Module Name:    src
Committed By:   christos
Date:           Tue Oct 3 15:27:10 UTC 2017

Modified Files:
        src/sys/netsmb: smb_subr.c

Log Message:
From FreeBSD:

netsmb: Fix buggy/racy smb_strdupin()

smb_strdupin() tried to roll a copyin() based strlen to allocate a buffer and then blindly copyin that size. Of course, a malicious user program could simultaneously manipulate the buffer, resulting in a non-terminated string being copied. Later assumptions in the code rely upon the string being nul-terminated.

Just use copyinstr() and drop the racy sizing.

PR:             222687
Reported by:    Meng Xu <meng.xu AT gatech.edu>
Security:       possible local DoS
Sponsored by:   Dell EMC Isilon

To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 src/sys/netsmb/smb_subr.c

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/netsmb/smb_subr.c diff -u src/sys/netsmb/smb_subr.c:1.38 src/sys/netsmb/smb_subr.c:1.39 --- src/sys/netsmb/smb_subr.c:1.38 Fri Jul 28 10:37:27 2017 +++ src/sys/netsmb/smb_subr.c Tue Oct 3 11:27:10 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: smb_subr.c,v 1.38 2017/07/28 14:37:27 riastradh Exp $ */ +/* $NetBSD: smb_subr.c,v 1.39 2017/10/03 15:27:10 christos Exp $ */ /* * Copyright (c) 2000-2001 Boris Popov @@ -35,7 +35,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: smb_subr.c,v 1.38 2017/07/28 14:37:27 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: smb_subr.c,v 1.39 2017/10/03 15:27:10 christos Exp $"); #include <sys/param.h> #include <sys/systm.h> @@ -114,20 +114,15 @@ smb_strdup(const char *s) char * smb_strdupin(char *s, size_t maxlen) { - char *p, bt; - size_t len = 0; + char *p; + int error; - for (p = s; ;p++) { - if (copyin(p, &bt, 1)) - return NULL; - len++; - if (maxlen && len > maxlen) - return NULL; - if (bt == 0) - break; + p = malloc(maxlen + 1, M_SMBSTR, M_WAITOK); + error = copyinstr(s, p, maxlen + 1, NULL); + if (error) { + free(p, M_SMBSTR); + return NULL; } - p = malloc(len, M_SMBSTR, M_WAITOK); - copyin(s, p, len); return p; }
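Review bot: the replacement in the smb_strdupin() hunk silently changes what maxlen == 0 means. The removed loop treated 0 as "no limit" (`if (maxlen && len > maxlen)`), whereas the new `malloc(maxlen + 1, M_SMBSTR, M_WAITOK)` followed by `copyinstr(s, p, maxlen + 1, NULL)` gives a caller passing 0 a one-byte buffer in which only an empty string can succeed; any caller relying on the old unlimited semantics needs auditing, or the 0 case should be handled explicitly. Two smaller points: the returned buffer is always maxlen + 1 bytes regardless of the string's real length, so passing a `done` pointer instead of NULL would allow the allocation to be trimmed (or the over-allocation to be documented), and collapsing every copyinstr() failure (EFAULT as well as ENAMETOOLONG) into a NULL return discards an errno callers might want to propagate. The core change is sound: copyinstr() bounds-checks and copies in a single pass, so userland no longer has a window between the sizing pass and the copy in which to alter the string, and the result is guaranteed NUL-terminated, which the old unchecked `copyin(s, p, len)` never ensured.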