Regarding Conrad Meyer's message from 29.09.2017 17:53 (localtime):
> Author: cem
> Date: Fri Sep 29 15:53:26 2017
> New Revision: 324102
> URL: https://svnweb.freebsd.org/changeset/base/324102
>
> Log:
>   netsmb: Fix buggy/racy smb_strdupin()
>   
>   smb_strdupin() tried to roll a copyin() based strlen to allocate a buffer
>   and then blindly copyin that size.  Of course, a malicious user program
>   could simultaneously manipulate the buffer, resulting in a non-terminated
>   string being copied.
>   
>   Later assumptions in the code rely upon the string being nul-terminated.
>   
>   Just use copyinstr() and drop the racy sizing.
>   
>   PR:         222687
>   Reported by:        Meng Xu <meng.xu AT gatech.edu>
>   Security:   possible local DoS
>   Sponsored by:       Dell EMC Isilon

Does anybody want to MFC this one before 11.2?

Thanks,

-harry
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
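
The double fetch described in the commit log, as an added example that is not part of the original message or of the FreeBSD sources: a user-space C model in which `ubuf` stands in for user memory and `writer()` stands in for a concurrent user thread, called at a fixed point so the outcome is deterministic. All names here (`ubuf`, `writer`, `dup_racy`, `dup_single`, `copy_is_terminated`) are hypothetical, and `dup_single()` only models the stop-at-NUL-or-fail behaviour of copyinstr(9).

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define UBUF_SZ 16
static char ubuf[UBUF_SZ];   /* constructed stand-in for user memory */

/* Models a second user thread overwriting the string, NUL included. */
static void writer(void) { memset(ubuf, 'A', UBUF_SZ - 1); }

/* Racy shape from the log: size with one fetch, copy with a second. */
static char *dup_racy(size_t *lenp)
{
    size_t len = strlen(ubuf) + 1;      /* fetch 1: length including NUL */
    char *k = malloc(len);
    if (k == NULL) return NULL;
    writer();                           /* buffer changes between fetches */
    memcpy(k, ubuf, len);               /* fetch 2: trusts the stale length */
    *lenp = len;
    return k;
}

/* Single pass, copyinstr(9)-like: stop at NUL or fail with ENAMETOOLONG. */
static int dup_single(char **out)
{
    char *k = malloc(UBUF_SZ);
    if (k == NULL) return ENOMEM;
    for (size_t i = 0; i < UBUF_SZ; i++) {
        if (i == 1) writer();           /* writer still races mid-copy */
        k[i] = ubuf[i];                 /* each byte is read exactly once */
        if (k[i] == '\0') { *out = k; return 0; }
    }
    free(k);
    return ENAMETOOLONG;
}

/* Run one variant on the constructed input "share"; 1 = NUL-terminated. */
int copy_is_terminated(int racy)
{
    char *k = NULL;
    size_t len = UBUF_SZ;
    memset(ubuf, 0, UBUF_SZ);
    strcpy(ubuf, "share");
    if (racy) k = dup_racy(&len);
    else if (dup_single(&k) != 0) return 0;
    int ok = k != NULL && memchr(k, '\0', len) != NULL;
    free(k);
    return ok;
}
```

In the single-pass variant the copied bytes may still mix old and new contents, but the result is either NUL-terminated or rejected, which is the property the later code relies on.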
