[Bug 222687] smb_strdupin() does not properly check the length of string duped-in
bugzilla-noreply at freebsd.org
Fri Sep 29 14:17:19 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222687
Bug ID: 222687
Summary: smb_strdupin() does not properly check the length of string duped-in
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: misc
Assignee: freebsd-bugs at FreeBSD.org
Reporter: meng.xu at gatech.edu
In function smb_strdupin(), it first guesses the length of the input string
(by incrementally reading it and testing for the NULL terminator) and then copies in
the whole string from userspace. However, given that another user thread can
"scramble" the userspace buffer while smb_strdupin() is in execution,
it might result in a case where the string after the second copyin is not
NULL terminated.
This itself is not yet a very serious issue. However, it does become a bug
later. smb_strdupin() is invoked in smb_usr_t2request() by
t2p->t_name = smb_strdupin(dp->ioc_name, 128);
And later in downstream functions
smb_t2_request(t2p) --> smb_t2_request_int(t2p)
there is a call to t2p->t_name: nmlen = t2p->t_name ? strlen(t2p->t_name) : 0
Now if t2p->t_name is not NULL terminated, calling strlen(t2p->t_name)
will cause weird behaviors, such as invalid memory accesses.
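To make the race concrete, here is an added user-space model of the two-pass pattern the report describes; it is not the netsmb code itself. User memory is a plain buffer, copyin() is a memcpy, the concurrent thread is modelled by rewriting the buffer between the measuring pass and the copying pass, and model_strdupin() / terminated_after_race() are hypothetical names. The hardened variant forces a terminator after the second pass, which is the missing check.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model: user memory is a plain buffer, and the "other thread"
 * is an overwrite triggered after a chosen number of copyin() calls. */
static char user_buf[16];
static int copyin_calls;
static int scramble_after;   /* 0 = no race; N = rewrite buffer after call N */

static int copyin(const void *uaddr, void *kaddr, size_t n) {
    memcpy(kaddr, uaddr, n);
    if (++copyin_calls == scramble_after)
        memset(user_buf, 'A', sizeof user_buf);   /* NUL terminator is gone */
    return 0;
}

/* Pass 1 measures the string one byte at a time; pass 2 copies len bytes.
 * With 'hardened' set, the kernel copy is NUL terminated no matter what
 * pass 2 read. Returns the allocation; its length goes to *outlen. */
static char *model_strdupin(const char *s, size_t maxlen, int hardened, size_t *outlen) {
    size_t len = 0;
    char bt;
    for (const char *p = s; ; p++) {
        if (copyin(p, &bt, 1)) return NULL;
        len++;
        if (maxlen && len > maxlen) return NULL;   /* length bound only */
        if (bt == 0) break;
    }
    char *k = malloc(len);
    if (!k) return NULL;
    if (copyin(s, k, len)) { free(k); return NULL; }
    if (hardened) k[len - 1] = '\0';   /* the check the two-pass version omits */
    *outlen = len;
    return k;
}

/* Returns 1 if the kernel copy contains a NUL within its allocation (what a
 * later strlen() relies on), 0 if not, -1 on copy failure. */
static int terminated_after_race(int hardened, int race) {
    strcpy(user_buf, "share");          /* constructed 5-char share name */
    copyin_calls = 0;
    scramble_after = race ? 6 : 0;      /* pass 1 reads 6 bytes; scramble before pass 2 */
    size_t len;
    char *k = model_strdupin(user_buf, 128, hardened, &len);
    if (!k) return -1;
    int ok = memchr(k, '\0', len) != NULL;
    free(k);
    return ok;
}
```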