svn commit: r335781 - stable/10/contrib/smbfs/lib/smb

Brooks Davis brooks at FreeBSD.org
Thu Jun 28 21:23:06 UTC 2018


Author: brooks
Date: Thu Jun 28 21:23:05 2018
New Revision: 335781
URL: https://svnweb.freebsd.org/changeset/base/335781

Log:
  MFC r335641:
  
  Fix a stack overflow in mount_smbfs when hostname is too long.
  
  The local hostname was blindly copied into the nn_name array.
  When the hostname exceeded 16 bytes, it would overflow.  Truncate the
  hostname to 15 bytes plus a 0 terminator which is the "workstation name"
  suffix.
  
  Use defensive strlcpy() when filling nn_name in all cases.
  
  PR:		228354
  Reported by:	donald.buchholz at intel.com
  Reviewed by:	jpaetzel,  ian (prior version)
  Discussed with:	Security Officer (gtetlow)
  Security:	Stack overflow with the hostname.
  Sponsored by:	DARPA, AFRL
  Differential Revision:	https://reviews.freebsd.org/D15936

Modified:
  stable/10/contrib/smbfs/lib/smb/ctx.c
  stable/10/contrib/smbfs/lib/smb/nbns_rq.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/contrib/smbfs/lib/smb/ctx.c
==============================================================================
--- stable/10/contrib/smbfs/lib/smb/ctx.c	Thu Jun 28 21:16:50 2018	(r335780)
+++ stable/10/contrib/smbfs/lib/smb/ctx.c	Thu Jun 28 21:23:05 2018	(r335781)
@@ -549,7 +549,9 @@ smb_ctx_resolve(struct smb_ctx *ctx)
 	}
 	nn.nn_scope = ctx->ct_nb->nb_scope;
 	nn.nn_type = NBT_SERVER;
-	strcpy(nn.nn_name, ssn->ioc_srvname);
+	if (strlen(ssn->ioc_srvname) > NB_NAMELEN)
+		return NBERROR(NBERR_NAMETOOLONG);
+	strlcpy(nn.nn_name, ssn->ioc_srvname, sizeof(nn.nn_name));
 	error = nb_sockaddr(sap, &nn, &saserver);
 	nb_snbfree(sap);
 	if (error) {
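Review bot: The new early return on the NBERR_NAMETOOLONG path skips the release of `sap`: `nb_snbfree(sap)` runs only on the line after `nb_sockaddr()`, so a too-long server name now returns before it. `sap` is obtained outside this hunk, so that it is heap-owned here is inferred from that free, but if it is, the rejection should free it first: `if (strlen(ssn->ioc_srvname) > NB_NAMELEN) { nb_snbfree(sap); return NBERROR(NBERR_NAMETOOLONG); }`. The bound is also spelled two ways (`NB_NAMELEN` in the check, `sizeof(nn.nn_name)` in the copy); comparing the strlcpy result against `sizeof(nn.nn_name)` instead would keep a single source of truth and drop the extra strlen pass. smb_ctx_resolve starts and ends outside the hunk.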
@@ -565,7 +567,11 @@ smb_ctx_resolve(struct smb_ctx *ctx)
 		}
 		nls_str_upper(ctx->ct_locname, ctx->ct_locname);
 	}
-	strcpy(nn.nn_name, ctx->ct_locname);
+	/*
+	 * Truncate the local host name to NB_NAMELEN-1 which gives a
+	 * suffix of 0 which is "workstation name".
+	 */
+	strlcpy(nn.nn_name, ctx->ct_locname, NB_NAMELEN);
 	nn.nn_type = NBT_WKSTA;
 	nn.nn_scope = ctx->ct_nb->nb_scope;
 	error = nb_sockaddr(NULL, &nn, &salocal);
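Review bot: The size passed to strlcpy on the new line is the bare constant `NB_NAMELEN`, whereas the other two copies in this commit use `sizeof(nn.nn_name)`; that is only safe while `sizeof(nn.nn_name) >= NB_NAMELEN`, a relation nothing in the hunk states. The comment should record that dependence and that truncation (rather than the NBERR_NAMETOOLONG rejection applied to the server name earlier in this function) is deliberate for the local name, e.g. extend it with ` * Unlike the server name, an over-long local name is truncated rather than rejected; this relies on nn_name holding at least NB_NAMELEN bytes.` A compile-time assertion of that size relation, if this tree has one available, would pin it. smb_ctx_resolve continues outside the hunk on both sides.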

Modified: stable/10/contrib/smbfs/lib/smb/nbns_rq.c
==============================================================================
--- stable/10/contrib/smbfs/lib/smb/nbns_rq.c	Thu Jun 28 21:16:50 2018	(r335780)
+++ stable/10/contrib/smbfs/lib/smb/nbns_rq.c	Thu Jun 28 21:23:05 2018	(r335781)
@@ -74,7 +74,7 @@ nbns_resolvename(const char *name, struct nb_ctx *ctx,
 	if (error)
 		return error;
 	bzero(&nn, sizeof(nn));
-	strcpy(nn.nn_name, name);
+	strlcpy(nn.nn_name, name, sizeof(nn.nn_name));
 	nn.nn_scope = ctx->nb_scope;
 	nn.nn_type = NBT_SERVER;
 	rqp->nr_nmflags = NBNS_NMFLAG_RD;
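Review bot: strlcpy here silently truncates an over-long lookup name, so nbns_resolvename would query for a different NetBIOS name than the caller passed in and could return a wrong answer instead of an error; the server-name path in ctx.c in this same commit rejects such names with NBERROR(NBERR_NAMETOOLONG), and this function already returns error codes (see the `return error` two lines above). Checking the copy's result would make the two consistent: `if (strlcpy(nn.nn_name, name, sizeof(nn.nn_name)) >= sizeof(nn.nn_name)) return NBERROR(NBERR_NAMETOOLONG);` — but `rqp` is already live at this point and is set up outside the hunk, so that error path presumably has to release it the way the function's later error paths do rather than returning directly. nbns_resolvename starts and ends outside the hunk.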

