svn commit: r324102 - head/sys/netsmb
Harry Schmalzbauer
freebsd at omnilan.de
Sat Mar 31 09:17:08 UTC 2018
Regarding Conrad Meyer's message of 29.09.2017 17:53 (localtime):
> Author: cem
> Date: Fri Sep 29 15:53:26 2017
> New Revision: 324102
> URL: https://svnweb.freebsd.org/changeset/base/324102
>
> Log:
> netsmb: Fix buggy/racy smb_strdupin()
>
> smb_strdupin() tried to roll a copyin() based strlen to allocate a buffer
> and then blindly copyin that size. Of course, a malicious user program
> could simultaneously manipulate the buffer, resulting in a non-terminated
> string being copied.
>
> Later assumptions in the code rely upon the string being nul-terminated.
>
> Just use copyinstr() and drop the racy sizing.
>
> PR: 222687
> Reported by: Meng Xu <meng.xu AT gatech.edu>
> Security: possible local DoS
> Sponsored by: Dell EMC Isilon
Does anybody want to MFC this one before 11.2?
Thanks,
-harry
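
The double-fetch pattern the quoted commit log describes, next to a single-pass copy with copyinstr()-like semantics, as a user-space C model added here (not the FreeBSD source and not part of the original message). `racy_strdupin`, `model_copyinstr`, `race_hook` and `strip_nul` are hypothetical names; the hook stands in for a concurrent user thread, and the buffer contents are constructed.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
/* User-space model, not kernel code: "user memory" is a plain buffer and
 * race_hook stands in for a second thread rewriting it between fetches. */
static void (*race_hook)(char *ubuf);
static void strip_nul(char *ubuf) { memset(ubuf, 'A', 8); } /* constructed */

/* Pattern from the log: size the string in one pass, then copy that many
 * bytes in a second pass. Returns a malloc'd buffer of *lenp bytes. */
static char *racy_strdupin(char *ubuf, size_t maxlen, size_t *lenp)
{
    size_t len = 0;
    while (len < maxlen && ubuf[len] != '\0')   /* fetch 1: find the NUL */
        len++;
    if (len == maxlen)
        return NULL;                            /* no NUL within maxlen */
    len++;                                      /* count the terminator */
    if (race_hook) race_hook(ubuf);             /* buffer changes here */
    char *k = malloc(len);
    if (k != NULL)
        memcpy(k, ubuf, len);                   /* fetch 2: stale length */
    *lenp = len;
    return k;
}

/* copyinstr()-like single pass: every byte is fetched once, copying stops
 * at the NUL, and a missing NUL is reported instead of being copied. */
static int model_copyinstr(const char *ubuf, char *kbuf, size_t maxlen, size_t *done)
{
    for (size_t i = 0; i < maxlen; i++)
        if ((kbuf[i] = ubuf[i]) == '\0') {
            *done = i + 1;
            return 0;
        }
    return ENAMETOOLONG;
}

int main(void)
{
    char ubuf[8] = "share", kbuf[8];            /* constructed input */
    size_t len = 0, done = 0;
    race_hook = strip_nul;
    char *k = racy_strdupin(ubuf, sizeof(ubuf), &len);
    int unterminated = (k != NULL && memchr(k, '\0', len) == NULL);
    int err = model_copyinstr(ubuf, kbuf, sizeof(kbuf), &done); /* no NUL left */
    free(k);
    return (unterminated && err == ENAMETOOLONG) ? 0 : 1;
}
```

The program exits 0 when the racy copy comes back without a terminator and the single-pass copy rejects the same rewritten buffer with ENAMETOOLONG.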