The Samba-Bugzilla – Attachment 16586 Details for
Bug 14684
buffer overruns in talloc_string_sub2() due to false strstr_m matches
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
The fix
patch.txt (text/plain), 3.29 KB, created by
Douglas Bagnall
on 2021-04-08 09:24:55 UTC
(
hide
)
Description:
The fix
Filename:
MIME Type:
Creator:
Douglas Bagnall
Created:
2021-04-08 09:24:55 UTC
Size:
3.29 KB
patch
obsolete
>From e7cc91845134cde3b3f37b735bf86fa0b1571983 Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Thu, 8 Apr 2021 21:18:46 +1200 >Subject: [PATCH 1/2] util/iconv: reject improperly packed UTF-8 > >If we allow a string that encodes say '\0' as a multi-byte sequence, >we are open to confusion where we mix NUL terminated strings with >sized data blobs, which is to say EVERYWHERE. > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >--- > lib/util/charset/iconv.c | 32 +++++++++++++++++++++----------- > 1 file changed, 21 insertions(+), 11 deletions(-) > >diff --git a/lib/util/charset/iconv.c b/lib/util/charset/iconv.c >index 1f2d49c0e27..43b3306b0de 100644 >--- a/lib/util/charset/iconv.c >+++ b/lib/util/charset/iconv.c >@@ -832,6 +832,11 @@ static size_t utf8_pull(void *cd, const char **inbuf, size_t *inbytesleft, > } > uc[1] = (c[0]>>2) & 0x7; > uc[0] = (c[0]<<6) | (c[1]&0x3f); >+ if (uc[1] == 0 && uc[0] < 0x80) { >+ /* this should have been a single byte */ >+ errno = EILSEQ; >+ goto error; >+ } > c += 2; > in_left -= 2; > out_left -= 2; >@@ -840,14 +845,24 @@ static size_t utf8_pull(void *cd, const char **inbuf, size_t *inbytesleft, > } > > if ((c[0] & 0xf0) == 0xe0) { >+ unsigned int codepoint; > if (in_left < 3 || > (c[1] & 0xc0) != 0x80 || > (c[2] & 0xc0) != 0x80) { > errno = EILSEQ; > goto error; > } >- uc[1] = ((c[0]&0xF)<<4) | ((c[1]>>2)&0xF); >- uc[0] = (c[1]<<6) | (c[2]&0x3f); >+ codepoint = ((c[2] & 0x3f) | >+ ((c[1] & 0x3f) << 6) | >+ ((c[0] & 0x0f) << 12)); >+ >+ if (codepoint < 0x800) { >+ /* this should be a 1 or 2 byte sequence */ >+ errno = EILSEQ; >+ goto error; >+ } >+ uc[0] = codepoint & 0xff; >+ uc[1] = codepoint >> 8; > c += 3; > in_left -= 3; > out_left -= 2; >@@ -870,15 +885,10 @@ static size_t utf8_pull(void *cd, const char **inbuf, size_t *inbytesleft, > ((c[1]&0x3f)<<12) | > ((c[0]&0x7)<<18); > if (codepoint < 0x10000) { >- /* accept UTF-8 characters that are not >- minimally packed, but pack the result */ >- uc[0] = (codepoint & 0xFF); >- uc[1] = (codepoint >> 8); >- c += 4; >- in_left -= 4; >- out_left -= 2; >- uc += 2; >- continue; >+ /* reject UTF-8 characters that are not >+ minimally packed */ >+ errno = EILSEQ; >+ goto error; > } > > codepoint -= 0x10000; >-- >2.20.1 > > >From 4efc3605fdb00dedc50bd6a4f13f5a3fba88a366 Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Thu, 8 Apr 2021 21:20:17 +1200 >Subject: [PATCH 2/2] util/charset: warn loudly on unexpected E2BIG > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >--- > lib/util/charset/convert_string.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > >diff --git a/lib/util/charset/convert_string.c b/lib/util/charset/convert_string.c >index 96a3af68d27..88b128be547 100644 >--- a/lib/util/charset/convert_string.c >+++ b/lib/util/charset/convert_string.c >@@ -435,8 +435,8 @@ bool convert_string_talloc_handle(TALLOC_CTX *ctx, struct smb_iconv_handle *ic, > break; > case E2BIG: > reason = "output buffer is too small"; >- DBG_NOTICE("Conversion error: %s\n", >- reason); >+ DBG_ERR("Conversion error: %s\n", >+ reason); > break; > case EILSEQ: > reason="Illegal multibyte sequence"; >-- >2.20.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 14684
:
16580
|
16581
|
16582
|
16583
|
16584
|
16585
| 16586 |
16655
|
16656