From d12a93f261b3dd216227ac8d02210bcd2890dd54 Mon Sep 17 00:00:00 2001 From: Andrew Walker Date: Tue, 27 Dec 2022 10:59:14 -0500 Subject: [PATCH] lib/replace - add extra check to bsd_attr_list MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The FreeBSD extattr API may return success and truncated namelist. We need to check for this in bsd_attr_list to ensure that we don't accidentally read off the end of the buffer. In the case of a truncated value, the pascal strings for attr names will reflect the lengths as if the value were not truncated. For example: `58DosStrea` In case of short read we now set error to ERANGE and fail. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15271 Signed-off-by: Andrew Walker Reviewed-by: Ralph Boehme Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Mon Jan 2 14:27:23 UTC 2023 on sn-devel-184 (cherry picked from commit 01cdc5e00be78a51f0766634cc7fe50de2088203) --- lib/replace/xattr.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/lib/replace/xattr.c b/lib/replace/xattr.c index 4869367b7da..1044942f4b9 100644 --- a/lib/replace/xattr.c +++ b/lib/replace/xattr.c @@ -267,6 +267,18 @@ static ssize_t bsd_attr_list (int type, extattr_arg arg, char *list, size_t size for(i = 0; i < list_size; i += len + 1) { len = buf[i]; + + /* + * If for some reason we receive a truncated + * return from call to list xattrs the pascal + * string lengths will not be changed and + * therefore we must check that we're not + * reading garbage data or off end of array + */ + if (len + i >= list_size) { + errno = ERANGE; + return -1; + } strncpy(list, extattr[t].name, extattr[t].len + 1); list += extattr[t].len; strncpy(list, buf + i + 1, len); -- 2.34.1
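Review bot: the new `errno = ERANGE; return -1;` branch reuses the errno that xattr list calls conventionally return when the caller's buffer is too small, so a caller cannot tell a truncated namelist from the extattr call apart from an undersized `list`/`size`, and the added comment does not say that this is deliberate. I would extend the comment to state why ERANGE was chosen and what the caller is expected to do on it. I would also replace "for some reason" with the cause given in the commit message, that the FreeBSD extattr API may return success with a truncated namelist. The bound `len + i >= list_size` is right for an entry that occupies `buf[i]` through `buf[i + len]`, but only if `len = buf[i]` reads the length byte as unsigned. The declarations of `len` and `buf` are outside this hunk, so please confirm that a length byte above 127 cannot become negative and slip past the check before the `strncpy(list, buf + i + 1, len)` that follows.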