The Samba-Bugzilla – Attachment 17723 Details for Bug 15271: rep_listxattr on FreeBSD does not properly check for reads off end of returned buffer
[patch] git-am fix for 4.17.next, 4.16.next.
0001-lib-replace-add-extra-check-to-bsd_attr_list.patch (text/plain), 1.86 KB, created by Jeremy Allison on 2023-01-10 21:27:17 UTC
>From d12a93f261b3dd216227ac8d02210bcd2890dd54 Mon Sep 17 00:00:00 2001 >From: Andrew Walker <awalker@ixsystems.com> >Date: Tue, 27 Dec 2022 10:59:14 -0500 >Subject: [PATCH] lib/replace - add extra check to bsd_attr_list >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >The FreeBSD extattr API may return success and truncated >namelist. We need to check for this in bsd_attr_list to >ensure that we don't accidentally read off the end of the >buffer. In the case of a truncated value, the pascal >strings for attr names will reflect the lengths as if >the value were not truncated. For example: >`58DosStrea` > >In case of short read we now set error to ERANGE and >fail. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15271 > >Signed-off-by: Andrew Walker <awalker@ixsystems.com> >Reviewed-by: Ralph Boehme <slow@samba.org> > >Autobuild-User(master): Ralph Böhme <slow@samba.org> >Autobuild-Date(master): Mon Jan 2 14:27:23 UTC 2023 on sn-devel-184 > >(cherry picked from commit 01cdc5e00be78a51f0766634cc7fe50de2088203) >--- > lib/replace/xattr.c | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > >diff --git a/lib/replace/xattr.c b/lib/replace/xattr.c >index 4869367b7da..1044942f4b9 100644 >--- a/lib/replace/xattr.c >+++ b/lib/replace/xattr.c >@@ -267,6 +267,18 @@ static ssize_t bsd_attr_list (int type, extattr_arg arg, char *list, size_t size > > for(i = 0; i < list_size; i += len + 1) { > len = buf[i]; >+ >+ /* >+ * If for some reason we receive a truncated >+ * return from call to list xattrs the pascal >+ * string lengths will not be changed and >+ * therefore we must check that we're not >+ * reading garbage data or off end of array >+ */ >+ if (len + i >= list_size) { >+ errno = ERANGE; >+ return -1; >+ } > strncpy(list, extattr[t].name, extattr[t].len + 1); > list += extattr[t].len; > strncpy(list, buf + i + 1, len); >-- >2.34.1 >
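Review bot: In the added check `if (len + i >= list_size)`, the result depends on `len = buf[i]` never being negative, and the declarations of `len` and `buf` are outside this hunk. If `buf` is a plain `char *` like the `list` parameter in the hunk header, a length byte above 127 reads as negative on signed-char platforms, so the sum can stay below `list_size`, the check passes, and `strncpy(list, buf + i + 1, len)` then receives a negative length converted to a very large size_t. Reading the length as `(unsigned char)buf[i]` would make the comparison cover every possible length byte. It would also help to say in the comment that ERANGE here means the namelist came back truncated rather than that the caller's buffer was too small, since callers may treat that errno as a cue to retry with a larger buffer. The diffstat shows only lib/replace/xattr.c changing, so a test that feeds a truncated namelist such as the `58DosStrea` case from the commit message would keep this from regressing.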
Flags: slow: review+, jra: review? (awalker)