The Samba-Bugzilla – Attachment 7000 Details for
Bug 8528
SEGFAULT from net registry export on not zero terminated REG_SZ values
[patch]
patchset for v3-6-test
patchset (text/plain), 2.67 KB, created by
Gregor Beck (550 Unknown user)
on 2011-10-14 14:00:04 UTC
>From 811fda461d7be1916cbb3de1c0cac2f0995fefe4 Mon Sep 17 00:00:00 2001 >From: Gregor Beck <gbeck@sernet.de> >Date: Tue, 6 Sep 2011 09:24:10 +0200 >Subject: [PATCH 1/2] s3:registry: reg_format: handle unterminated REG_SZ blobs > >Signed-off-by: Michael Adam <obnox@samba.org> >(cherry picked from commit b9da4235566ffdd649d7b4a6ca05cecd02cfbd20) >--- > source3/registry/reg_format.c | 10 +++++++++- > 1 files changed, 9 insertions(+), 1 deletions(-) > >diff --git a/source3/registry/reg_format.c b/source3/registry/reg_format.c >index 658076c..77a27fc 100644 >--- a/source3/registry/reg_format.c >+++ b/source3/registry/reg_format.c >@@ -326,6 +326,12 @@ done: > return ret; > } > >+static bool is_zero_terminated_ucs2(const uint8_t* data, size_t len) { >+ const size_t idx = len/sizeof(smb_ucs2_t); >+ const smb_ucs2_t *str = (const smb_ucs2_t*)data; >+ return (idx > 0) && (str[idx] == 0); >+} >+ > int reg_format_value(struct reg_format* f, const char* name, uint32_t type, > const uint8_t* data, size_t len) > { >@@ -334,7 +340,9 @@ int reg_format_value(struct reg_format* f, const char* name, uint32_t type, > > switch (type) { > case REG_SZ: >- if (!(f->flags & REG_FMT_HEX_SZ)) { >+ if (!(f->flags & REG_FMT_HEX_SZ) >+ && is_zero_terminated_ucs2(data, len)) >+ { > char* str = NULL; > size_t dlen; > if (pull_ucs2_talloc(mem_ctx, &str, (const smb_ucs2_t*)data, &dlen)) { >-- >1.7.4.1 > > >From db869b042b12c15544eb744c2709cc24cd9b508a Mon Sep 17 00:00:00 2001 
>From: Michael Adam <obnox@samba.org> >Date: Thu, 29 Sep 2011 18:06:56 +0200 >Subject: [PATCH 2/2] s3:registry: fix the test for a REG_SZ blob possibly being a zero terminated ucs2 string > >1. catch data blobs with odd number of bytes (not an ucs2 string at all) >2. test the right ucs2 character to be 0 > (prevent out-of bounds access/potential segfault) > >Autobuild-User: Michael Adam <obnox@samba.org> >Autobuild-Date: Sun Oct 2 01:26:05 CEST 2011 on sn-devel-104 >(cherry picked from commit 95bb2c23e6e9c52a1e34916dff05b1d306278bc6) >--- > source3/registry/reg_format.c | 11 ++++++++++- > 1 files changed, 10 insertions(+), 1 deletions(-) > >diff --git a/source3/registry/reg_format.c b/source3/registry/reg_format.c >index 77a27fc..db03961 100644 >--- a/source3/registry/reg_format.c >+++ b/source3/registry/reg_format.c >@@ -329,7 +329,16 @@ done: > static bool is_zero_terminated_ucs2(const uint8_t* data, size_t len) { > const size_t idx = len/sizeof(smb_ucs2_t); > const smb_ucs2_t *str = (const smb_ucs2_t*)data; >- return (idx > 0) && (str[idx] == 0); >+ >+ if ((len % sizeof(smb_ucs2_t)) != 0) { >+ return false; >+ } >+ >+ if (idx == 0) { >+ return false; >+ } >+ >+ return (str[idx-1] == 0); > } > > int reg_format_value(struct reg_format* f, const char* name, uint32_t type, >-- >1.7.4.1 >
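Review bot: In [PATCH 1/2], hunk `@@ -326,6 +326,12 @@`, the new `is_zero_terminated_ucs2` tests `str[idx]` with `idx = len/sizeof(smb_ucs2_t)`, which is the element one past the end of the `len`-byte buffer, so the check itself reads out of bounds; the last character of the blob is `str[idx-1]`. The function also accepts a `len` that is not a multiple of `sizeof(smb_ucs2_t)`, where the integer division silently drops the trailing byte; rejecting such blobs before indexing would be safer.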
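Review bot: In [PATCH 1/2], hunk `@@ -334,7 +340,9 @@`, the `REG_SZ` case now skips the string branch when `is_zero_terminated_ucs2(data, len)` is false, but the hunk neither shows nor documents where such a value goes instead; a short comment at the `if` naming the output path that handles an unterminated blob would help. `pull_ucs2_talloc(mem_ctx, &str, (const smb_ucs2_t*)data, &dlen)` is passed no length, so this check is the only bound on that conversion and has to be exact. The opening `{` on its own line also departs from the `if (...) {` style used for the `pull_ucs2_talloc` call in the same hunk.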
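Review bot: In [PATCH 2/2], hunk `@@ -329,7 +329,16 @@`, `str[idx-1]` still reads through `data` cast from `const uint8_t*` to `const smb_ucs2_t*`, which assumes the blob is aligned for `smb_ucs2_t`; nothing in the function guarantees that. Comparing the trailing `sizeof(smb_ucs2_t)` bytes of `data` against zero after the two length checks would give the same answer without the cast. `idx` and `str` are also initialised before the odd-length check; moving them below it (or dropping `str`) keeps the validation first.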
Flags:
obnox
:
review+