Bug 10758 - nstrcpy size wrong (potential overflow)
Summary: nstrcpy size wrong (potential overflow)
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other (show other bugs)
Version: 4.1.11
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-08-04 09:52 UTC by dean
Modified: 2014-09-03 07:13 UTC (History)
0 users

See Also:


Attachments
Patch from master (1.14 KB, patch)
2014-08-04 09:58 UTC, Volker Lendecke
jra: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description dean 2014-08-04 09:52:13 UTC
samba-4.1.11\lib\util\string_wrappers.h

line 49:

#define nstrcpy(d,s) \
do { \
	const char *_nstrcpy_src = (const char *)(s); \
	strlcpy((d),_nstrcpy_src ? _nstrcpy_src : "",sizeof(fstring)); \
} while (0)


nstrcpy is intended for use on typedef nstring which has len 16:

#define MAX_NETBIOSNAME_LEN 16
typedef char nstring[MAX_NETBIOSNAME_LEN];

fstring is 256 bytes.

Using nstrcpy() will allow 256 bytes to be copied into a buffer of only 16 bytes, leading to a stack overflow.
Comment 1 Volker Lendecke 2014-08-04 09:58:25 UTC
Created attachment 10172 [details]
Patch from master

This patch from master should fix it
Comment 2 Jeremy Allison 2014-08-04 15:43:12 UTC
Comment on attachment 10172 [details]
Patch from master

LGTM!
Comment 3 Jeremy Allison 2014-08-04 15:43:32 UTC
Re-assigning to Karolin for inclusion in 4.1.next, 4.0.next.
Comment 4 Karolin Seeger 2014-09-01 18:51:04 UTC
Pushed to autobuild-v4-[0|1]-test.
Comment 5 Karolin Seeger 2014-09-03 07:13:35 UTC
Pushed to both branches.
Closing out bug report.

Thanks!