11363 – vfs_fruit doesn't check offset and size when serving AFP_AfpInfo stream read requests

Bug 11363 - vfs_fruit doesn't check offset and size when serving AFP_AfpInfo stream read requests

Summary: vfs_fruit doesn't check offset and size when serving AFP_AfpInfo stream read ...

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	VFS Modules (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Karolin Seeger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2015-06-25 12:59 UTC by Ralph Böhme
Modified:	2015-07-11 20:02 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
Patch for master (5.50 KB, patch) 2015-06-25 14:35 UTC, Ralph Böhme	no flags	Details
Patch for master (5.44 KB, patch) 2015-07-02 10:16 UTC, Ralph Böhme	vl: review+	Details
Patch for 4.2 cherry-picked from master (5.99 KB, patch) 2015-07-03 09:03 UTC, Ralph Böhme	vl: review+	Details
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ralph Böhme 2015-06-25 12:59:00 UTC

Looks like I left a gaping hole in fruit_pread when reading from the AFP_AfpInfo stream.

fruit_pread doesn't check the offset and length parameters and instead always writes 60 bytes, the size of the AFP_AfpInfo blob, to the the passed buffer. If the passed in buffer is smaller, we overwrite something somewhere. :/

Comment 1 Ralph Böhme 2015-06-25 14:35:32 UTC

Created attachment 11201 [details]
Patch for master

Patch and torture test for master.

Comment 2 Volker Lendecke 2015-06-26 08:57:41 UTC

Comment on attachment 11201 [details]
Patch for master

if (offset + n > AFP_INFO_SIZE) {

Can't offset+n overflow here?

Comment 3 Ralph Böhme 2015-07-02 10:16:19 UTC

Created attachment 11224 [details]
Patch for master

Thanks! This one hopefully doees it right.

Comment 4 Ralph Böhme 2015-07-03 09:03:48 UTC

Created attachment 11227 [details]
Patch for 4.2 cherry-picked from master

Comment 5 Ralph Böhme 2015-07-03 09:17:09 UTC

Reassigning to Karolin for inclusion in 4.2.

Comment 6 Karolin Seeger 2015-07-05 19:29:22 UTC

Pushed to autobuild-v4-2-test.

Comment 7 Karolin Seeger 2015-07-11 20:02:40 UTC

(In reply to Karolin Seeger from comment #6)
Pushed to v4-2-test.
Closing out bug report.

Thanks!