5860 – "string overflow in safe_strcpy" if "mangled names = no"

Bug 5860 - "string overflow in safe_strcpy" if "mangled names = no"

Summary: "string overflow in safe_strcpy" if "mangled names = no"

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 3.2
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	3.2.4
Hardware:	Sparc Solaris

Importance:	P3 normal
Target Milestone:	---
Assignee:	Volker Lendecke
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2008-10-30 08:29 UTC by Robert Dahlem
Modified:	2008-11-02 11:21 UTC (History)
CC List:	0 users

See Also:

Attachments
level 10 smbd.log (321.17 KB, application/octet-stream) 2008-10-30 08:33 UTC, Robert Dahlem	no flags	Details
tcpdump for the bug (62.75 KB, application/octet-stream) 2008-10-30 08:34 UTC, Robert Dahlem	no flags	Details
proposed patch (797 bytes, patch) 2008-11-02 03:27 UTC, Volker Lendecke	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Dahlem 2008-10-30 08:29:23 UTC

message "ERROR: string overflow by 1 (13 - 12) in safe_strcpy" keeps coming up.

The client is Windows XP Professionl SP2 (32 bit), 5.01.2600.

The bug depends on "mangeld names = no".

I followed it:
smbd/trans2.c:call_trans2findfirst()
    name_to_8_3(mask, mangled_name, True, conn->params);
smbd/mangle.c:name_to_8_3()
    if (!lp_manglednames(p)) {
        safe_strcpy(out,in,12);

In this case "mask" contains a long filename, so "in" is greater than 12.

Comment 1 Robert Dahlem 2008-10-30 08:33:21 UTC

Created attachment 3699 [details]
level 10 smbd.log

Comment 2 Robert Dahlem 2008-10-30 08:34:07 UTC

Created attachment 3700 [details]
tcpdump for the bug

Comment 3 Robert Dahlem 2008-11-02 02:57:26 UTC

This came in with revision 25009.

Comment was:
Large patch discussed with Volker. Move unix_convert to a talloc-based interface. More development will come on top of this. Remove the "mangled map" parameter. Jeremy.

http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/branches/SAMBA_3_2/source/smbd/mangle.c?rev=25009&r1=23866&r2=25009

Comment 4 Volker Lendecke 2008-11-02 03:03:59 UTC

Looking at that piece of code tells me that the error message is annoying but no real functional problem. Is that right?

Volker

Comment 5 Robert Dahlem 2008-11-02 03:12:59 UTC

Indeed, no errors popped up so far.

But: "no real functional problem" is kind of an elastic term. :-)
5 users browsing through some directories gives you literally hundreds of log entries per second. Can't put that into production.

Comment 6 Volker Lendecke 2008-11-02 03:27:35 UTC

Created attachment 3705 [details]
proposed patch

Can you try the attached patch?

Thanks,

Volker

Comment 7 Robert Dahlem 2008-11-02 03:38:49 UTC

And gone the problem is. Thx!

Comment 8 Volker Lendecke 2008-11-02 03:42:26 UTC

Pushed upstream.

Thanks for the feedback,

Volker

Comment 9 Jeremy Allison 2008-11-02 11:21:50 UTC

Thanks for taking care of it Volker, that change would have been my suggestion too :-).