Bug 5860 - "string overflow in safe_strcpy" if "mangled names = no"
Summary: "string overflow in safe_strcpy" if "mangled names = no"
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.2
Classification: Unclassified
Component: File services
Version: 3.2.4
Hardware: Sparc Solaris
Importance: P3 normal
Target Milestone: ---
Assignee: Volker Lendecke
QA Contact: Samba QA Contact
Reported: 2008-10-30 08:29 UTC by Robert Dahlem
Modified: 2008-11-02 11:21 UTC
Attachments
level 10 smbd.log (321.17 KB, application/octet-stream), 2008-10-30 08:33 UTC, Robert Dahlem
tcpdump for the bug (62.75 KB, application/octet-stream), 2008-10-30 08:34 UTC, Robert Dahlem
proposed patch (797 bytes, patch), 2008-11-02 03:27 UTC, Volker Lendecke

Description Robert Dahlem 2008-10-30 08:29:23 UTC
The message "ERROR: string overflow by 1 (13 - 12) in safe_strcpy" keeps coming up.

The client is Windows XP Professional SP2 (32 bit), 5.01.2600.

The bug depends on "mangled names = no".

I followed it:
smbd/trans2.c:call_trans2findfirst()
    name_to_8_3(mask, mangled_name, True, conn->params);
smbd/mangle.c:name_to_8_3()
    if (!lp_manglednames(p)) {
        safe_strcpy(out,in,12);

In this case "mask" contains a long filename, so "in" is greater than 12.
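As an added illustration (not Samba's code and not the attached patch), the following C model reproduces the mechanism described above: a safe_strcpy() that logs the overflow and truncates, the "mangled names = no" path of name_to_8_3() copying at most 12 characters into a 13-byte buffer, and a silent bounded copy that yields the same 8.3 name without the log line. All model_ function names and the sample mask are assumptions.

```c
/* Added example, not Samba's code: a model of safe_strcpy() and of the
 * "mangled names = no" path of name_to_8_3(), showing why a 13-character
 * search mask logs "string overflow by 1 (13 - 12)" on every FindFirst. */
#include <stdio.h>
#include <string.h>
static int overflow_log_count = 0;  /* ERROR lines that would reach smbd.log */

/* Modelled after Samba's safe_strcpy(): copy at most maxlength characters,
 * always NUL-terminate, and log whenever the source had to be truncated. */
static char *model_safe_strcpy(char *dest, const char *src, size_t maxlength)
{
    size_t len = strlen(src);
    if (len > maxlength) {
        fprintf(stderr, "ERROR: string overflow by %lu (%lu - %lu) in safe_strcpy\n",
                (unsigned long)(len - maxlength), (unsigned long)len,
                (unsigned long)maxlength);
        overflow_log_count++;
        len = maxlength;            /* truncate; no memory is overrun */
    }
    memcpy(dest, src, len);
    dest[len] = '\0';
    return dest;
}

/* Model of name_to_8_3() with "mangled names = no": the "8.3" name is simply
 * the first 12 characters of the input, so truncation is the intended result. */
static char *model_name_to_8_3_unmangled(const char *in, char out[13])
{
    memset(out, '\0', 13);
    return model_safe_strcpy(out, in, 12); /* 13-byte buffer: 12 chars + NUL */
}

/* Same truncation with a silent bounded copy: identical result, no log line.
 * (Illustrative only; the page does not show what the attached patch does.) */
static char *model_name_to_8_3_quiet(const char *in, char out[13])
{
    size_t len = strlen(in);
    if (len > 12) len = 12;
    memcpy(out, in, len);
    out[len] = '\0';
    return out;
}

int main(void)
{
    char out[13];
    model_name_to_8_3_unmangled("Documents.txt", out); /* constructed 13-char mask */
    printf("out=\"%s\" logged=%d\n", out, overflow_log_count);
    return 0;
}
```

With a 13-character mask the truncated result is the same on both paths; only the noisy path adds one ERROR line per directory listing, which is what fills the log.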
Comment 1 Robert Dahlem 2008-10-30 08:33:21 UTC
Created attachment 3699
level 10 smbd.log
Comment 2 Robert Dahlem 2008-10-30 08:34:07 UTC
Created attachment 3700
tcpdump for the bug
Comment 3 Robert Dahlem 2008-11-02 02:57:26 UTC
This came in with revision 25009.

Comment was:
Large patch discussed with Volker. Move unix_convert to a talloc-based interface. More development will come on top of this. Remove the "mangled map" parameter. Jeremy.

http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/branches/SAMBA_3_2/source/smbd/mangle.c?rev=25009&r1=23866&r2=25009
Comment 4 Volker Lendecke 2008-11-02 03:03:59 UTC
Looking at that piece of code tells me that the error message is annoying but no real functional problem. Is that right?

Volker
Comment 5 Robert Dahlem 2008-11-02 03:12:59 UTC
Indeed, no errors popped up so far.

But: "no real functional problem" is kind of an elastic term. :-)
5 users browsing through some directories gives you literally hundreds of log entries per second. Can't put that into production.
Comment 6 Volker Lendecke 2008-11-02 03:27:35 UTC
Created attachment 3705
proposed patch

Can you try the attached patch?

Thanks,

Volker
Comment 7 Robert Dahlem 2008-11-02 03:38:49 UTC
And gone the problem is. Thx!
Comment 8 Volker Lendecke 2008-11-02 03:42:26 UTC
Pushed upstream.

Thanks for the feedback,

Volker
Comment 9 Jeremy Allison 2008-11-02 11:21:50 UTC
Thanks for taking care of it Volker, that change would have been my suggestion too :-).