Bug 7096 - Backport smbd memory corruption f42971c520360
Product: Samba 3.5
Classification: Unclassified
Component: File services
Hardware: All
OS: All
Importance: P3 major
Target Milestone: ---
Assigned To: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2010-02-03 13:24 UTC by Steven Danneman
Modified: 2010-02-04 04:11 UTC
CC List: 0 users

See Also:


Description Steven Danneman 2010-02-03 13:24:30 UTC
Need to backport my buffer overflow fix from master to 3.5.0 and 3.4.6. It's a
simple fix with very low risk.  The original master patch applies cleanly to
both branches.

commit 09eaeaec3ca200be9b7f8597aed7371d2b21c5c3
Author: Steven Danneman <steven.danneman@isilon.com>
Date:   Sat Jan 30 13:29:23 2010 -0800

    s3/smbd: Fix string buffer overflow causing heap corruption

    The destname malloc size was not taking into account the 1 extra byte
    needed if a string without a leading '/' was passed in and that slash
    was added.

    This would cause the '\0' byte to be written past the end of the
    malloced destname string and corrupt whatever heap memory was there.

    This problem would be hit if a share name was given in smb.conf without
    a leading '/' and if it was the exact size of the allocated STRDUP memory
    which in some implementations of malloc is a power of 2.
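The sizing mistake the commit message describes, reduced to a stand-alone illustration. This is added example code, not Samba's smbd source and not the backported patch: the function names (copy_with_leading_slash, buggy_alloc_size, fixed_alloc_size, overruns) and the share names fed to them are hypothetical. A strdup()-style allocation of strlen(name) + 1 bytes is exactly right when the name already starts with '/', and exactly one byte short when the slash has to be prepended, because the terminating '\0' then lands one past the end. The overruns() helper over-allocates by one byte and plants a sentinel there, so the off-by-one is observed without the program itself writing out of bounds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not Samba's code): copy `name` into `dst`,
 * prepending '/' when it is missing. The caller must size `dst`. */
static void copy_with_leading_slash(char *dst, const char *name)
{
    if (name[0] != '/') {
        dst[0] = '/';
        strcpy(dst + 1, name);   /* strlen(name) + 1 more bytes after the slash */
    } else {
        strcpy(dst, name);       /* strlen(name) + 1 bytes in total */
    }
}

/* Buggy sizing: strlen(name) + 1, i.e. what strdup() hands back.
 * Correct for a name that already starts with '/', one byte short
 * for a name that needs the slash added. */
size_t buggy_alloc_size(const char *name)
{
    return strlen(name) + 1;
}

/* Fixed sizing: reserve the extra byte whenever a slash will be inserted. */
size_t fixed_alloc_size(const char *name)
{
    size_t n = strlen(name) + 1;        /* characters plus the terminating NUL */
    if (name[0] != '/')
        n += 1;                         /* room for the added '/' */
    return n;
}

/* Returns 1 if copying `name` (slash added as needed) into a buffer of
 * `alloc_size` bytes writes past its end, 0 if it fits, -1 on malloc failure.
 * The buffer is made one byte larger than `alloc_size` and a sentinel is
 * stored in that extra byte, so the check stays within bounds even for the
 * buggy size; a clobbered sentinel means the real allocation would have
 * been overrun by the '\0' terminator. */
int overruns(const char *name, size_t alloc_size)
{
    char *buf = malloc(alloc_size + 1);
    if (buf == NULL)
        return -1;
    buf[alloc_size] = (char)0xAA;       /* sentinel just past the "real" allocation */
    copy_with_leading_slash(buf, name);
    int hit = (buf[alloc_size] != (char)0xAA);
    free(buf);
    return hit;
}

int main(void)
{
    /* Constructed inputs: a share path without and with the leading slash,
     * plus the two degenerate cases. */
    const char *names[] = { "share", "/share", "", "/" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        printf("%-8s buggy=%zu fixed=%zu overrun(buggy)=%d overrun(fixed)=%d\n",
               names[i],
               buggy_alloc_size(names[i]), fixed_alloc_size(names[i]),
               overruns(names[i], buggy_alloc_size(names[i])),
               overruns(names[i], fixed_alloc_size(names[i])));
    }
    return 0;
}
```

The sentinel makes the one-byte overrun visible on every run. In a real process the same write is often silent, because allocators round requests up (the power-of-two rounding the commit message mentions is one such scheme) and the stray '\0' lands in slack inside the chunk; only when the request is already at a rounding boundary does it reach the next chunk's data or the allocator's own metadata, which is why the bug surfaced only for share names of particular lengths.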
Comment 1 Jeremy Allison 2010-02-03 16:10:50 UTC
+1 from me - this is completely correct. Re-assigning to Karolin for inclusion in 3.5.0 and 3.4.6.
Comment 2 Karolin Seeger 2010-02-04 04:11:15 UTC
Pushed to both branches.
Closing out bug report.