7096 – Backport smbd memory corruption f42971c520360

Bug 7096 - Backport smbd memory corruption f42971c520360

Summary: Backport smbd memory corruption f42971c520360

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 3.5
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	3.5.0rc2
Hardware:	All All

Importance:	P3 major
Target Milestone:	---
Assignee:	Karolin Seeger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2010-02-03 13:24 UTC by Steven Danneman
Modified:	2010-02-04 04:11 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Steven Danneman 2010-02-03 13:24:30 UTC

Need to backport my buffer overflow fix from master to 3.5.0 and 3.4.6  It's a
simple fix with very low risk.  The original master patch applies cleanly to
both branches.

commit 09eaeaec3ca200be9b7f8597aed7371d2b21c5c3
Author: Steven Danneman <steven.danneman@isilon.com>
Date:   Sat Jan 30 13:29:23 2010 -0800

    s3/smbd: Fix string buffer overflow causing heap corruption

    The destname malloc size was not taking into account the 1 extra byte
    needed if a string without a leading '/' was passed in and that slash
    was added.

    This would cause the '\0' byte to be written past the end of the
    malloced destname string and corrupt whatever heap memory was there.

    This problem would be hit if a share name was given in smb.conf without
    a leading '/' and if it was the exact size of the allocated STRDUP memory
    which in some implementations of malloc is a power of 2.

Comment 1 Jeremy Allison 2010-02-03 16:10:50 UTC

+1 from me - this is completely correct. Re-assigning to Karolin for inclusion in 3.5.0 and 3.4.6.
Jeremy.

Comment 2 Karolin Seeger 2010-02-04 04:11:15 UTC

Pushed to both branches.
Closing out bug report.

Thanks!