The Samba-Bugzilla – Bug 7096
Backport smbd memory corruption f42971c520360
Last modified: 2010-02-04 04:11:15 UTC
Need to backport my buffer overflow fix from master to 3.5.0 and 3.4.6 It's a
simple fix with very low risk. The original master patch applies cleanly to
Author: Steven Danneman <firstname.lastname@example.org>
Date: Sat Jan 30 13:29:23 2010 -0800
s3/smbd: Fix string buffer overflow causing heap corruption
The destname malloc size was not taking into account the 1 extra byte
needed if a string without a leading '/' was passed in and that slash
This would cause the '\0' byte to be written past the end of the
malloced destname string and corrupt whatever heap memory was there.
This problem would be hit if a share name was given in smb.conf without
a leading '/' and if it was the exact size of the allocated STRDUP memory
which in some implementations of malloc is a power of 2.
+1 from me - this is completely correct. Re-assigning to Karolin for inclusion in 3.5.0 and 3.4.6.
Pushed to both branches.
Closing out bug report.