Bug 7584 - string overflow in safe_strcpy in call_trans2findfirst
Summary: string overflow in safe_strcpy in call_trans2findfirst
Status: NEW
Alias: None
Product: Samba 3.2
Classification: Unclassified
Component: File services
Version: 3.2.5
Hardware: All All
Importance: P3 normal
Target Milestone: ---
Assignee: Volker Lendecke
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-07-25 17:08 UTC by Marcel Müller
Modified: 2010-07-25 17:08 UTC

Description Marcel Müller 2010-07-25 17:08:31 UTC
When compiling a large project with gcc on a LANMAN2 client (eCS), the server's Samba logfile is flooded with entries like

[2010/07/25 23:09:00,  0] lib/util_str.c:safe_strcpy_fn(709)
  ERROR: string overflow by 1 (13 - 12) in safe_strcpy [playlistmenu.h?]

and the server's CPU load goes up to almost 100% (one core) with very little throughput.

Logfile: http://home.arcor.de/maazl/temp/log.mm2.bz2
Search for "safe_strcpy".
[only an excerpt; there are hundreds of these errors for each compiled file.]

I have no stack traces from the error, but a rough analysis showed that it is most probably related to some name mangling code at the end of call_trans2findfirst, because it appears immediately after the last debug line of this function.

	/* end of call_trans2findfirst: mangled_name is sized for an 8.3 name plus NUL */
	if (!mangle_is_8_3_wildcards(mask, False, conn->params)) {
		char mangled_name[13];
		name_to_8_3(mask, mangled_name, True, conn->params);
	}

I don't know what this code is good for, but I have mangled names turned off all the time. (It is not even useful with WinXX.) Maybe the code should not be executed if name mangling is disabled. But the cautionary comment prevented me from doing experiments with my server.

While I tested with Samba 3.2.5 (Debian stable), a quick look at the git sources showed that this is likely to be the same with Samba 3.6.
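To make the log line concrete, here is an added example (not Samba's code and not part of the report) of a bounded copy with the contract the message implies: the destination holds maxlength bytes plus a terminating NUL, an over-long source is truncated rather than written past the end, and the overflow is reported as "by N (len - maxlength)". The 13-byte mangled_name buffer from call_trans2findfirst gives maxlength 12, which is exactly the "(13 - 12)" in the log. One assumption is made about the real implementation: that the source length is measured with strnlen(src, maxlength + 1), so every over-long source reports an overflow of 1 regardless of its actual length. The function names bounded_copy and copy_into_mangled and the sample masks are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Added example, not Samba code. Copy at most maxlength bytes of src into
 * dest (which must have room for maxlength + 1), always NUL-terminate, and
 * return by how many bytes the source exceeded the limit (0 if it fit).
 * Assumption: the length is measured with strnlen(src, maxlength + 1), so
 * any over-long source reports an overflow of exactly 1, never more. */
size_t bounded_copy(char *dest, const char *src, size_t maxlength)
{
    size_t len = strnlen(src, maxlength + 1);
    size_t overflow = 0;

    if (len > maxlength) {
        overflow = len - maxlength;
        fprintf(stderr,
                "ERROR: string overflow by %zu (%zu - %zu) in bounded_copy [%.50s]\n",
                overflow, len, maxlength, src);
        len = maxlength;              /* truncate instead of overrunning dest */
    }
    memmove(dest, src, len);
    dest[len] = '\0';
    return overflow;
}

/* Same buffer shape as mangled_name in call_trans2findfirst:
 * 8 + '.' + 3 = 12 usable characters plus the NUL, so maxlength is 12. */
#define MANGLED_NAME_LEN 13

size_t copy_into_mangled(char out[MANGLED_NAME_LEN], const char *mask)
{
    return bounded_copy(out, mask, MANGLED_NAME_LEN - 1);
}

int main(void)
{
    char mangled_name[MANGLED_NAME_LEN];
    /* constructed inputs: the wildcard mask seen in the report's log line,
     * a plausible 8.3 name, and a much longer name */
    const char *inputs[] = { "playlistmenu.h?", "PLAYLI~1.H",
                             "a_much_longer_filename.cpp" };
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        size_t over = copy_into_mangled(mangled_name, inputs[i]);
        printf("%-28s -> \"%s\" (overflow %zu)\n",
               inputs[i], mangled_name, over);
    }
    return 0;
}
```

The point for a reader of the report: a non-zero return here is the same condition that produces the ERROR line, and because of the capped strnlen the figure "by 1" says only that the source was longer than 12, not by how much. The copy itself stays memory-safe; the cost the reporter sees is the per-entry DEBUG(0) logging, not a write past the buffer.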