[SCM] Samba Shared Repository - branch v3-5-test updated

Karolin Seeger kseeger at samba.org
Thu Feb 4 03:09:52 MST 2010


The branch, v3-5-test has been updated
       via  db5ccb7... s3/smbd: Fix string buffer overflow causing heap corruption
      from  ad17c1a... tdb: fix an early release of the global lock that can cause data corruption

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -----------------------------------------------------------------
commit db5ccb70b6ac51ea263889cc9cdd523673ae8ecd
Author: Steven Danneman <steven.danneman at isilon.com>
Date:   Sat Jan 30 13:29:23 2010 -0800

    s3/smbd: Fix string buffer overflow causing heap corruption
    
    The destname malloc size was not taking into account the 1 extra byte
    needed if a string without a leading '/' was passed in and that slash
    was added.
    
    This would cause the '\0' byte to be written past the end of the
    malloced destname string and corrupt whatever heap memory was there.
    
    This problem would be hit if a share name was given in smb.conf without
    a leading '/' and if it was the exact size of the allocated STRDUP memory
    which in some implementations of malloc is a power of 2.
    (cherry picked from commit f42971c520360e69c4cdd64bebb02a5f5ba49b94)
    
    Fix bug #7096.

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/service.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 4859344..e8775ff 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -60,7 +60,8 @@ bool set_conn_connectpath(connection_struct *conn, const char *connectpath)
 		return false;
 	}
 
-	destname = SMB_STRDUP(connectpath);
+	/* Allocate for strlen + '\0' + possible leading '/' */
+	destname = SMB_MALLOC(strlen(connectpath) + 2);
 	if (!destname) {
 		return false;
 	}
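Review bot: The `+ 2` in the SMB_MALLOC call is a bare constant whose correctness depends on writes made later in set_conn_connectpath, outside this hunk, so the allocation and those writes can drift apart again. Consider storing the size in a local such as `size_t destlen = strlen(connectpath) + 2;` and bounding or asserting the later writes against it. Also note that SMB_MALLOC, unlike the SMB_STRDUP it replaces, returns uninitialised memory, and the diffstat shows no other lines changed. It is worth confirming that the code following the NULL check writes every byte of destname, including the terminating '\0', before the buffer is read.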


-- 
Samba Shared Repository

