[SCM] Samba Shared Repository - branch master updated
Steven Danneman
sdanneman at samba.org
Sat Jan 30 14:55:15 MST 2010
The branch, master has been updated
via f42971c... s3/smbd: Fix string buffer overflow causing heap corruption
from 772d808... s4:ldb Fix check made conditional by mistake
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit f42971c520360e69c4cdd64bebb02a5f5ba49b94
Author: Steven Danneman <steven.danneman at isilon.com>
Date: Sat Jan 30 13:29:23 2010 -0800
s3/smbd: Fix string buffer overflow causing heap corruption
The destname malloc size was not taking into account the 1 extra byte
needed if a string without a leading '/' was passed in and that slash
was added.
This would cause the '\0' byte to be written past the end of the
malloced destname string and corrupt whatever heap memory was there.
This problem would be hit if a share name was given in smb.conf without
a leading '/' and if it was the exact size of the allocated STRDUP memory
which in some implementations of malloc is a power of 2.
-----------------------------------------------------------------------
Summary of changes:
source3/smbd/service.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 4859344..e8775ff 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -60,7 +60,8 @@ bool set_conn_connectpath(connection_struct *conn, const char *connectpath)
return false;
}
- destname = SMB_STRDUP(connectpath);
+ /* Allocate for strlen + '\0' + possible leading '/' */
+ destname = SMB_MALLOC(strlen(connectpath) + 2);
if (!destname) {
return false;
}
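Review bot: the switch from SMB_STRDUP to SMB_MALLOC at the `destname =` line leaves the buffer uninitialised, and nothing in this hunk shows where connectpath is copied into it. Please confirm, ideally in the commit message, that the code below the `if (!destname)` check writes every byte of destname including the terminating '\0' and never relied on the contents SMB_STRDUP used to provide. The `+ 2` is correct for strlen + '\0' + one added '/', but it is now coupled to that later code adding at most one byte. Extending the new comment to say so would keep a future change to the path rewriting from reintroducing the off-by-one.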
--
Samba Shared Repository
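The sizing error described in the commit message, as an added example that is not Samba's code: the helper names below are hypothetical, the sample paths are constructed, and the copy is bounds-checked so the too-small case is reported rather than written.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: copy src into dst (capacity cap bytes), adding a
 * leading '/' when src lacks one. Returns the bytes written including the
 * terminating '\0', or 0 if dst is too small (nothing is written then). */
static size_t copy_with_leading_slash(char *dst, size_t cap, const char *src)
{
	size_t len = strlen(src);
	size_t need = len + 1 + (src[0] == '/' ? 0 : 1);

	if (need > cap) {
		return 0;
	}
	if (src[0] != '/') {
		*dst++ = '/';
	}
	memcpy(dst, src, len + 1); /* len bytes plus the '\0' */
	return need;
}

/* Old sizing: exactly what a strdup() of the input allocates. */
static size_t strdup_size(const char *s) { return strlen(s) + 1; }
/* Fixed sizing: strlen + '\0' + possible leading '/'. */
static size_t fixed_size(const char *s) { return strlen(s) + 2; }

/* Returns 1 if the rewritten path fits in a heap buffer of cap bytes. */
static int fits(const char *path, size_t cap)
{
	char *buf = malloc(cap);
	size_t n;

	if (!buf) {
		return 0;
	}
	n = copy_with_leading_slash(buf, cap, path);
	free(buf);
	return n != 0;
}

int main(void)
{
	const char *samples[] = { "/srv/share", "srv/share" }; /* constructed */
	for (size_t i = 0; i < 2; i++) {
		printf("%-12s strdup-sized: %d  fixed: %d\n", samples[i],
		       fits(samples[i], strdup_size(samples[i])),
		       fits(samples[i], fixed_size(samples[i])));
	}
	return 0;
}
```

Only the path without a leading '/' fails under the strdup-sized buffer, which is the one-byte shortfall the fix removes.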