[SCM] Samba Shared Repository - branch master updated

Ralph Böhme slow at samba.org
Mon Jan 2 14:28:01 UTC 2023 

The branch, master has been updated
       via  01cdc5e00be lib/replace - add extra check to bsd_attr_list
      from  a6136b88174 Happy New Year 2023!

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 01cdc5e00be78a51f0766634cc7fe50de2088203
Author: Andrew Walker <awalker at ixsystems.com>
Date:   Tue Dec 27 10:59:14 2022 -0500

    lib/replace - add extra check to bsd_attr_list
    
    The FreeBSD extattr API may return success and truncated
    namelist. We need to check for this in bsd_attr_list to
    ensure that we don't accidentally read off the end of the
    buffer. In the case of a truncated value, the pascal
    strings for attr names will reflect the lengths as if
    the value were not truncated. For example:
    `58DosStrea`
    
    In case of short read we now set error to ERANGE and
    fail.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15271
    
    Signed-off-by: Andrew Walker <awalker at ixsystems.com>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Mon Jan  2 14:27:23 UTC 2023 on sn-devel-184

-----------------------------------------------------------------------

Summary of changes:
 lib/replace/xattr.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)


Changeset truncated at 500 lines:

diff --git a/lib/replace/xattr.c b/lib/replace/xattr.c
index 4869367b7da..1044942f4b9 100644
--- a/lib/replace/xattr.c
+++ b/lib/replace/xattr.c
@@ -267,6 +267,18 @@ static ssize_t bsd_attr_list (int type, extattr_arg arg, char *list, size_t size
 
 		for(i = 0; i < list_size; i += len + 1) {
 			len = buf[i];
+
+			/*
+			 * If for some reason we receive a truncated
+			 * return from call to list xattrs the pascal
+			 * string lengths will not be changed and
+			 * therefore we must check that we're not
+			 * reading garbage data or off end of array
+			 */
+			if (len + i >= list_size) {
+				errno = ERANGE;
+				return -1;
+			}
 			strncpy(list, extattr[t].name, extattr[t].len + 1);
 			list += extattr[t].len;
 			strncpy(list, buf + i + 1, len);


-- 
Samba Shared Repository

More information about the samba-cvs mailing list