String overflow in function make_group_line

Doug VanLeuven ldx at ibm.net
Fri Jun 18 18:17:14 GMT 1999


Redhat 5.2, kernel 2.0.36, gcc 2.7.2.3-14, CVS 6-17-99
In log file:
ERROR: string overflow by 7 in safe_strcpy [michaele]
line:
'users::1401:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,keng'
group name users members: 292

function make_group_line loops thru the group list
repeatedly calling safe_strcpy to construct a group line.

Item #1
The string overflow appears to be caused by the define
#define PSTRING_LEN 1024
limiting the buffer length.
Anyone know of any unintended consequences changing
this to say 2048 ?

Item #2
In make_group_line, the buffer pointer p is incremented
for the separating comma, but not for the names.
However, max_len for the buffer is decremented for the
names, as well as the commas.  If the line is just commas,
I could get by with a limit of 1024 and only decrementing 1
per comma.

Item #3
In make_group_line, max_len is defined int and goes negative
after 1024 is used up, but safe_strcpy is size_t.  It isn't detected
and storage would be corrupted (if the names were being copied).
log file with my trace of variables:

TRACE:len=5, name=davet, max_len=23
TRACE:len=6, name=cordel, max_len=17
TRACE:len=8, name=gregoryw, max_len=10
ERROR: string overflow by 7 in safe_strcpy [michaele]
TRACE:len=8, name=michaele, max_len=1
TRACE:len=6, name=pennya, max_len=-8
TRACE:len=8, name=carolyne, max_len=-15

Item #4
The same conditions exist in
groupdb/aliasdb.c function make_alias_line
groupdb/builtindb.c function  make_builtin_line
groupdb/groupdb.c function make_group_line

I can fix this for myself, but I don't really know what was
the intent, only a guess.

-- Doug VanLeuven : 707-545-6933 (Voice) 707-545-6945 (fax)
Programmer/Analyst, SCWA : doug at scwa.ca.gov
Chief Engineer, USMM : roamdad at ibm.net
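
Added example, not part of the original post and not Samba source: the Item #3 condition (a negative int budget handed to a size_t parameter) next to a joiner that keeps its remaining space as size_t and checks before each copy. The names bounded_copy, limit_seen_by_callee and join_members are hypothetical; the member names come from the trace above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Member names taken from the trace in the post. */
const char *SAMPLE_NAMES[] = { "davet", "cordel", "gregoryw",
                               "michaele", "pennya", "carolyne" };

/* Hypothetical bounded copy with a size_t limit (a stand-in, not Samba's
 * safe_strcpy): copies at most maxlen bytes, then a terminating NUL. */
static void bounded_copy(char *dst, const char *src, size_t maxlen)
{
    size_t len = strlen(src);
    if (len > maxlen) len = maxlen;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* The limit a size_t parameter receives once an int budget is negative:
 * -8 converts to SIZE_MAX - 7, so the callee sees no limit at all. */
size_t limit_seen_by_callee(int max_len) { return (size_t)max_len; }

/* Joins names with commas into buf. Remaining space is a size_t checked
 * before every subtraction; p advances past names as well as commas.
 * Returns how many names fit; the rest are left out, never truncated. */
int join_members(char *buf, size_t buflen, const char **names, int count)
{
    char *p = buf;
    size_t remaining = buflen ? buflen - 1 : 0;  /* reserve the NUL */
    int written = 0;
    if (buflen == 0) return 0;
    *p = '\0';
    for (int i = 0; i < count; i++) {
        size_t len = strlen(names[i]);
        size_t need = len + (written ? 1 : 0);   /* name plus its comma */
        if (need > remaining) break;             /* would overflow: stop */
        if (written) { *p++ = ','; remaining--; }
        bounded_copy(p, names[i], remaining);
        p += len; remaining -= len;
        written++;
    }
    return written;
}

int main(void)
{
    char line[24];               /* 23 usable bytes, as max_len=23 in the trace */
    printf("%d names fit: ", join_members(line, sizeof line, SAMPLE_NAMES, 6));
    printf("%s; (size_t)-8 = %zu\n", line, limit_seen_by_callee(-8));
    return 0;
}
```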



