string overflow error & patch

Doug VanLeuven ldx at ibm.net
Thu Jun 24 23:19:43 GMT 1999


Redhat 5.2, kernel 2.0.36, gcc 2.7.2.3-14, CVS 6-17-99
Original error:
ERROR: string overflow by 7 in safe_strcpy [michaele]
line: 'users::1401:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,keng'
group name users members: 292


Item 1: make_group_line was failing to increment the
pointer after copying each group name, only the commas

Item 2: make_group_line failed to cease trying to copy
names when the PSTRING_LEN limit was reached allowing
the max_len counter to go negative.

Item 3: safe_strcpy ignores the negative and would have
corrupted memory if make_group_line had actually
been incrementing for the names.

Item 4: groupdb/aliasdb.c, groupdb/builtindb.c, groupdb/groupdb.c
were all coded the same way, so the patch needs to be applied
to all three.

This is a minor error. I don't know exactly what this would
have broken, but it seems it should be fixed.  Anyone trying
to have groups with many members might be interested.
Please check my work.

===================================================================
RCS file: /cvsroot/samba/source/groupdb/aliasdb.c,v
retrieving revision 1.7
diff -u -r1.7 aliasdb.c
--- aliasdb.c   1998/12/07 17:23:46     1.7
+++ aliasdb.c   1999/06/24 22:37:21
@@ -474,14 +474,15 @@
        for (i = 0; i < (*num_mem); i++)
        {
                len = strlen((*mem)[i].name);
-               p = safe_strcpy(p, (*mem)[i].name, max_len);
-
-               if (p == NULL)
-               {
+               if (len < max_len) {
+                       p = safe_strcpy(p, (*mem)[i].name, max_len);
+               }
+               else {
                        DEBUG(0, ("make_alias_line: out of space for aliases!\n"));
                        return False;
                }

+               p += len;
                max_len -= len;

                if (i != (*num_mem)-1)
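Review bot: the added `if (len < max_len)` branch no longer tests the return value of safe_strcpy, although the removed lines checked it for NULL, so the new `p += len` would do arithmetic on a NULL pointer if the copy ever fails for a reason other than length. Suggest keeping a NULL test directly after the call and returning False from it as well. As a style point, the added `if (...) {` and `else {` lines put the brace on the same line, while the surrounding context puts it on its own line.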
Index: groupdb/builtindb.c
===================================================================
RCS file: /cvsroot/samba/source/groupdb/builtindb.c,v
retrieving revision 1.2
diff -u -r1.2 builtindb.c
--- builtindb.c 1998/12/07 17:23:46     1.2
+++ builtindb.c 1999/06/24 22:37:22
@@ -453,14 +453,15 @@
        for (i = 0; i < (*num_mem); i++)
        {
                len = strlen((*mem)[i].name);
-               p = safe_strcpy(p, (*mem)[i].name, max_len);
-
-               if (p == NULL)
-               {
+               if (len < max_len) {
+                       p = safe_strcpy(p, (*mem)[i].name, max_len);
+               }
+               else {
                        DEBUG(0, ("make_builtin_line: out of space for builtin aliases!\n"));
                        return False;
                }

+               p += len;
                max_len -= len;

                if (i != (*num_mem)-1)
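Review bot: the new guard `if (len < max_len)` compares a strlen() result with the remaining-space counter, and the declarations of both are outside this hunk; if len is unsigned and max_len is a signed int, a zero-or-negative max_len is converted to unsigned for the comparison and a negative value would pass the guard. Suggest making the intent explicit, for example `if (max_len > 0 && len < (size_t)max_len)`, or declaring both with the same signedness.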
Index: groupdb/groupdb.c
===================================================================
RCS file: /cvsroot/samba/source/groupdb/groupdb.c,v
retrieving revision 1.5
diff -u -r1.5 groupdb.c
--- groupdb.c   1998/12/07 17:23:46     1.5
+++ groupdb.c   1999/06/24 22:37:22
@@ -472,14 +472,15 @@
        for (i = 0; i < (*num_mem); i++)
        {
                len = strlen((*mem)[i].name);
-               p = safe_strcpy(p, (*mem)[i].name, max_len);
-
-               if (p == NULL)
-               {
+               if (len < max_len) {
+                       p = safe_strcpy(p, (*mem)[i].name, max_len);
+               }
+               else {
                        DEBUG(0, ("make_group_line: out of space for groups!\n"));
                        return False;
                }

+               p += len;
                max_len -= len;

                if (i != (*num_mem)-1)
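Review bot: the guard `if (len < max_len)` at the top of the loop body reserves room for the name and its terminator but not for whatever the trailing `if (i != (*num_mem)-1)` branch appends between members; that branch's body is outside the hunk, so please confirm it has its own bounds check, or reserve the extra byte here for every member except the last. The identical change is repeated in aliasdb.c and builtindb.c, so a shared helper would keep the three copies from drifting apart.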

===================================================================

-- Doug VanLeuven - 707-545-6933 (voice) 707-545-6945 (fax)
Chief Engineer, USMM roamdad at ibm.net
Programmer/Analyst, SCWA doug at scwa.ca.gov
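
The accounting problem described in Items 1 to 3, as an added example that is not part of the original post or of Samba's code: a bounded comma-join that checks the remaining space before each copy and advances the pointer past each name. The function name join_members, its signature and the sample member names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Samba's make_group_line): join n member names
 * with commas into buf[size]. Returns the length written, or -1 if the
 * line does not fit, in which case buf holds an empty string. */
long join_members(char *buf, size_t size, const char *const *names, size_t n)
{
    char *p = buf;
    size_t left = size;   /* unsigned: cannot silently go negative */
    size_t i;

    if (size == 0)
        return -1;
    buf[0] = '\0';
    for (i = 0; i < n; i++) {
        size_t len = strlen(names[i]);
        size_t sep = (i + 1 < n) ? 1 : 0;   /* comma after all but the last */

        /* Need len + sep bytes plus the NUL; written so nothing can wrap. */
        if (len >= left || sep >= left - len) {
            buf[0] = '\0';   /* never hand back a truncated member list */
            return -1;
        }
        memcpy(p, names[i], len);
        p += len;            /* Item 1: step past the name, not just the comma */
        left -= len;         /* Items 2 and 3: decremented only after the check */
        if (sep) {
            *p++ = ',';
            left--;
        }
        *p = '\0';
    }
    return (long)(p - buf);
}

int main(void)
{
    /* Constructed sample data, not taken from the original report. */
    const char *const members[] = { "alice", "bob", "carol" };
    char line[16];

    printf("%ld '%s'\n", join_members(line, sizeof line, members, 3), line);
    printf("%ld\n", join_members(line, 15, members, 3));
    return 0;
}
```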
