BUG: possible buffer overrun in lp_string()

Luke Kenneth Casson Leighton lkcl at samba.org
Sun Jan 23 17:50:38 GMT 2000


there is no length-limiting in string_sub().  lp_string() uses a maximum
length allocation of old_string_size + 100, limited to 1024 bytes.

the use of standard_sub_basic() could potentially overwrite string
buffers.

luke

<a href="mailto:lkcl at samba.org"   > Luke Kenneth Casson Leighton    </a>
<a href="http://www.cb1.com/~lkcl"> Samba and Network Development   </a>
<a href="http://samba.org"        > Samba Web site                  </a>
<a href="http://www.iss.net"      > Internet Security Systems, Inc. </a>
<a href="http://mcp.com"          > Macmillan Technical Publishing  </a>

 ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals
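
The failure mode reported above, shown from the defensive side as an added example (not Samba's code and not part of the original post): a substitution routine that computes the final length before writing and refuses any result that would exceed the buffer. The name `bounded_string_sub`, its signature, and the sample strings are hypothetical; the 100-byte slack in `main` mirrors the sizing the post describes.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Samba's string_sub(): replace every occurrence of
 * `pattern` in the NUL-terminated string `buf` with `insert`. `cap` is the
 * full size of buf, terminator included. Returns 0 on success, -1 if the
 * result would not fit; on failure buf is left unchanged. */
int bounded_string_sub(char *buf, size_t cap, const char *pattern,
                       const char *insert)
{
    size_t plen = strlen(pattern), ilen = strlen(insert);
    size_t len = strlen(buf), count = 0;
    const char *p;
    char *s;

    if (plen == 0 || len >= cap)
        return -1;

    /* Pass 1: count matches so the final length is known before any write. */
    for (p = buf; (p = strstr(p, pattern)) != NULL; p += plen)
        count++;

    /* Growth check written as a division so count * growth cannot wrap. */
    if (ilen > plen && count > (cap - 1 - len) / (ilen - plen))
        return -1;

    /* Pass 2: rewrite in place; memmove handles the overlapping tail. */
    for (s = buf; (s = strstr(s, pattern)) != NULL; s += ilen) {
        memmove(s + ilen, s + plen, strlen(s + plen) + 1);
        memcpy(s, insert, ilen);
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: original string plus 100 bytes of slack. */
    char buf[sizeof "home=/users/%U" + 100] = "home=/users/%U";
    char big[201];

    memset(big, 'A', 200);
    big[200] = '\0';
    printf("short: %d -> %s\n",
           bounded_string_sub(buf, sizeof buf, "%U", "luke"), buf);
    strcpy(buf, "home=/users/%U");
    /* A 200-byte value exceeds the 100-byte slack and is rejected. */
    printf("long:  %d -> %s\n",
           bounded_string_sub(buf, sizeof buf, "%U", big), buf);
    return 0;
}
```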


