BUG: possible buffer overrun in lp_string()
Luke Kenneth Casson Leighton
lkcl at samba.org
Sun Jan 23 17:50:38 GMT 2000
there is no length-limiting in string_sub(). lp_string() uses a maximum
length allocation of old_string_size + 100, limited to 1024 bytes.
the use of standard_sub_basic() could potentially overwrite string
buffers.
luke
Luke Kenneth Casson Leighton <lkcl at samba.org>
Samba and Network Development: http://www.cb1.com/~lkcl
Samba Web site: http://samba.org
Internet Security Systems, Inc.: http://www.iss.net
Macmillan Technical Publishing: http://mcp.com
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals
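The kind of length check the post says string_sub() lacks, as an added example (not part of the original post and not Samba's code). bounded_string_sub(), the "%v" token and the sample values are hypothetical; the sample buffer uses the "old length + 100" sizing the post mentions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Samba's string_sub(): replace each `pattern` in
 * `buf` with `insert`, but only if the result fits in `bufsize` bytes
 * including the NUL. Returns the number of replacements, or -1 with `buf`
 * left untouched when the expansion would not fit. */
int bounded_string_sub(char *buf, size_t bufsize,
                       const char *pattern, const char *insert)
{
    size_t plen = strlen(pattern), ilen = strlen(insert);
    size_t len, count = 0;
    char *p;

    if (bufsize == 0 || memchr(buf, '\0', bufsize) == NULL)
        return -1;                      /* not a terminated string */
    if (plen == 0)
        return 0;
    len = strlen(buf);

    /* Pass 1: count matches so the final length is known before any write. */
    for (p = buf; (p = strstr(p, pattern)) != NULL; p += plen)
        count++;
    if (ilen > plen && count > (bufsize - 1 - len) / (ilen - plen))
        return -1;                      /* growth exceeds the headroom */

    /* Pass 2: substitute in place; inserted text is skipped, not rescanned. */
    for (p = buf; (p = strstr(p, pattern)) != NULL; p += ilen) {
        memmove(p + ilen, p + plen, strlen(p + plen) + 1);
        memcpy(p, insert, ilen);
    }
    return (int)count;
}

/* Constructed case: a 9-byte string in a buffer of old length + 100, with a
 * 60-byte substitution value. Two expansions need 116 extra bytes, more
 * than the 100 bytes of slack, so the call must be refused. */
int demo_old_len_plus_100(void)
{
    char value[61], buf[9 + 100] = "%v and %v";
    memset(value, 'A', 60);
    value[60] = '\0';
    return bounded_string_sub(buf, sizeof buf, "%v", value);
}

int main(void) { printf("%d\n", demo_old_len_plus_100()); return 0; }
```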