Doesn't this cause a Segmentation fault under a DoS attack?

Kenichi Okuyama okuyama at trl.ibm.co.jp
Fri Jun 30 07:40:54 GMT 2000


Dear all,

I want to know one thing.
In samba-2.0.7/source/process.c:

    InBuffer = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
    OutBuffer = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);

is the way InBuffer is allocated, where

smb.h:27:#define BUFFER_SIZE (0xFFFF)
smb.h:28:#define SAFETY_MARGIN 1024

is being defined. But on the other hand,

smb.h:1384: #define smb_len(buf) (PVAL(buf,3)|(PVAL(buf,2)<<8)|((PVAL(buf,1)&1)<<16))

... which means the maximum smb_len() return value can be up to
`0x1ffff'.

Now, if someone wished to attack smbd and created software that
creates an SMB with a length over (0xffff+1024), wouldn't this cause
smbd to stop due to a SEGMENTATION FAULT? Or would stepping onto
another memory chunk cause some bad cracking?

Or am I misreading something, and there is no problem with the
code???

Can anybody explain this to me?
--- 
Kenichi Okuyama at Tokyo Research Lab. IBM Japan.Co.
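The following is an added example, not code from Samba or from the poster. It models only the three definitions quoted above (BUFFER_SIZE, SAFETY_MARGIN and the smb_len() macro), builds the 4-byte NetBIOS session header that smb_len() reads, and computes how far a maximal advertised length exceeds the BUFFER_SIZE + SAFETY_MARGIN allocation. It then shows the check a receiver needs before reading the body into a fixed buffer: compare the advertised length against the allocation first and reject the frame if it does not fit. The assumption that the 4 header bytes sit at the start of the same buffer as the body, and the helper names encode_smb_len, decode_smb_len, smb_frame_fits, fits_len and roundtrip, are the example's own and not from the page.

```c
/* Added example (not Samba's code): models the length decode and buffer
 * sizes quoted from samba-2.0.7 to show the gap the post asks about, and
 * the bounds check a receiver needs before reading into a fixed buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUFFER_SIZE   (0xFFFF)   /* smb.h:27 as quoted in the post */
#define SAFETY_MARGIN 1024       /* smb.h:28 as quoted in the post */
#define PVAL(buf, pos) ((uint32_t)(((const unsigned char *)(buf))[pos]))
/* smb.h:1384 as quoted: 17-bit length, bit 16 is the low bit of byte 1 */
#define smb_len(buf) (PVAL(buf,3)|(PVAL(buf,2)<<8)|((PVAL(buf,1)&1)<<16))

/* Size of the allocation made for InBuffer/OutBuffer in process.c */
#define RECV_ALLOC (BUFFER_SIZE + SAFETY_MARGIN)

/* Build the 4-byte session header that smb_len() reads.
 * Only 17 bits are representable; higher bits are dropped, as in the decode. */
void encode_smb_len(unsigned char hdr[4], uint32_t len)
{
    hdr[0] = 0x00;                              /* session message type */
    hdr[1] = (unsigned char)((len >> 16) & 1);
    hdr[2] = (unsigned char)((len >> 8) & 0xFF);
    hdr[3] = (unsigned char)(len & 0xFF);
}

uint32_t decode_smb_len(const unsigned char hdr[4])
{
    return smb_len(hdr);
}

/* Largest value smb_len() can return: all 17 bits set. */
uint32_t smb_len_max(void)
{
    return 0x1FFFF;
}

/* Bytes by which a maximal advertised length exceeds the allocation. */
uint32_t max_overrun(void)
{
    return smb_len_max() - RECV_ALLOC;
}

/* The check a receiver must make before reading the body: the advertised
 * length plus the 4 header bytes already in the buffer must fit the
 * allocation. Returns 1 if the frame may be read, 0 if it must be rejected.
 * Assumption (not from the page): header and body share one buffer. */
int smb_frame_fits(const unsigned char hdr[4], size_t alloc_size)
{
    uint32_t len = decode_smb_len(hdr);
    return (size_t)len + 4 <= alloc_size;
}

/* Convenience: encode a length and decode it again. */
uint32_t roundtrip(uint32_t len)
{
    unsigned char hdr[4];
    encode_smb_len(hdr, len);
    return decode_smb_len(hdr);
}

/* Convenience: would a frame advertising `len` be accepted against RECV_ALLOC? */
int fits_len(uint32_t len)
{
    unsigned char hdr[4];
    encode_smb_len(hdr, len);
    return smb_frame_fits(hdr, RECV_ALLOC);
}

int main(void)
{
    printf("max smb_len = 0x%x, allocation = 0x%x, overrun = %u bytes\n",
           roundtrip(smb_len_max()), (unsigned)RECV_ALLOC, max_overrun());
    printf("frame with max length accepted?         %d\n", fits_len(smb_len_max()));
    printf("frame with BUFFER_SIZE length accepted? %d\n", fits_len(BUFFER_SIZE));
    return 0;
}
```

With the quoted constants, smb_len() can advertise 0x1ffff bytes while the allocation holds 0xffff + 1024, so a length-only comparison rather than the raw macro value is what decides whether the read is safe; the check belongs before the body read, and rejected frames should be logged so repeated oversized lengths from one peer are visible in detection.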


More information about the samba-technical mailing list