Possibility of Segmentation Fault on smbd/trans2.c
Kenichi Okuyama
okuyamak at dd.iij4u.or.jp
Mon Jan 15 05:57:07 GMT 2001
Dear all,
I think I found possibility of Segmentation Fault in
./source/smbd/trans2.c:reply_trans2().
At reply_trans2(), pointer "params" and "data" are sometimes NULL,
and sometimes being malloced, independently. Also, there's chance
that 'params' and 'data' are being requested to be so large that
multiple smb packets are required to transfer this data entirely.
Since so, there's while() loop inside reply_trans2(), which treats
2nd ( and afters ) smb transs2 packets.
Inside this while loop, memcpy() are being called, once for "params"
and once for "data". The problems are, that this is being called
without any check of "params"/"data" being NULL.
Here, we have possibility of having Segmentation Fault for ether
"params" or "data" whichever is being NULL, by chance.
# I don't think this is usual case, but that doesn't mean
# it will not happen.
I think following patch will cover this problem. This patch is for
HEAD branch.
best regards,
----
Kenichi Okuyama at Tokyo Research Lab. IBM-Japan, Co.
Index: ./samba/source/smbd/trans2.c
===================================================================
RCS file: /cvsroot/samba/source/smbd/trans2.c,v
retrieving revision 1.156
diff -u -b -B -r1.156 trans2.c
--- ./samba/source/smbd/trans2.c 2000/12/11 22:31:25 1.156
+++ ./samba/source/smbd/trans2.c 2001/01/15 05:46:16
@@ -2340,10 +2340,16 @@
if (num_params_sofar > total_params || num_data_sofar > total_data)
exit_server("data overflow in trans2");
+ if (( params )&&( num_params )) {
+
memcpy( ¶ms[ SVAL(inbuf, smb_spsdisp)],
smb_base(inbuf) + SVAL(inbuf, smb_spsoff), num_params);
+ }
+
+ if (( data )&&( num_data )) {
memcpy( &data[SVAL(inbuf, smb_sdsdisp)],
smb_base(inbuf)+ SVAL(inbuf, smb_sdsoff), num_data);
+ }
}
}
More information about the samba-technical
mailing list