Possibility of Segmentation Fault on smbd/trans2.c

Kenichi Okuyama okuyamak at dd.iij4u.or.jp
Mon Jan 15 10:16:21 GMT 2001

Dear Mike,

>>>>> "MBA" == Michael B Allen <mballen at erols.com> writes:
>> Here, we have the possibility of a Segmentation Fault for either
>> "params" or "data", whichever happens to be NULL.
>> # I don't think this is usual case, but that doesn't mean
>> # it will not happen.
MBA> It's quite common that the number of parameters and/or the number of data
MBA> bytes is 0. For instance, if a TRANS2_QUERY_PATH_INFORMATION were returning
MBA> an ERRbadpath, etc.

Isn't it only because the number of parameters and the number of data
bytes have been both 0 or both non-0 till now? To get a Segmentation
fault from this, only one of params/data must be NULL, and the trans2
packet must carry a non-0 length for the one that is NULL-pointered.

# Which usually means, broken packet.

MBA> But hey, it works right. That seems to be the theme here :~)

Maybe this is because we were running memcpy() even when the length is
0. I thought it was implementation dependent how memcpy() behaves when
the given length is 0.

# Well, I don't know the truth. It's nothing more than a guess, after
# all. All I did was find code written in dangerous patterns.

Kenichi Okuyama at Tokyo Research Lab. IBM-Japan, Co.
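The two copy patterns discussed in this thread, as an added example that is not part of the original message and not Samba's smbd/trans2.c code. The struct, the `COPY_*` codes, the function names and the sample byte arrays are hypothetical stand-ins for a trans2 reply being assembled from separate parameter and data blocks. One caveat worth having next to the thread: the C standard requires every pointer argument of memcpy() to be valid even when the length is 0, so a NULL block copied with length 0 is undefined behaviour rather than merely implementation dependent, and the only safe order of checks is length first, pointer second, as the hardened version below does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a trans2 reply being assembled (not Samba's
 * own structure): a parameter block and a data block, either of which may
 * be absent (NULL pointer, size 0). */
struct trans2_reply {
    const uint8_t *params;
    size_t paramsize;
    const uint8_t *data;
    size_t datasize;
};

enum { COPY_OK = 0, COPY_BROKEN = -1, COPY_TOOBIG = -2 };

/* The dangerous pattern: memcpy() runs unconditionally. A NULL block with a
 * non-zero size dereferences NULL, and even a NULL block with size 0 is
 * undefined behaviour (C99 7.21.1p2), so it only "works" by accident.
 * Only safe to call when both blocks are actually present. */
static size_t pack_reply_unchecked(uint8_t *out, const struct trans2_reply *r)
{
    size_t off = 0;
    memcpy(out + off, r->params, r->paramsize);
    off += r->paramsize;
    memcpy(out + off, r->data, r->datasize);
    off += r->datasize;
    return off;
}

/* Hardened copy of one block. Order matters: the size-0 check comes first so
 * that src is never passed to memcpy() when there is nothing to copy. */
static int put_block(uint8_t *out, size_t outlen, size_t *off,
                     const uint8_t *src, size_t n)
{
    if (n == 0)
        return COPY_OK;       /* nothing to copy; src may legitimately be NULL */
    if (src == NULL)
        return COPY_BROKEN;   /* non-zero length for an absent block: broken packet */
    if (n > outlen - *off)
        return COPY_TOOBIG;   /* would overrun the output buffer */
    memcpy(out + *off, src, n);
    *off += n;
    return COPY_OK;
}

/* Assemble params then data; on success *total receives the packed length. */
static int pack_reply_checked(uint8_t *out, size_t outlen,
                              const struct trans2_reply *r, size_t *total)
{
    size_t off = 0;
    int rc = put_block(out, outlen, &off, r->params, r->paramsize);
    if (rc != COPY_OK)
        return rc;
    rc = put_block(out, outlen, &off, r->data, r->datasize);
    if (rc != COPY_OK)
        return rc;
    *total = off;
    return COPY_OK;
}

/* Constructed sample blocks for the demo (not captured traffic). */
static const uint8_t sample_params[2] = { 0x00, 0x00 };
static const uint8_t sample_data[5]   = { 0x01, 0x02, 0x03, 0x04, 0x05 };

/* Run one constructed case through the checked packer into a buffer of
 * outlen bytes (capped at 16); returns the packed length on success or
 * the negative COPY_* code. */
static int run_case(const uint8_t *params, size_t psize,
                    const uint8_t *data, size_t dsize, size_t outlen)
{
    uint8_t out[16];
    struct trans2_reply r = { params, psize, data, dsize };
    size_t total = 0;
    int rc;
    if (outlen > sizeof out)
        outlen = sizeof out;
    rc = pack_reply_checked(out, outlen, &r, &total);
    return rc == COPY_OK ? (int)total : rc;
}

int main(void)
{
    struct trans2_reply full = { sample_params, sizeof sample_params,
                                 sample_data, sizeof sample_data };
    uint8_t out[16];
    /* the unchecked pattern is fine only in the both-present case */
    printf("unchecked, both present: %zu\n", pack_reply_unchecked(out, &full));
    /* error-style reply: params present, data absent (NULL, 0) */
    printf("params only:   %d\n", run_case(sample_params, 2, NULL, 0, 16));
    /* broken packet: data NULL but a non-zero data length */
    printf("broken packet: %d\n", run_case(sample_params, 2, NULL, 4, 16));
    /* both blocks present */
    printf("full reply:    %d\n", run_case(sample_params, 2, sample_data, 5, 16));
    /* output buffer too small for both blocks */
    printf("overflow:      %d\n", run_case(sample_params, 2, sample_data, 5, 4));
    return 0;
}
```

The "params only" case is the ERRbadpath-style reply from the thread: data is NULL with length 0 and the hardened packer never hands that pointer to memcpy(). The "broken packet" case is the one the thread worries about, a NULL block with a non-zero length, which the hardened packer rejects instead of dereferencing NULL.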

More information about the samba-technical mailing list