[bug][security] buffer overflow in clirap.c/clientgen.c
Samba-JP TAKAHASHI Motonobu
monyo at samba.gr.jp
Tue Jun 19 19:11:01 GMT 2001
Hello,
We, Samba-JP, found a security bug in Samba 2.0.9/Samba 2.2.0.
In a Japanese environment dos_to_unix() and unix_to_dos() change the
length of the string. For example, under 'coding system = HEX', a
SJIS-encoded character 0x815a (2 bytes) changes to ":81:5a" (6 bytes) in a
HEX-encoded string. This causes a buffer overflow.
This is a patch to fix it in clientgen.c/clirap.c.
AND this kind of problem still remains in the current Samba code.
In Samba Japanese Edition, we removed all dos_to_unix(, True) and
unix_to_dos(, True) calls. In order to do this, we adjusted the places
where dos_to_unix() and unix_to_dos() are called so that the character
code is converted in the proper place.
samba-2.0.9
---- Cut Here ----
--- libsmb/clientgen.c.org Wed Jun 20 03:40:33 2001
+++ libsmb/clientgen.c Wed Jun 20 03:47:18 2001
@@ -644,9 +644,11 @@
int type = SVAL(p,14);
int comment_offset = IVAL(p,16) & 0xFFFF;
char *cmnt = comment_offset?(rdata+comment_offset-converter):"";
- dos_to_unix(sname,True);
- dos_to_unix(cmnt,True);
- fn(sname, type, cmnt);
+ pstring s1, s2;
+
+ dos_to_unix(s1, sname);
+ dos_to_unix(s2, cmnt);
+ fn(s1, type, s2);
}
} else {
DEBUG(4,("NetShareEnum res=%d\n", res));
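Review bot: the replacement call `dos_to_unix(s1, sname)` has a different signature from the `dos_to_unix(sname,True)` it removes (string plus BOOL) and from the `pstrcpy(s1, dos_to_unix(sname, False))` form used in the clirap.c hunks below; unless the 2.0.9 tree this targets already carries the two-string variant, this will not build against a stock 2.0.9, so the intended prototype should be stated or the pstrcpy form used here as well. Also, `s1` and `s2` are fixed-size pstrings and nothing here bounds the converted length: a string that expands threefold under HEX (2 bytes to 6, as the message describes) can still overflow them unless the two-argument dos_to_unix is itself length-limited.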
@@ -719,13 +721,15 @@
char *sname = p;
int comment_offset = (IVAL(p,22) & 0xFFFF)-converter;
char *cmnt = comment_offset?(rdata+comment_offset):"";
+ pstring s1, s2;
if (comment_offset < 0 || comment_offset > rdrcnt) continue;
stype = IVAL(p,18) & ~SV_TYPE_LOCAL_LIST_ONLY;
- dos_to_unix(sname, True);
- dos_to_unix(cmnt, True);
- fn(sname, stype, cmnt);
+ dos_to_unix(s1, sname);
+ dos_to_unix(s2, cmnt);
+
+ fn(s1, stype, s2);
}
}
}
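Review bot: the existing check `if (comment_offset < 0 || comment_offset > rdrcnt) continue;` bounds the offset into rdata, not the length of `sname` or `cmnt`, so the new copies into `s1`/`s2` still rely on the converted output fitting a fixed pstring; suggest rejecting or truncating entries whose converted length would exceed sizeof(pstring) before calling fn(). The stray blank `+` line before `fn(s1, stype, s2);` can be dropped.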
---- Cut Here ----
samba-2.2-HEAD
---- Cut Here ----
diff -ur ../../samba/source/libsmb/clirap.c ./libsmb/clirap.c
--- ../../samba/source/libsmb/clirap.c Mon Mar 12 06:50:08 2001
+++ ./libsmb/clirap.c Tue Jun 19 10:54:26 2001
@@ -179,9 +179,11 @@
int type = SVAL(p,14);
int comment_offset = IVAL(p,16) & 0xFFFF;
char *cmnt = comment_offset?(rdata+comment_offset-converter):"";
- dos_to_unix(sname,True);
- dos_to_unix(cmnt,True);
- fn(sname, type, cmnt, state);
+ pstring s1, s2;
+
+ pstrcpy(s1, dos_to_unix(sname, False));
+ pstrcpy(s2, dos_to_unix(cmnt, False));
+ fn(s1, type, s2, state);
}
} else {
DEBUG(4,("NetShareEnum res=%d\n", res));
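Review bot: `pstrcpy(s1, dos_to_unix(sname, False));` depends on dos_to_unix(..., False) returning a pointer that stays valid until pstrcpy has consumed it, and the second call may reuse that buffer; the ordering here is correct (each result is copied before the next conversion), but the constraint is undocumented, so a one-line comment would keep a later reordering from silently breaking it. Copying through pstrcpy is what actually bounds the write to sizeof(pstring), which is the fix the message describes.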
@@ -256,13 +258,15 @@
char *sname = p;
int comment_offset = (IVAL(p,22) & 0xFFFF)-converter;
char *cmnt = comment_offset?(rdata+comment_offset):"";
+ pstring s1, s2;
+
if (comment_offset < 0 || comment_offset > rdrcnt) continue;
stype = IVAL(p,18) & ~SV_TYPE_LOCAL_LIST_ONLY;
- dos_to_unix(sname, True);
- dos_to_unix(cmnt, True);
- fn(sname, stype, cmnt, state);
+ pstrcpy(s1, dos_to_unix(sname, False));
+ pstrcpy(s2, dos_to_unix(cmnt, False));
+ fn(s1, type, s2, state);
}
}
}
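Review bot: `fn(s1, type, s2, state);` passes `type`, but the line it replaces passed `stype`, which is the value computed just above by `stype = IVAL(p,18) & ~SV_TYPE_LOCAL_LIST_ONLY;`; in this function the server type is `stype`, so this should read `fn(s1, stype, s2, state);` (the clientgen.c counterpart above keeps `stype`). The blank `+` line after `pstring s1, s2;` is also unneeded.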
---- Cut Here ----
-----
TAKAHASHI Motonobu mailto:monyo at samba.gr.jp
Samba Users Group Japan http://www.samba.gr.jp/
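As an added illustration of the expansion described in the message above (example code, not Samba's dos_to_unix() and not the Samba-JP patch), the functions below model the 'coding system = HEX' conversion of a Shift_JIS string into a separate, length-checked buffer instead of overwriting the source in place; the SJIS lead-byte ranges and the sample bytes are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
/* Shift_JIS lead-byte ranges (standard SJIS; assumed for this example). */
static int is_sjis_lead(unsigned char b) {
    return (b >= 0x81 && b <= 0x9f) || (b >= 0xe0 && b <= 0xfc);
}
/* Bytes the HEX form of src needs (no NUL): a 2-byte SJIS character
 * becomes ":XX:XX" (6 bytes), the expansion the report describes. */
size_t hex_encoded_len(const unsigned char *src) {
    size_t n = 0;
    for (; *src; src++) {
        if (is_sjis_lead(*src) && src[1]) { n += 6; src++; } else n += 1;
    }
    return n;
}

static char *put_hex(char *out, unsigned char b) {
    static const char d[] = "0123456789abcdef";
    *out++ = ':'; *out++ = d[b >> 4]; *out++ = d[b & 0x0f];
    return out;
}
/* Bounded counterpart of the in-place dos_to_unix(str, True): converts src
 * into a separate buffer of dstlen bytes. Returns 1 on success; returns 0
 * and leaves dst empty when the expanded string would not fit. */
int hex_encode_bounded(const unsigned char *src, char *dst, size_t dstlen) {
    char *out = dst;
    if (dstlen == 0) return 0;
    if (hex_encoded_len(src) + 1 > dstlen) { dst[0] = '\0'; return 0; }
    for (; *src; src++) {
        if (is_sjis_lead(*src) && src[1]) {
            out = put_hex(out, src[0]);      /* lead byte  -> ":XX" */
            out = put_hex(out, src[1]);      /* trail byte -> ":XX" */
            src++;
        } else {
            *out++ = (char)*src;             /* ASCII passes through */
        }
    }
    *out = '\0';
    return 1;
}

int main(void) {
    /* Constructed sample: SJIS 0x815a followed by ASCII "x" (3 bytes). */
    const unsigned char sjis[] = { 0x81, 0x5a, 'x', 0 };
    char small[4], big[16];
    printf("into 4 bytes:  ok=%d\n", hex_encode_bounded(sjis, small, sizeof small));
    printf("into 16 bytes: ok=%d %s\n", hex_encode_bounded(sjis, big, sizeof big), big);
    return 0;
}
```

The 3-byte input needs 8 bytes after expansion, so the 4-byte destination is refused instead of overrun, which is the check an in-place conversion of a caller's buffer cannot make.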