[bug][security] buffer overflow in clirap.c/clientgen.c

Samba-JP TAKAHASHI Motonobu monyo at samba.gr.jp
Tue Jun 19 19:11:01 GMT 2001


Hello,

We, Samba-JP, found a security bug in Samba 2.0.9 and Samba 2.2.0.

In a Japanese environment, dos_to_unix() and unix_to_dos() change the
length of the string. For example, under 'coding system = HEX', the
SJIS-encoded character 0x815a (2 bytes) becomes ":81:5a" (6 bytes) in the
HEX-encoded string. Because the conversion is done in place, this causes a
buffer overflow.

Below is a patch that fixes it in clientgen.c and clirap.c.

Note that this kind of problem remains elsewhere in the current Samba code.

In the Samba Japanese Edition, we removed all calls to dos_to_unix(, True)
and unix_to_dos(, True). To do this, we moved the calls to dos_to_unix()
and unix_to_dos() so that the character code is converted in the proper
place.

samba-2.0.9
---- Cut Here ----
--- libsmb/clientgen.c.org	Wed Jun 20 03:40:33 2001
+++ libsmb/clientgen.c	Wed Jun 20 03:47:18 2001
@@ -644,9 +644,11 @@
 		      int type = SVAL(p,14);
 		      int comment_offset = IVAL(p,16) & 0xFFFF;
 		      char *cmnt = comment_offset?(rdata+comment_offset-converter):"";
-			  dos_to_unix(sname,True);
-			  dos_to_unix(cmnt,True);
-		      fn(sname, type, cmnt);
+		      pstring s1, s2; 
+  
+                      dos_to_unix(s1, sname); 
+		      dos_to_unix(s2, cmnt); 
+		      fn(s1, type, s2); 
 	      }
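Review bot: The replacement call `dos_to_unix(s1, sname);` passes the source string as the second argument, while the call it replaces, `dos_to_unix(sname,True);`, and the 2.2 hunks below use a `(char *str, BOOL overwrite)` form; unless the 2.0.9 tree this was made against carries a two-argument copy-convert variant, the pointer would be taken as the overwrite flag or the build would fail. The same form appears in the second clientgen.c hunk. Against a stock 2.0.9 dos_to_unix() the consistent spelling would be `pstrcpy(s1, dos_to_unix(sname, False));`, as the clirap.c hunks do, if its non-overwrite path behaves the same. The `dos_to_unix(s1, sname);` line is also indented with spaces where the surrounding code uses tabs. The enclosing loop begins before the hunk.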
       } else {
 	      DEBUG(4,("NetShareEnum res=%d\n", res));
@@ -719,13 +721,15 @@
 				char *sname = p;
 				int comment_offset = (IVAL(p,22) & 0xFFFF)-converter;
 				char *cmnt = comment_offset?(rdata+comment_offset):"";
+				pstring s1, s2;
 				if (comment_offset < 0 || comment_offset > rdrcnt) continue;
 
 				stype = IVAL(p,18) & ~SV_TYPE_LOCAL_LIST_ONLY;
 
-				dos_to_unix(sname, True);
-				dos_to_unix(cmnt, True);
-				fn(sname, stype, cmnt);
+				dos_to_unix(s1, sname); 
+				dos_to_unix(s2, cmnt); 
+   
+				fn(s1, stype, s2); 
 			}
 		}
 	}
---- Cut Here ----

samba-2.2-HEAD
---- Cut Here ----
diff -ur ../../samba/source/libsmb/clirap.c ./libsmb/clirap.c
--- ../../samba/source/libsmb/clirap.c	Mon Mar 12 06:50:08 2001
+++ ./libsmb/clirap.c	Tue Jun 19 10:54:26 2001
@@ -179,9 +179,11 @@
 					int type = SVAL(p,14);
 					int comment_offset = IVAL(p,16) & 0xFFFF;
 					char *cmnt = comment_offset?(rdata+comment_offset-converter):"";
-					dos_to_unix(sname,True);
-					dos_to_unix(cmnt,True);
-					fn(sname, type, cmnt, state);
+					pstring s1, s2;
+
+					pstrcpy(s1, dos_to_unix(sname, False));
+					pstrcpy(s2, dos_to_unix(cmnt, False));
+					fn(s1, type, s2, state);
 				}
 			} else {
 				DEBUG(4,("NetShareEnum res=%d\n", res));
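Review bot: The added `pstrcpy(s1, dos_to_unix(sname, False));` lines give no reason for abandoning the in-place conversion, and a later reader may well revert to the shorter `dos_to_unix(sname, True)`. A comment above the `pstring s1, s2;` declaration such as `/* Convert into a local copy: in-place conversion can grow the string (HEX coding: 2 bytes -> 6) and overflow rdata. */` would pin the reason. Two points to confirm rather than visible here: the non-overwrite path of dos_to_unix() presumably returns a static buffer, so its own bound against the expanded length should be checked, and pstrcpy() silently truncates a converted string longer than a pstring, which is acceptable for display output but should be a known property. The enclosing function starts before the hunk.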
@@ -256,13 +258,15 @@
 				char *sname = p;
 				int comment_offset = (IVAL(p,22) & 0xFFFF)-converter;
 				char *cmnt = comment_offset?(rdata+comment_offset):"";
+				pstring s1, s2;
+
 				if (comment_offset < 0 || comment_offset > rdrcnt) continue;
 
 				stype = IVAL(p,18) & ~SV_TYPE_LOCAL_LIST_ONLY;
 
-				dos_to_unix(sname, True);
-				dos_to_unix(cmnt, True);
-				fn(sname, stype, cmnt, state);
+				pstrcpy(s1, dos_to_unix(sname, False));
+				pstrcpy(s2, dos_to_unix(cmnt, False));
+				fn(s1, type, s2, state);
 			}
 		}
 	}
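Review bot: The new call `fn(s1, type, s2, state);` passes `type` where the line it replaces passed `stype`, the value computed a few lines above from `IVAL(p,18)`; the corresponding 2.0.9 hunk keeps `stype`. Whether `type` is even in scope in this function is not visible here, so either the build fails or the callback receives the wrong server type. The line should read `fn(s1, stype, s2, state);`. The enclosing loop begins before the hunk.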
---- Cut Here ----

-----
TAKAHASHI Motonobu                    mailto:monyo at samba.gr.jp
Samba Users Group Japan               http://www.samba.gr.jp/




