svn commit: samba r23668 - in branches: SAMBA_3_0/source/lib SAMBA_3_0_26/source/lib

Michael Adam ma at sernet.de
Sun Jul 1 00:04:36 GMT 2007


Jeremy: Wow, that was an immediate alert! 

On Sat, Jun 30, 2007 at 04:53:49PM -0700, Jeremy Allison wrote:
> On Sat, Jun 30, 2007 at 11:52:24PM +0000, obnox at samba.org wrote:
> > Author: obnox
> > Date: 2007-06-30 23:52:23 +0000 (Sat, 30 Jun 2007)
> > New Revision: 23668
> > 
> > WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=23668
> > 
> > Log:
> > When creating a new string value, win2k regedit delivers
> > one byte of data despite characters being two-byte.
> > 
> > This modifies registry_pull_value, to change the data
> > to the correct two-byte version of the empty string,
> > (as delivered by winxp), when only one byte of data is
> > received.
> 
> > +			if (!(tmp = SMB_MALLOC_ARRAY(smb_ucs2_t, num_ucs2+1))) {
> > +				err = WERR_NOMEM;
> > +				goto error;
> > +			}
> >  
> > -		if (!(tmp = SMB_MALLOC_ARRAY(smb_ucs2_t, num_ucs2+1))) {
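Review bot: the only visible change in this hunk is that the SMB_MALLOC_ARRAY(smb_ucs2_t, num_ucs2+1) call moves one indentation level deeper, so whether num_ucs2+1 can wrap cannot be judged from the hunk itself; the commit message should state where num_ucs2 is derived (the reply below says length/2, with length passed in by the caller) so the reviewer does not have to go looking. A count of length/2 does keep the +1 from wrapping, but it does not by itself bound the count-times-sizeof multiplication that the array allocation performs, so either confirm that SMB_MALLOC_ARRAY rejects oversized counts or bound length before this point and say so in the log.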
> 
> DANGER DANGER !!!!! Does num_ucs2 come from the client ?
> 
> You must check for integer wrap here otherwise you've
> just added a security hole !!!!

I did not create a security hole (kept at the worst):
This block of code was just indented one additional level.
num_ucs2 = length/2, length being passed to the function.
So there is no danger of wrap here, right?

Michael

-- 
Michael Adam <ma at sernet.de>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE
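As an added illustration of the wrap question in this thread (example code written for this page, not Samba's registry_pull_value or SMB_MALLOC_ARRAY; smb_ucs2_t is stood in by uint16_t and the function names are mine), the allocation is written with the integer-wrap check made explicit. It also goes one step beyond the reply: num_ucs2 = length/2 does keep num_ucs2+1 from wrapping, but the count-to-bytes multiplication still needs its own bound.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t smb_ucs2_t;   /* stand-in for Samba's two-byte char type (assumed) */
/* Byte size of (count + 1) smb_ucs2_t units; false if the +1 or the multiply
 * by sizeof(smb_ucs2_t) would wrap. The explicit check the review asks about. */
bool ucs2_array_bytes(size_t count, size_t *bytes_out)
{
	if (count == SIZE_MAX) {
		return false;                   /* count + 1 would wrap to 0 */
	}
	size_t units = count + 1;
	if (units > SIZE_MAX / sizeof(smb_ucs2_t)) {
		return false;                   /* units * 2 would wrap */
	}
	*bytes_out = units * sizeof(smb_ucs2_t);
	return true;
}

/* The reply's argument: num_ucs2 = length / 2 is at most SIZE_MAX / 2, so
 * num_ucs2 + 1 cannot wrap. (SIZE_MAX / 2 + 1) * 2 still can, so the
 * count-to-bytes multiplication needs its own bound regardless. */
size_t num_ucs2_from_length(size_t length)
{
	return length / 2;
}

/* Copy `length` client bytes into a NUL-terminated smb_ucs2_t buffer. One byte
 * (the win2k regedit case in the log) gives num_ucs2 == 0, i.e. the two-byte
 * empty string; a trailing odd byte is dropped (simplification). NULL on wrap. */
smb_ucs2_t *pull_ucs2_value(const uint8_t *data, size_t length)
{
	size_t num_ucs2 = num_ucs2_from_length(length);
	size_t bytes;
	if (!ucs2_array_bytes(num_ucs2, &bytes)) {
		return NULL;
	}
	smb_ucs2_t *tmp = malloc(bytes);
	if (tmp == NULL) {
		return NULL;
	}
	if (num_ucs2 > 0) {
		memcpy(tmp, data, num_ucs2 * sizeof(smb_ucs2_t));
	}
	tmp[num_ucs2] = 0;
	return tmp;
}
```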

