svn commit: samba r23668 - in branches: SAMBA_3_0/source/lib
jra at samba.org
Mon Jul 2 17:07:24 GMT 2007
On Sun, Jul 01, 2007 at 04:19:40PM +0200, Michael Adam wrote:
> This was exactly my reasoning, why num_ucs2 can't wrap.
> But of course length itself is potentially dangerous here,
> since "length + 2" is passed to convert_string_talloc a
> couple of lines further down (since the function adds a
> (two byte) zero to the end of the input string).
> So what to do about that? Check for length >=
> (maximum of uint32) - 2 and return an error when
> this is the case?
That was the purpose of my alert - to make you
look at uses of user-provided data into *alloc
You need to fix this asap as it's currently
a security issue. Look at the code in smbd/trans2.c
You need to do something like :
if (length + 2 < length)
to check for wrap. And add some comments
explaining that "length" cannot be trusted
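The wrap check Jeremy describes, written out as an added example (this is not Samba code and not the trans2.c logic he refers to; the helper names and the UCS-2 copy routine are assumptions made for illustration). It shows why `length + 2` must be validated before it reaches an allocator when `length` comes from the wire, and what the check looks like when the length is a `uint32_t`:

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not Samba's): compute length + 2, the size needed
 * for an untrusted buffer plus a two-byte UCS-2 terminator, and refuse
 * when the addition would wrap a uint32_t. */
static bool safe_terminated_len(uint32_t length, uint32_t *out_len)
{
    /* Wrap check in the form from the thread: if the sum wrapped, it is
     * smaller than the operand we started from. This works for uint32_t
     * because unsigned int arithmetic is defined to wrap modulo 2^32. */
    if (length + 2 < length) {
        return false;
    }
    *out_len = length + 2;
    return true;
}

/* Equivalent check that does not depend on the wrap happening in the
 * same width as the comparison; this form is safe even for types narrower
 * than int, where "length + 2" would be promoted and never wrap. */
static bool safe_terminated_len_alt(uint32_t length, uint32_t *out_len)
{
    if (length > UINT32_MAX - 2) {
        return false;
    }
    *out_len = length + 2;
    return true;
}

/* Simulated allocation step: copy an untrusted buffer of `length` bytes
 * and append a two-byte zero terminator, the way a UCS-2 conversion
 * routine would. Returns NULL on any length problem or allocation
 * failure; the caller owns the returned buffer. */
static uint8_t *copy_with_ucs2_terminator(const uint8_t *src, uint32_t length)
{
    uint32_t alloc_len;
    uint8_t *dst;

    if (src == NULL) {
        return NULL;
    }
    /* Without this check, length = 0xFFFFFFFF would allocate 1 byte and
     * the memcpy below would write far past it. */
    if (!safe_terminated_len(length, &alloc_len)) {
        return NULL;
    }
    dst = malloc(alloc_len);
    if (dst == NULL) {
        return NULL;
    }
    memcpy(dst, src, length);
    dst[length] = 0;
    dst[length + 1] = 0;
    return dst;
}
```

The second form, `length > UINT32_MAX - 2`, is worth preferring in new code: `a + b < a` only detects a wrap when the addition is actually performed in the unsigned width being checked, so it silently stops working if `length` is later changed to a `uint16_t` or another type that C promotes to `int` before the addition.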