svn commit: samba r23668 - in branches: SAMBA_3_0/source/lib SAMBA_3_0_26/source/lib

Jeremy Allison jra at samba.org
Mon Jul 2 17:07:24 GMT 2007


On Sun, Jul 01, 2007 at 04:19:40PM +0200, Michael Adam wrote:
> 
> This was exactly my reasoning, why num_ucs2 can't wrap.
> 
> But of course length itself is potentially dangerous here,
> since "length + 2" is passed to convert_string_talloc a
> couple of lines further down (since the function adds a
> (two byte) zero to the end of the input string.
> 
> So what to do about that? Check for length >= 
> (maximum of uint32) - 2  and return an error when
> this is the case?

That was the purpose of my alert - to make you
look at uses of user-privided data into *alloc
functions.

You need to fix this asap as it's currently
a security issue. Look at the code in smbd/trans2.c

You need to do something like :

if (length + 2 < length)

to check for wrap. And add some comments
explaining that "length" cannot be trusted
here.

Thansk,

	Jeremy.


More information about the samba-technical mailing list