[PATCH] s4/rpc_server/dnsserver/dnsdata.c: fix out-of-bound buffer access

Aurélien Aptel aaptel at suse.com
Fri Mar 4 11:23:27 UTC 2016


Another PVS fix.

On my 64-bit machine:

  sizeof(&dns->data)  == sizeof(union DNS_RPC_DATA)  == 56
  sizeof(&dnsp->data) == sizeof(union dnsRecordData) == 40

Thus the memcpy() will read beyond the size of dnsp->data.

The unions have mismatching sizes because:

a) the RPC version has an extra `length` uint8_t struct member on most
   string-type fields (aka "pascal strings")
b) struct layout/alignment resulting from (a)

The unions are defined by pidl-generated code and are just not meant to
store anything other than what they were designed for, which the
switch handles AFAIK.

The attached patch simply removes the memcpy() call. Another
(non-)solution would be to copy sizeof(dnsp->data) bytes but I don't
think it's right, as I said earlier.

Googling for the debug message printed afterward leads to a thread
here from 3 years ago [1] where the issue was a misconfiguration on
the Windows side, it seems.

Please review/comment


1: https://lists.samba.org/archive/samba/2013-September/175444.html

Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0012-s4-rpc_server-dnsserver-dnsdata.c-fix-out-of-bound-b.patch
Type: text/x-patch
Size: 1414 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160304/9882cf22/0012-s4-rpc_server-dnsserver-dnsdata.c-fix-out-of-bound-b.bin>
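The size mismatch described in the mail, reproduced in miniature as an added example (not Samba code, and not the patch attached above): two hypothetical unions, one whose string member carries a `length` byte (the "pascal string" RPC style) and one whose does not, end up with different `sizeof`, so a `memcpy()` of `sizeof(dst)` bytes from the smaller union reads past its end. The example measures the overrun rather than performing it, and shows the per-type `switch` conversion that copies only the member the record type selects. All type names, the `NAME_MAX` bound and the record types are made up for illustration; the sizes (16 and 12 on a typical 64-bit ABI) are not the 56/40 from the mail.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for two pidl-style unions; not Samba's real
 * DNS_RPC_DATA / dnsRecordData definitions.  NAME_MAX is an arbitrary bound. */
#define NAME_MAX 12

struct wire_name {        /* RPC side: "pascal string", length byte + chars */
    uint8_t length;
    char    str[NAME_MAX];
};

struct stored_name {      /* stored side: same chars, no length byte */
    char    str[NAME_MAX];
};

enum rec_type { REC_A = 1, REC_NS = 2 };

union wire_data {         /* stand-in for the RPC-side union (dns->data) */
    uint32_t         ipv4;
    struct wire_name ns;
};

union stored_data {       /* stand-in for the stored union (dnsp->data) */
    uint32_t           ipv4;
    struct stored_name ns;
};

/* Bytes that memcpy(&dst, &src, sizeof(dst)) would read past the end of
 * src.  The buggy pattern is deliberately not executed here: any value > 0
 * means that call is an out-of-bounds read. */
size_t blind_copy_overrun(void)
{
    size_t want = sizeof(union wire_data);
    size_t have = sizeof(union stored_data);
    return want > have ? want - have : 0;
}

/* Bounded string length without relying on strnlen() being declared. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Per-type conversion: copy only the member selected by the record type,
 * so the number of bytes read from src never exceeds that member's size.
 * Returns 0 on success, -1 for a type this converter does not handle. */
int stored_to_wire(enum rec_type type, const union stored_data *src,
                   union wire_data *dst)
{
    memset(dst, 0, sizeof(*dst));
    switch (type) {
    case REC_A:
        dst->ipv4 = src->ipv4;
        return 0;
    case REC_NS: {
        size_t n = bounded_len(src->ns.str, NAME_MAX);
        dst->ns.length = (uint8_t)n;
        memcpy(dst->ns.str, src->ns.str, n);
        return 0;
    }
    default:
        return -1;  /* unknown type: refuse rather than copy raw union bytes */
    }
}

int main(void)
{
    union stored_data s;
    union wire_data w;

    printf("sizeof(union wire_data)   = %zu\n", sizeof(union wire_data));
    printf("sizeof(union stored_data) = %zu\n", sizeof(union stored_data));
    printf("blind memcpy would overrun src by %zu bytes\n", blind_copy_overrun());

    memset(&s, 0, sizeof(s));
    memcpy(s.ns.str, "ns1.test", 8);                 /* constructed sample record */
    if (stored_to_wire(REC_NS, &s, &w) == 0)
        printf("NS record: length=%u str=%.*s\n", w.ns.length,
               (int)w.ns.length, w.ns.str);
    return 0;
}
```

The point of `stored_to_wire()` is the one the mail makes about the existing `switch`: once every record type is handled by copying its own member, there is nothing left for a whole-union `memcpy()` to do, and removing it costs no data.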