authorConrad Meyer <cem@FreeBSD.org>2017-09-29 15:53:26 +0000
committerConrad Meyer <cem@FreeBSD.org>2017-09-29 15:53:26 +0000
commit51bcc337dd0465cfc1867814631e6d0b2432698f (patch)
tree4a6f76f07a3c0787de347f56ca71b1c08ad954e2 /sys/netsmb
parent451c2bec47d1be2658a5e9fc9fcac889e195ccc4 (diff)
netsmb: Fix buggy/racy smb_strdupin()
smb_strdupin() tried to roll a copyin()-based strlen to allocate a buffer and then blindly copyin() that size. Of course, a malicious user program could simultaneously manipulate the buffer, resulting in a non-terminated string being copied. Later assumptions in the code rely upon the string being nul-terminated. Just use copyinstr() and drop the racy sizing. PR: 222687 Reported by: Meng Xu <meng.xu AT gatech.edu> Security: possible local DoS Sponsored by: Dell EMC Isilon
Notes
Notes: svn path=/head/; revision=324102
Diffstat (limited to 'sys/netsmb')
-rw-r--r--sys/netsmb/smb_subr.c17
1 files changed, 3 insertions, 14 deletions
diff --git a/sys/netsmb/smb_subr.c b/sys/netsmb/smb_subr.c
index 2992f994b171..c4b97308d617 100644
--- a/sys/netsmb/smb_subr.c
+++ b/sys/netsmb/smb_subr.c
@@ -110,22 +110,11 @@ smb_strdup(const char *s)
char *
smb_strdupin(char *s, size_t maxlen)
{
- char *p, bt;
+ char *p;
int error;
- size_t len;
- len = 0;
- for (p = s; ;p++) {
- if (copyin(p, &bt, 1))
- return NULL;
- len++;
- if (maxlen && len > maxlen)
- return NULL;
- if (bt == 0)
- break;
- }
- p = malloc(len, M_SMBSTR, M_WAITOK);
- error = copyin(s, p, len);
+ p = malloc(maxlen + 1, M_SMBSTR, M_WAITOK);
+ error = copyinstr(s, p, maxlen + 1, NULL);
if (error) {
free(p, M_SMBSTR);
return (NULL);