Date: Fri, 29 Sep 2017 14:17:19 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 222687] smb_strdupin() does not properly check the length of string duped-in
Message-ID: <bug-222687-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222687

            Bug ID: 222687
           Summary: smb_strdupin() does not properly check the length of string duped-in
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: misc
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: meng.xu@gatech.edu

In function smb_strdupin(), it first guesses the length of the input string (by incrementally reading and testing for the NULL terminator) and then copyins the whole string from userspace.

However, given that another user thread can "scramble" the userspace buffer while smb_strdupin() is in execution, it might result in a case where the string after the second copyin is not NULL terminated.

This itself is not yet a very serious issue. However, it does become a bug later.

smb_strdupin() is invoked in smb_usr_t2request() by

    t2p->t_name = smb_strdupin(dp->ioc_name, 128);

And later in downstream functions

    smb_t2_request(t2p) --> smb_t2_request_int(t2p)

there is a call to t2p->t_name:

    nmlen = t2p->t_name ? strlen(t2p->t_name) : 0

Now if t2p->t_name is not NULL terminated, calling strlen(t2p->t_name) will cause weird behaviors, such as invalid memory accesses.

-- 
You are receiving this mail because:
You are the assignee for the bug.
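The double-copy race the report describes, as an added userland model (this is example code written for this page, not FreeBSD's smb_strdupin(), copyin(9) or copyinstr(9)). A static array stands in for user memory, `fake_copyin` is a plain memcpy, and a hook called between the length probe and the bulk copy plays the role of the racing user thread. The hardened variant keeps the bytes it used to find the terminator instead of re-reading them, which is the contract copyinstr(9) gives; the byte-at-a-time loop is a simplification of how that is actually implemented.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for a user buffer; sizeof matches the 128 byte
 * limit that smb_usr_t2request() passes for ioc_name. */
static char user_buf[128];

/* Hypothetical hook: invoked between the probe and the bulk copy so the
 * test can rewrite user memory deterministically instead of racing. */
static void (*race_hook)(void) = NULL;

/* Stand-in for copyin(9): no fault handling, user memory is just an array. */
static int fake_copyin(const void *uaddr, void *kaddr, size_t len) {
    memcpy(kaddr, uaddr, len);
    return 0;
}

/* Vulnerable shape: probe the length one byte at a time, then copy the
 * probed length again from user memory without re-checking the terminator.
 * The second read can observe different bytes than the probe did. */
char *strdupin_racy(const char *uaddr, size_t maxlen) {
    size_t len = 0;
    char c;
    for (;;) {
        if (len >= maxlen) return NULL;          /* no NUL within maxlen */
        if (fake_copyin(uaddr + len, &c, 1)) return NULL;
        len++;
        if (c == '\0') break;
    }
    if (race_hook) race_hook();                  /* another thread scrambles the buffer */
    char *p = malloc(len);
    if (!p) return NULL;
    if (fake_copyin(uaddr, p, len)) { free(p); return NULL; }
    return p;                                    /* p[len-1] may no longer be '\0' */
}

/* Hardened shape: every byte is copied into kernel memory exactly once and
 * the terminator check is done on the kernel copy, so a concurrent rewrite of
 * user memory cannot change the decision after it is made. */
char *strdupin_safe(const char *uaddr, size_t maxlen) {
    char *p = malloc(maxlen);
    size_t len = 0;
    if (!p) return NULL;
    while (len < maxlen) {
        if (fake_copyin(uaddr + len, &p[len], 1)) { free(p); return NULL; }
        if (p[len++] == '\0') return p;          /* NUL is now in kernel memory */
    }
    free(p);                                     /* reject: no NUL within maxlen */
    return NULL;
}

/* The racing thread: replace "abc\0" with a run of 'A' that has no NUL until
 * the very end of the buffer. */
static void scramble(void) {
    memset(user_buf, 'A', sizeof user_buf - 1);
    user_buf[sizeof user_buf - 1] = '\0';
}

/* Returns 1 when the racy version hands back a buffer whose probed length
 * contains no terminator, the state in which the later strlen() overreads. */
int demo_racy_loses_terminator(void) {
    strcpy(user_buf, "abc");
    race_hook = scramble;
    char *p = strdupin_racy(user_buf, sizeof user_buf);
    race_hook = NULL;
    if (!p) return -1;
    int lost = memchr(p, '\0', 4) == NULL;      /* probe measured 4 bytes */
    free(p);
    return lost;
}

/* Returns 1 when the hardened version yields a properly terminated "abc";
 * the hook is armed but never reached because there is no second copy. */
int demo_safe_terminated(void) {
    strcpy(user_buf, "abc");
    race_hook = scramble;
    char *p = strdupin_safe(user_buf, sizeof user_buf);
    race_hook = NULL;
    if (!p) return 0;
    int ok = strlen(p) == 3 && strcmp(p, "abc") == 0;
    free(p);
    return ok;
}

/* Returns 1 when both variants reject a buffer with no NUL in maxlen bytes. */
int demo_overlong_rejected(void) {
    memset(user_buf, 'B', sizeof user_buf);      /* no terminator at all */
    char *a = strdupin_racy(user_buf, sizeof user_buf);
    char *b = strdupin_safe(user_buf, sizeof user_buf);
    free(a); free(b);
    return a == NULL && b == NULL;
}

int main(void) {
    printf("racy copy lost terminator: %d\n", demo_racy_loses_terminator());
    printf("safe copy terminated:      %d\n", demo_safe_terminated());
    printf("overlong input rejected:   %d\n", demo_overlong_rejected());
    return 0;
}
```

The point of the contrast is not the byte loop but where the terminator check lives: any design that reads user memory twice and trusts the first read to describe the second is open to this race, whatever the copy granularity.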