upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-04-01 23:45:12 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
opnsense-src/sys/netsmb
History
Conrad Meyer 51bcc337dd netsmb: Fix buggy/racy smb_strdupin() 
smb_strdupin() tried to roll a copyin() based strlen to allocate a buffer
and then blindly copyin that size.  Of course, a malicious user program
could simultaneously manipulate the buffer, resulting in a non-terminated
string being copied.

Later assumptions in the code rely upon the string being nul-terminated.

Just use copyinstr() and drop the racy sizing.

PR:		222687
Reported by:	Meng Xu <meng.xu AT gatech.edu>
Security:	possible local DoS
Sponsored by:	Dell EMC Isilon
2017-09-29 15:53:26 +00:00
..
netbios.h
smb.h
smb_conn.c
smb_conn.h
smb_crypt.c
smb_dev.c
smb_dev.h
smb_iod.c
smb_rq.c
smb_rq.h
smb_smb.c Remove unused SMB_DIALECT_MAX macro. 2016-04-20 21:13:24 +00:00
smb_subr.c netsmb: Fix buggy/racy smb_strdupin() 2017-09-29 15:53:26 +00:00
smb_subr.h
smb_tran.h
smb_trantcp.c
smb_trantcp.h
smb_usr.c sys/net*: minor spelling fixes. 2016-05-03 18:05:43 +00:00