The branch, master has been updated
       via  8f41142 smbd: Properly protect against invalid lock data
       via  776db7d Fix is_legal_name() to not emit character conversion error messages.
      from  40db563 selftest: change to src dir for panic backtrace

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 8f411425f6649422cb5ab94ec6ca392a02ec5ee5
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Sep 11 12:04:58 2013 +0000

    smbd: Properly protect against invalid lock data
    
    If someone messes with brlock.tdb and inserts an invalid record length,
    this will lead to memcpy overwriting a few bytes behind malloc'ed data.
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    
    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Thu Sep 12 03:26:45 CEST 2013 on sn-devel-104

commit 776db7d38597a29536e4127837ffa3b4f4ce35ab
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Sep 10 10:46:18 2013 -0700

    Fix is_legal_name() to not emit character conversion error messages.
    
    Using next_codepoint() does the same check, but without the conversion
    message.
    
    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/locking/brlock.c    |    6 ++++++
 source3/smbd/mangle_hash2.c |   20 ++++++++------------
 2 files changed, 14 insertions(+), 12 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c
index ac54767..adbfc5f 100644
--- a/source3/locking/brlock.c
+++ b/source3/locking/brlock.c
@@ -1976,6 +1976,12 @@ static struct byte_range_lock 
*brl_get_locks_internal(TALLOC_CTX *mem_ctx,
                data = dbwrap_record_get_value(br_lck->record);
        }
 
+       if ((data.dsize % sizeof(struct lock_struct)) != 0) {
+               DEBUG(3, ("Got invalid brlock data\n"));
+               TALLOC_FREE(br_lck);
+               return NULL;
+       }
+
        br_lck->read_only = do_read_only;
        br_lck->lock_data = NULL;
 
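Review bot: The DEBUG(3, ("Got invalid brlock data\n")) line in the new length check reports neither data.dsize nor anything identifying the record, and level 3 is quiet for what the commit message describes as a tampered brlock.tdb. Consider logging the observed data.dsize alongside sizeof(struct lock_struct), at a more visible level, so a bad record can be traced. The check also only establishes that the length is a multiple of the struct size; a short comment saying that the record contents are not otherwise validated here, and that the function now returns NULL for this case, would help readers of the callers.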
diff --git a/source3/smbd/mangle_hash2.c b/source3/smbd/mangle_hash2.c
index 655c727..c2910f8 100644
--- a/source3/smbd/mangle_hash2.c
+++ b/source3/smbd/mangle_hash2.c
@@ -626,21 +626,17 @@ static bool is_legal_name(const char *name)
        while (*name) {
                if (((unsigned int)name[0]) > 128 && (name[1] != 0)) {
                        /* Possible start of mb character. */
-                       char mbc[2];
                        size_t size = 0;
+                       (void)next_codepoint(name, &size);
                        /*
-                        * Note that if CH_UNIX is utf8 a string may be 3
-                        * bytes, but this is ok as mb utf8 characters don't
-                        * contain embedded ascii bytes. We are really checking
-                        * for mb UNIX asian characters like Japanese (SJIS) 
here.
-                        * JRA.
+                        * Note that we're only looking for multibyte
+                        * encoding here. No encoding with a length > 1
+                        * contains invalid characters.
                         */
-                       if (convert_string(CH_UNIX, CH_UTF16LE, name, 2, mbc, 
2, &size)) {
-                               if (size == 2) {
-                                       /* Was a good mb string. */
-                                       name += 2;
-                                       continue;
-                               }
+                       if (size > 1) {
+                               /* Was a mb string. */
+                               name += size;
+                               continue;
                        }
                }
 
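Review bot: In the multibyte branch, name += size now advances by whatever length next_codepoint() reports, while the enclosing guard still only checks name[1] != 0, which matched the old fixed 2-byte conversion. Please confirm, and state in the comment, that next_codepoint() cannot report a size reaching past the terminating NUL for a truncated sequence, since otherwise the while (*name) loop would step beyond the string. The (void) cast also discards the returned codepoint, so a word on why an invalid-sequence result needs no handling here would help. The new comment sentence "No encoding with a length > 1 contains invalid characters" is ambiguous as written; if it means that multibyte sequences cannot contain the ASCII bytes checked later in this function, it should say so.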


-- 
Samba Shared Repository