The branch, master has been updated via 8f41142 smbd: Properly protect against invalid lock data via 776db7d Fix is_legal_name() to not emit character conversion error messages. from 40db563 selftest: change to src dir for panic backtrace
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 8f411425f6649422cb5ab94ec6ca392a02ec5ee5 Author: Volker Lendecke <v...@samba.org> Date: Wed Sep 11 12:04:58 2013 +0000 smbd: Properly protect against invalid lock data If someone messes with brlock.tdb and inserts an invalid record length, this will lead to memcpy overwriting a few bytes behind malloc'ed data. Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> Autobuild-User(master): Jeremy Allison <j...@samba.org> Autobuild-Date(master): Thu Sep 12 03:26:45 CEST 2013 on sn-devel-104 commit 776db7d38597a29536e4127837ffa3b4f4ce35ab Author: Jeremy Allison <j...@samba.org> Date: Tue Sep 10 10:46:18 2013 -0700 Fix is_legal_name() to not emit character conversion error messages. Using next_codepoint() does the same check, but without the conversion message. Signed-off-by: Jeremy Allison <j...@samba.org> Reviewed-by: Volker Lendecke <v...@samba.org> ----------------------------------------------------------------------- Summary of changes: source3/locking/brlock.c | 6 ++++++ source3/smbd/mangle_hash2.c | 20 ++++++++------------ 2 files changed, 14 insertions(+), 12 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c index ac54767..adbfc5f 100644 --- a/source3/locking/brlock.c +++ b/source3/locking/brlock.c @@ -1976,6 +1976,12 @@ static struct byte_range_lock *brl_get_locks_internal(TALLOC_CTX *mem_ctx, data = dbwrap_record_get_value(br_lck->record); } + if ((data.dsize % sizeof(struct lock_struct)) != 0) { + DEBUG(3, ("Got invalid brlock data\n")); + TALLOC_FREE(br_lck); + return NULL; + } + br_lck->read_only = do_read_only; br_lck->lock_data = NULL; diff --git a/source3/smbd/mangle_hash2.c b/source3/smbd/mangle_hash2.c index 655c727..c2910f8 100644 --- a/source3/smbd/mangle_hash2.c +++ b/source3/smbd/mangle_hash2.c 
@@ -626,21 +626,17 @@ static bool is_legal_name(const char *name) while (*name) { if (((unsigned int)name[0]) > 128 && (name[1] != 0)) { /* Possible start of mb character. */ - char mbc[2]; size_t size = 0; + (void)next_codepoint(name, &size); /* - * Note that if CH_UNIX is utf8 a string may be 3 - * bytes, but this is ok as mb utf8 characters don't - * contain embedded ascii bytes. We are really checking - * for mb UNIX asian characters like Japanese (SJIS) here. - * JRA. + * Note that we're only looking for multibyte + * encoding here. No encoding with a length > 1 + * contains invalid characters. */ - if (convert_string(CH_UNIX, CH_UTF16LE, name, 2, mbc, 2, &size)) { - if (size == 2) { - /* Was a good mb string. */ - name += 2; - continue; - } + if (size > 1) { + /* Was a mb string. */ + name += size; + continue; } } -- Samba Shared Repository
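Review bot: In the brlock.c hunk, the rejection path logs only "Got invalid brlock data" at level 3, which drops the two facts an operator would need to find the corrupted brlock.tdb record: the record's key and the offending data.dsize (together with sizeof(struct lock_struct)). Suggest logging both, e.g. `DEBUG(3, ("Got invalid brlock data, dsize=%u\n", (unsigned)data.dsize));`, and since the function now returns NULL on a length that is not a whole multiple of the lock record size, confirm that every caller of brl_get_locks_internal() already treats a NULL return as a failed lock fetch rather than dereferencing it.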
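Review bot: In the mangle_hash2.c hunk, the result of next_codepoint(name, &size) is discarded with `(void)`, so the legality decision rests entirely on `size > 1`; if next_codepoint() reports an undecodable sequence through its return value, that signal is lost here, so either check the return value or state in the new comment why the size alone is sufficient. The change is also not strictly "the same check" as the commit message says: the removed code accepted a multibyte sequence only when exactly 2 input bytes converted to exactly 2 bytes of UTF-16 (`size == 2`), whereas the new code accepts any sequence whose length is greater than 1 and advances by that length, which is the more correct behaviour for 3- and 4-byte UTF-8 but is a behaviour change worth noting in the message.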