Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
NetBSD/sys/netsmb
History
christos 73776b1cca From FreeBSD: 
netsmb: Fix buggy/racy smb_strdupin()

smb_strdupin() tried to roll a copyin() based strlen to allocate a buffer
and then blindly copyin that size.  Of course, a malicious user program
could simultaneously manipulate the buffer, resulting in a non-terminated
string being copied.

Later assumptions in the code rely upon the string being nul-terminated.

Just use copyinstr() and drop the racy sizing.

PR:		222687
Reported by:	Meng Xu <meng.xu AT gatech.edu>
Security:	possible local DoS
Sponsored by:	Dell EMC Isilon
 		2017-10-03 15:27:10 +00:00
..
Makefile
files.netsmb
iconv.c Make rump_smbfs(8) uses host iconv(3) to convert filenames 2014-11-15 18:49:04 +00:00
iconv.h
mchain.h Adjust smbfs/netsmb for filenames byte length changes that come as 2014-11-15 18:52:44 +00:00
netbios.h Remove leftover IPX-related stuffs 2015-05-25 08:29:01 +00:00
smb.h
smb_conn.c
smb_conn.h
smb_crypt.c
smb_dev.c Reject negative offset/count for smb read/write. 2017-07-28 14:45:59 +00:00
smb_dev.h
smb_iod.c
smb_rq.c Uninitialized vars, found by brainy 2016-08-15 08:17:35 +00:00
smb_rq.h
smb_smb.c
smb_subr.c From FreeBSD: 2017-10-03 15:27:10 +00:00
smb_subr.h Plug another overflow: refuse bogus sa_len from user. 2017-07-28 14:37:27 +00:00
smb_tran.h
smb_trantcp.c pass connect address directly to soconnect() 2015-05-22 22:05:32 +00:00
smb_trantcp.h Remove pollsock(). Since it took only a single socket, it was essentially 2014-04-25 15:52:45 +00:00
smb_usr.c Reject negative ioc_setupcnt. 2017-07-28 14:40:42 +00:00
subr_mchain.c Adjust smbfs/netsmb for filenames byte length changes that come as 2014-11-15 18:52:44 +00:00