51bcc337dd
smb_strdupin() tried to roll a copyin() based strlen to allocate a buffer and then blindly copyin that size. Of course, a malicious user program could simultaneously manipulate the buffer, resulting in a non-terminated string being copied. Later assumptions in the code rely upon the string being nul-terminated. Just use copyinstr() and drop the racy sizing. PR: 222687 Reported by: Meng Xu <meng.xu AT gatech.edu> Security: possible local DoS Sponsored by: Dell EMC Isilon |
||
---|---|---|
.. | ||
netbios.h | ||
smb_conn.c | ||
smb_conn.h | ||
smb_crypt.c | ||
smb_dev.c | ||
smb_dev.h | ||
smb_iod.c | ||
smb_rq.c | ||
smb_rq.h | ||
smb_smb.c | ||
smb_subr.c | ||
smb_subr.h | ||
smb_tran.h | ||
smb_trantcp.c | ||
smb_trantcp.h | ||
smb_usr.c | ||
smb.h |