authorAndrew Tridgell <tridge@samba.org>2003-02-07 04:01:36 +0000
committerAndrew Tridgell <tridge@samba.org>2003-02-07 04:01:36 +0000
commit4dc434c804fdce0759cd89eb0de106f8634920c8 (patch)
tree9fc0692cc923e35f4196247bca2be2d5462dd050
parent0326e054c30223083fcb4ba7e7f0e5885ecc895f (diff)
make sure we don't run over the end of 'name' in unix_convert()
Thanks to Andrew Bartlett for spotting this. (This used to be commit b4c210ccb05e71a8ddf1c25d028452dd5cd93c72)
-rw-r--r--source3/lib/util_str.c8
-rw-r--r--source3/smbd/filename.c22
2 files changed, 21 insertions, 9 deletions
diff --git a/source3/lib/util_str.c b/source3/lib/util_str.c
index 3c34df6f33..17c7cc29fe 100644
--- a/source3/lib/util_str.c
+++ b/source3/lib/util_str.c
@@ -479,11 +479,15 @@ char *safe_strcat(char *dest, const char *src, size_t maxlength)
src_len = strlen(src);
dest_len = strlen(dest);
-
+
if (src_len + dest_len > maxlength) {
DEBUG(0,("ERROR: string overflow by %d in safe_strcat [%.50s]\n",
(int)(src_len + dest_len - maxlength), src));
- src_len = maxlength - dest_len;
+ if (maxlength > dest_len) {
+ memcpy(&dest[dest_len], src, maxlength - dest_len);
+ }
+ dest[maxlength] = 0;
+ return NULL;
}
memcpy(&dest[dest_len], src, src_len);
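Review bot: The overflow branch now returns NULL but still leaves a truncated, NUL-terminated string in dest, and nothing in the hunk documents that or that maxlength excludes the terminator (the branch writes `dest[maxlength]`, so dest must hold maxlength + 1 bytes). Callers that ignore the return value keep working on a silently shortened string, and any caller that uses the returned pointer directly would now be handed NULL; the other call sites are not visible on this page and should be audited. I would add a comment above safe_strcat along the lines of `/* maxlength excludes the trailing NUL; returns NULL if src did not fit, leaving dest truncated */`. The function body starts before and continues past this hunk.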
diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index bcfd366741..7d3527402e 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -31,7 +31,8 @@ extern BOOL case_preserve;
extern BOOL short_case_preserve;
extern BOOL use_mangled_map;
-static BOOL scan_directory(const char *path, pstring name,connection_struct *conn,BOOL docache);
+static BOOL scan_directory(const char *path, char *name,size_t maxlength,
+ connection_struct *conn,BOOL docache);
/****************************************************************************
Check if two filenames are equal.
@@ -266,7 +267,11 @@ BOOL unix_convert(pstring name,connection_struct *conn,char *saved_last_componen
* Try to find this part of the path in the directory.
*/
- if (ms_has_wild(start) || !scan_directory(dirpath, start, conn, end?True:False)) {
+ if (ms_has_wild(start) ||
+ !scan_directory(dirpath, start,
+ sizeof(pstring) - 1 - (start - name),
+ conn,
+ end?True:False)) {
if (end) {
/*
* An intermediate part of the name can't be found.
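Review bot: The bound `sizeof(pstring) - 1 - (start - name)` is only right if every caller of unix_convert passes a buffer that really is a full pstring, because `pstring name` in a parameter list is a plain pointer and the compiler cannot check the size behind it. The same expression is written out again at both safe_strcat calls in the next hunk, so a slip in any one copy silently changes the limit. Computing it once at the point of use, e.g. `size_t space = sizeof(pstring) - 1 - (start - name);`, or wrapping it in a small macro would keep the three sites in step. A comment on unix_convert stating that name must be pstring-sized would make the assumption explicit. unix_convert starts and ends outside this hunk.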
@@ -315,8 +320,10 @@ BOOL unix_convert(pstring name,connection_struct *conn,char *saved_last_componen
*/
if (end) {
end = start + strlen(start);
- pstrcat(start,"/");
- pstrcat(start,rest);
+ if (!safe_strcat(start, "/", sizeof(pstring) - 1 - (start - name)) ||
+ !safe_strcat(start, rest, sizeof(pstring) - 1 - (start - name))) {
+ return False;
+ }
*end = '\0';
} else {
/*
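Review bot: On the failure path `return False;` leaves name holding the matched component with a partial "/"+rest appended, because `*end = '\0'` is skipped and the safe_strcat change in util_str.c copies what fits before returning NULL. If False is also what unix_convert returns for a name that was simply not found (the surrounding comments suggest so, but the callers are not visible here), a caller cannot tell an over-long path from a missing one and may go on to use the truncated buffer. I would restore the terminator and mark the error before returning, `*end = '\0'; errno = ENAMETOOLONG; return False;`, and check whether callers need a distinct status. unix_convert continues outside this hunk.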
@@ -428,7 +435,8 @@ BOOL check_name(pstring name,connection_struct *conn)
If the name looks like a mangled name then try via the mangling functions
****************************************************************************/
-static BOOL scan_directory(const char *path, pstring name,connection_struct *conn,BOOL docache)
+static BOOL scan_directory(const char *path, char *name, size_t maxlength,
+ connection_struct *conn,BOOL docache)
{
void *cur_dir;
char *dname;
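Review bot: The comment block above scan_directory is not updated for the new maxlength parameter, and its meaning is easy to get wrong: the call site passes `sizeof(pstring) - 1 - (start - name)`, a count that excludes the terminating NUL. I would add a line to the header comment such as `maxlength is the number of bytes available at name, not counting the trailing NUL; name is overwritten in place with the on-disk name`. The function body continues outside this hunk.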
@@ -441,7 +449,7 @@ static BOOL scan_directory(const char *path, pstring name,connection_struct *con
path = ".";
if (docache && (dname = DirCacheCheck(path,name,SNUM(conn)))) {
- pstrcpy(name, dname);
+ safe_strcpy(name, dname, maxlength);
return(True);
}
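Review bot: The result of `safe_strcpy(name, dname, maxlength)` is ignored and the function still returns True, so when the cached name is longer than the space left the caller is told the component was found while name holds a shortened string that may match no directory entry, or a different one. What safe_strcpy does on truncation is not shown on this page, so I would test the length explicitly before copying: `if (strlen(dname) > maxlength) return(False);`. The same applies to the copy after DirCacheAdd in the last hunk, where the check belongs before the cache add and the reject path also needs `CloseDir(cur_dir);`. scan_directory starts and ends outside both hunks.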
@@ -481,7 +489,7 @@ static BOOL scan_directory(const char *path, pstring name,connection_struct *con
/* we've found the file, change it's name and return */
if (docache)
DirCacheAdd(path,name,dname,SNUM(conn));
- pstrcpy(name, dname);
+ safe_strcpy(name, dname, maxlength);
CloseDir(cur_dir);
return(True);
}