path: root/source3/smbd
author: Steven Danneman <steven.danneman@isilon.com> 2010-01-30 13:29:23 -0800
committer: Steven Danneman <steven.danneman@isilon.com> 2010-01-30 13:38:31 -0800
commit: f42971c520360e69c4cdd64bebb02a5f5ba49b94 (patch)
tree: eb8900699a2eeacb58553a81b87b7b93d7c7861d /source3/smbd
parent: 772d808ac862862330dd792ba8e83ba2b3c785b3 (diff)
download: samba-f42971c520360e69c4cdd64bebb02a5f5ba49b94.tar.gz, samba-f42971c520360e69c4cdd64bebb02a5f5ba49b94.tar.bz2, samba-f42971c520360e69c4cdd64bebb02a5f5ba49b94.zip
s3/smbd: Fix string buffer overflow causing heap corruption
The destname malloc size was not taking into account the 1 extra byte needed if a string without a leading '/' was passed in and that slash was added. This would cause the '\0' byte to be written past the end of the malloced destname string and corrupt whatever heap memory was there. This problem would be hit if a share name was given in smb.conf without a leading '/' and if it was the exact size of the allocated STRDUP memory which in some implementations of malloc is a power of 2.
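The sizing mistake the commit message describes, worked through in plain C. This is an added example and not Samba's own code: SMB_STRDUP/SMB_MALLOC are replaced by libc strdup()-equivalent arithmetic and malloc(), and the function names (connectpath_bytes_needed, strdup_bytes, strdup_would_overflow, normalize_connectpath, normalize_matches) are hypothetical. It shows why a strdup-sized buffer is exactly one byte short whenever the path lacks a leading '/', and how the strlen + 2 allocation with bounded writes covers both cases.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes the finished path occupies, terminator included: strlen, plus 1
 * for the '\0', plus 1 more only if a leading '/' has to be prepended. */
size_t connectpath_bytes_needed(const char *connectpath)
{
    size_t len = strlen(connectpath);
    return len + 1 + (connectpath[0] == '/' ? 0 : 1);
}

/* Bytes a strdup()-style copy reserves: strlen + 1, with no room for
 * a character inserted later. */
size_t strdup_bytes(const char *connectpath)
{
    return strlen(connectpath) + 1;
}

/* 1 when prepending '/' into a strdup-sized buffer would write the
 * terminating '\0' one byte past the allocation (the reported bug). */
int strdup_would_overflow(const char *connectpath)
{
    return connectpath_bytes_needed(connectpath) > strdup_bytes(connectpath);
}

/* Hypothetical hardened helper mirroring the fix: always allocate
 * strlen + 2 (enough for an optional '/' and the '\0'), then build the
 * string with bounded writes so the size is enforced, not just hoped for.
 * Returns NULL on allocation failure; the caller frees the result. */
char *normalize_connectpath(const char *connectpath)
{
    size_t bufsize = strlen(connectpath) + 2;
    char *destname = malloc(bufsize);
    if (destname == NULL) {
        return NULL;
    }
    if (connectpath[0] == '/') {
        snprintf(destname, bufsize, "%s", connectpath);
    } else {
        snprintf(destname, bufsize, "/%s", connectpath);
    }
    return destname;
}

/* Test helper: 1 if normalize_connectpath(in) yields exactly `expected`. */
int normalize_matches(const char *in, const char *expected)
{
    char *got = normalize_connectpath(in);
    int ok = (got != NULL) && (strcmp(got, expected) == 0);
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed sample share paths, with and without the leading '/'. */
    const char *samples[] = { "share", "/share", "data/export" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *p = samples[i];
        char *fixed = normalize_connectpath(p);
        printf("%-12s needs %zu bytes, strdup gives %zu -> %s; fixed: %s\n",
               p, connectpath_bytes_needed(p), strdup_bytes(p),
               strdup_would_overflow(p) ? "OVERFLOW" : "ok",
               fixed ? fixed : "(alloc failed)");
        free(fixed);
    }
    return 0;
}
```

The one-byte shortfall only bites when the allocator hands back exactly the requested size, which is why the commit message mentions power-of-two bucket sizes; with a size-rounding malloc the stray '\0' lands in slack space and the bug stays silent, which is a good argument for running this kind of code under ASan or a similar bounds checker rather than trusting that it "works".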
Diffstat (limited to 'source3/smbd')
-rw-r--r--  source3/smbd/service.c  3
1 files changed, 2 insertions, 1 deletions
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 48593446e2..e8775ffd7b 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -60,7 +60,8 @@ bool set_conn_connectpath(connection_struct *conn, const char *connectpath)
return false;
}
- destname = SMB_STRDUP(connectpath);
+ /* Allocate for strlen + '\0' + possible leading '/' */
+ destname = SMB_MALLOC(strlen(connectpath) + 2);
if (!destname) {
return false;
}
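Review bot: Switching from SMB_STRDUP to SMB_MALLOC means destname is no longer filled with the contents of connectpath at the point of allocation, and this hunk does not show where that copy now happens; please confirm that the code following the NULL check writes connectpath (and the optional leading '/') into destname with a bounded copy sized to the same strlen(connectpath) + 2, otherwise the function would go on to operate on uninitialised heap memory. The size itself looks right: strlen + 1 for the '\0' + 1 for the slash the function may prepend, which is exactly the byte the old strdup-sized buffer lacked.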