From 4dc434c804fdce0759cd89eb0de106f8634920c8 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Fri, 7 Feb 2003 04:01:36 +0000
Subject: make sure we don't run over the end of 'name' in unix_convert()
Thanks to Andrew Bartlett for spotting this.
(This used to be commit b4c210ccb05e71a8ddf1c25d028452dd5cd93c72)
---
 source3/lib/util_str.c | 8 ++++++--
 source3/smbd/filename.c | 22 +++++++++++++++-------
 2 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/source3/lib/util_str.c b/source3/lib/util_str.c
index 3c34df6f33..17c7cc29fe 100644
--- a/source3/lib/util_str.c
+++ b/source3/lib/util_str.c
@@ -479,11 +479,15 @@ char *safe_strcat(char *dest, const char *src, size_t maxlength)
 src_len = strlen(src);
 dest_len = strlen(dest);
-
+
 if (src_len + dest_len > maxlength) {
 DEBUG(0,("ERROR: string overflow by %d in safe_strcat [%.50s]\n",
 (int)(src_len + dest_len - maxlength), src));
- src_len = maxlength - dest_len;
+ if (maxlength > dest_len) {
+ memcpy(&dest[dest_len], src, maxlength - dest_len);
+ }
+ dest[maxlength] = 0;
+ return NULL;
 }
 memcpy(&dest[dest_len], src, src_len);
diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index bcfd366741..7d3527402e 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -31,7 +31,8 @@ extern BOOL case_preserve;
 extern BOOL short_case_preserve;
 extern BOOL use_mangled_map;
-static BOOL scan_directory(const char *path, pstring name,connection_struct *conn,BOOL docache);
+static BOOL scan_directory(const char *path, char *name,size_t maxlength,
+ connection_struct *conn,BOOL docache);
 /****************************************************************************
 Check if two filenames are equal. 
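Review bot: The new overflow branch in safe_strcat both truncates `dest` and returns NULL, but nothing in the hunk states that contract, and every existing caller that ignores the return value (pstrcat-style use) now silently keeps a truncated string. A comment on the branch would make it explicit: `/* Truncate to maxlength bytes, NUL-terminate, and return NULL so callers can detect the overflow; dest must hold at least maxlength + 1 bytes. */`. The `maxlength > dest_len` guard is what stops the removed `maxlength - dest_len` from wrapping to a huge size_t when dest is already longer than maxlength, which deserves a one-line why-comment as well. The function's header comment and its non-overflow tail are outside the hunk.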
@@ -266,7 +267,11 @@ BOOL unix_convert(pstring name,connection_struct *conn,char *saved_last_componen
 * Try to find this part of the path in the directory.
 */
- if (ms_has_wild(start) || !scan_directory(dirpath, start, conn, end?True:False)) {
+ if (ms_has_wild(start) ||
+ !scan_directory(dirpath, start,
+ sizeof(pstring) - 1 - (start - name),
+ conn,
+ end?True:False)) {
 if (end) {
 /*
 * An intermediate part of the name can't be found.
@@ -315,8 +320,10 @@ BOOL unix_convert(pstring name,connection_struct *conn,char *saved_last_componen
 */
 if (end) {
 end = start + strlen(start);
- pstrcat(start,"/");
- pstrcat(start,rest);
+ if (!safe_strcat(start, "/", sizeof(pstring) - 1 - (start - name)) ||
+ !safe_strcat(start, rest, sizeof(pstring) - 1 - (start - name))) {
+ return False;
+ }
 *end = '\0';
 } else {
 /*
@@ -428,7 +435,8 @@ BOOL check_name(pstring name,connection_struct *conn)
 If the name looks like a mangled name then try via the mangling functions
 ****************************************************************************/
-static BOOL scan_directory(const char *path, pstring name,connection_struct *conn,BOOL docache)
+static BOOL scan_directory(const char *path, char *name, size_t maxlength,
+ connection_struct *conn,BOOL docache)
 {
 void *cur_dir;
 char *dname;
@@ -441,7 +449,7 @@ static BOOL scan_directory(const char *path, pstring name,connection_struct *con
 path = ".";
 if (docache && (dname = DirCacheCheck(path,name,SNUM(conn)))) {
- pstrcpy(name, dname);
+ safe_strcpy(name, dname, maxlength);
 return(True);
 }
@@ -481,7 +489,7 @@ static BOOL scan_directory(const char *path, pstring name,connection_struct *con
 /* we've found the file, change it's name and return */
 if (docache)
 DirCacheAdd(path,name,dname,SNUM(conn));
- pstrcpy(name, dname);
+ safe_strcpy(name, dname, maxlength);
 CloseDir(cur_dir);
 return(True);
 }
-- 
cgit
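Review bot: The remaining-space expression `sizeof(pstring) - 1 - (start - name)` passed to scan_directory here is repeated verbatim twice more in the safe_strcat hunk below, and its correctness rests on `start` always pointing inside `name`: if it ever pointed into another buffer the subtraction would wrap to a huge size_t and defeat the bound. A file-local helper such as `#define PSTRING_LEFT(base, p) (sizeof(pstring) - 1 - (size_t)((p) - (base)))` with a comment `/* bytes available after p in the pstring starting at base, excluding the terminator */` keeps the three call sites in sync and records that precondition. The enclosing loop in unix_convert starts and ends outside the hunk, so I cannot confirm from here that `start` never leaves `name`.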
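Review bot: The new `return False;` in the `if (end)` concat hunk leaves errno untouched; if unix_convert's callers turn a False return into an SMB error through errno (they are not visible here), the client receives whatever errno happened to be last rather than a path-too-long error. Setting it first, `errno = ENAMETOOLONG; return False;`, makes the failure deterministic; if errno is not how this function reports failure, a comment saying so is enough. It is also worth a comment that on this path `name` has already been truncated in place by safe_strcat and `*end` is not restored, which is acceptable only because the path is being rejected. The enclosing function starts and ends outside the hunk.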
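Review bot: In the found-file hunk the replacement `safe_strcpy(name, dname, maxlength)` bounds the write, but its return value is not checked, so unless safe_strcpy itself fails loudly a directory entry longer than the space left in `name` is silently cut short and the function still returns True, letting unix_convert continue with a filename that differs from the one on disk; the DirCacheCheck hunk above has the same shape. That is inconsistent with the unix_convert hunk, which fails the lookup when safe_strcat overflows. Checking before the copy and before the cache is updated, `if (strlen(dname) > maxlength) { CloseDir(cur_dir); return False; }` (the same test without CloseDir in the DirCacheCheck path), keeps the two functions consistent. The surrounding directory loop is outside the hunk.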