From b686b9152865e6ae864d417931fc4bde4184e5b4 Mon Sep 17 00:00:00 2001 From: Steven Danneman Date: Sat, 30 Jan 2010 13:29:23 -0800 Subject: [PATCH] s3/smbd: Fix string buffer overflow causing heap corruption The destname malloc size was not taking into account the 1 extra byte needed if a string without a leading '/' was passed in and that slash was added. This would cause the '\0' byte to be written past the end of the malloced destname string and corrupt whatever heap memory was there. This problem would be hit if a share name was given in smb.conf without a leading '/' and if it was the exact size of the allocated STRDUP memory which in some implementations of malloc is a power of 2. --- source3/smbd/service.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 48593446e2f..e8775ffd7b5 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -60,7 +60,8 @@ bool set_conn_connectpath(connection_struct *conn, const char *connectpath) return false; } - destname = SMB_STRDUP(connectpath); + /* Allocate for strlen + '\0' + possible leading '/' */ + destname = SMB_MALLOC(strlen(connectpath) + 2); if (!destname) { return false; } -- 2.11.4.GIT
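Review bot: the hunk swaps `SMB_STRDUP(connectpath)` for `SMB_MALLOC(strlen(connectpath) + 2)`, but unlike strdup, malloc returns an uninitialized buffer, and the copy of connectpath into destname that must now follow is outside the visible context. Please confirm that the code after `if (!destname) { return false; }` fills destname with a bounded copy, and that every write into it (the optional leading '/', the path bytes, and the terminating '\0') stays within those strlen + 2 bytes; computing the size once, e.g. `size_t destname_len = strlen(connectpath) + 2;`, and passing that same length to both the allocation and the copy would keep the two from drifting apart again. Since the commit message says the overflow only showed up when the string length landed exactly on the allocator's block size, a regression test with a share path that lacks the leading '/' and whose length hits such a boundary would make the fix verifiable rather than relying on allocator luck.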