From 3916710b9414d679774399e6d0cff61e4b67a2e3 Mon Sep 17 00:00:00 2001 From: Steven Danneman Date: Sat, 30 Jan 2010 13:29:23 -0800 Subject: [PATCH] s3/smbd: Fix string buffer overflow causing heap corruption The destname malloc size was not taking into account the 1 extra byte needed if a string without a leading '/' was passed in and that slash was added. This would cause the '\0' byte to be written past the end of the malloced destname string and corrupt whatever heap memory was there. This problem would be hit if a share name was given in smb.conf without a leading '/' and if it was the exact size of the allocated STRDUP memory which in some implementations of malloc is a power of 2. (cherry picked from commit f42971c520360e69c4cdd64bebb02a5f5ba49b94) Fix bug #7096. (cherry picked from commit db5ccb70b6ac51ea263889cc9cdd523673ae8ecd) --- source3/smbd/service.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 902a7c40325..1bbe0c863f3 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -60,7 +60,8 @@ bool set_conn_connectpath(connection_struct *conn, const char *connectpath) return false; } - destname = SMB_STRDUP(connectpath); + /* Allocate for strlen + '\0' + possible leading '/' */ + destname = SMB_MALLOC(strlen(connectpath) + 2); if (!destname) { return false; } -- 2.11.4.GIT