author | Jeremy Allison <jra@samba.org> | 2022-06-08 13:50:51 -0700 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-07-24 11:42:07 +0200 |
commit | 7720e0acfd7ea6a2339f3e389aa8dcedd6174095 (patch) | |
tree | decb2a66d17bcbc89d010874654b72e12f039587 | |
parent | f6e1750c4fc966c29c2e0663d3c04e87057fa0c3 (diff) | |
CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.
Fixes the raw.write.bad-write test.
NB. We need the two (==0) changes in source3/smbd/reply.c
as the gcc optimizer now knows that the return from
smbreq_bufrem() can never be less than zero.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085
Remove knownfail.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
-rw-r--r-- | selftest/knownfail.d/bad-write | 2 | ||||
-rw-r--r-- | source3/include/smb_macros.h | 2 | ||||
-rw-r--r-- | source3/smbd/reply.c | 4 |
3 files changed, 3 insertions, 5 deletions
diff --git a/selftest/knownfail.d/bad-write b/selftest/knownfail.d/bad-write deleted file mode 100644 index 5fc16606a13..00000000000 --- a/selftest/knownfail.d/bad-write +++ /dev/null @@ -1,2 +0,0 @@ -^samba3.raw.write.bad-write\(nt4_dc_smb1\) -^samba3.raw.write.bad-write\(ad_dc_smb1\) diff --git a/source3/include/smb_macros.h b/source3/include/smb_macros.h index def122727f0..de1322a503b 100644 --- a/source3/include/smb_macros.h +++ b/source3/include/smb_macros.h @@ -152,7 +152,7 @@ /* the remaining number of bytes in smb buffer 'buf' from pointer 'p'. */ #define smb_bufrem(buf, p) (smb_buflen(buf)-PTR_DIFF(p, smb_buf(buf))) -#define smbreq_bufrem(req, p) (req->buflen - PTR_DIFF(p, req->buf)) +#define smbreq_bufrem(req, p) ((req)->buflen < PTR_DIFF((p), (req)->buf) ? 0 : (req)->buflen - PTR_DIFF((p), (req)->buf)) /* Note that chain_size must be available as an extern int to this macro. */ diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index f33326564f7..b5abe588910 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -342,7 +342,7 @@ size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req, { ssize_t bufrem = smbreq_bufrem(req, src); - if (bufrem < 0) { + if (bufrem == 0) { *err = NT_STATUS_INVALID_PARAMETER; return 0; } @@ -380,7 +380,7 @@ size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req, { ssize_t bufrem = smbreq_bufrem(req, src); - if (bufrem < 0) { + if (bufrem == 0) { return 0; } |
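Review bot: In the source3/include/smb_macros.h hunk, the context line directly above the change leaves smb_bufrem(buf, p) as the raw subtraction smb_buflen(buf)-PTR_DIFF(p, smb_buf(buf)), so it still produces a remainder that is not bounded by the buffer when p lies past the end. Either give it the same clamp or add a comment saying why its callers cannot pass such a pointer. The new smbreq_bufrem() also expands req and p three times each; a static inline function would evaluate each argument once and give one place to document that the result is clamped to 0.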
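Review bot: In the first source3/smbd/reply.c hunk (srvstr_get_path_req), the test `if (bufrem == 0)` now rejects two different cases with NT_STATUS_INVALID_PARAMETER: src past the end of the request buffer (clamped to 0 by the macro) and src exactly at the end of the buffer, which the old `bufrem < 0` test let through. If rejecting the exact-end case is intended, a one-line comment above the check saying that 0 means "no bytes left, including the clamped out-of-range case" would stop a later reader from treating it as a typo for `< 0`.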
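Review bot: In the second source3/smbd/reply.c hunk (srvstr_pull_req_talloc), bufrem is still declared `ssize_t bufrem = smbreq_bufrem(req, src);` although the commit message states the macro can no longer return a value below zero. Declaring it as an unsigned size type here and in srvstr_get_path_req would make the `== 0` check self-explanatory and keep the compiler from silently accepting a future `< 0` comparison that can never be true.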