lib/replace - add extra check to bsd_attr_list

The FreeBSD extattr API may return success and truncated
namelist. We need to check for this in bsd_attr_list to
ensure that we don't accidentally read off the end of the
buffer. In the case of a truncated value, the pascal
strings for attr names will reflect the lengths as if
the value were not truncated. For example:
`58DosStrea`

In case of short read we now set error to ERANGE and
fail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15271

Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jan  2 14:27:23 UTC 2023 on sn-devel-184

(cherry picked from commit 01cdc5e00be78a51f0766634cc7fe50de2088203)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Mon Jan 23 10:59:28 UTC 2023 on sn-devel-184

1 files changed, 12 insertions, 0 deletions

diff --git a/lib/replace/xattr.c b/lib/replace/xattr.c
index 01215f1a9f3..8b93e675403 100644
--- a/lib/replace/xattr.c
+++ b/lib/replace/xattr.c
@@ -266,6 +266,18 @@ static ssize_t bsd_attr_list (int type, extattr_arg arg, char *list, size_t size
 
 		for(i = 0; i < list_size; i += len + 1) {
 			len = buf[i];
+
+			/*
+			 * If for some reason we receive a truncated
+			 * return from call to list xattrs the pascal
+			 * string lengths will not be changed and
+			 * therefore we must check that we're not
+			 * reading garbage data or off end of array
+			 */
+			if (len + i >= list_size) {
+				errno = ERANGE;
+				return -1;
+			}
 			strncpy(list, extattr[t].name, extattr[t].len + 1);
 			list += extattr[t].len;
 			strncpy(list, buf + i + 1, len);