Hello,

While browsing the samba sources a while ago I noticed problems in a few areas of the reply handling for file requests. I just took a look at the latest source code (samba-1.9.18p5) and found the same problems that I saw in the previous release.

A possible buffer overflow exists in many areas of the code.

smb.h:
    typedef char pstring[1024];

reply.c - reply_mv(char *inbuf,char *outbuf,int dum_size, int dum_buffsize):3066
    ...
    3200: pstring fname;
    ...
  * 3206: sprintf(fname,"%s/%s",directory,dname);
    ...

I have seen a lot of issues about strcpy() and how strncpy() should be used instead. Very few times have I seen anything about sprintf()/snprintf(), which has the same buffer overflow issues that people have with strcpy(). An easy fix for this is to simply change line 3206 to use snprintf(). In many other areas of reply.c are the same problems that are in reply_mv() (reply_unlink(), and a few others).

I would recommend that you kill samba until a patch is released, or patch it yourself if you know how to rewrite it correctly. Someone feel free to try this against a windows machine, I haven't had a chance to try it. The program I included can be used to test a mounted samba fs.

Later.
Drago

[Attachment: popsmb.c]
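The sprintf() into a fixed pstring described above, beside the bounded snprintf() replacement the post suggests, as an added example that is not Samba's code. The share path "/export/share", the function names and the 'F'-filled test name are assumptions for the demo; the extra point it shows is that snprintf() alone silently truncates, so the caller should also check its return value rather than operate on a shortened path.

```c
/* Added example, not Samba code: the unbounded sprintf() pattern from the
 * post beside a bounded replacement that also detects truncation. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef char pstring[1024];   /* as in smb.h */

/* The pattern the post quotes from reply_mv(): no bound on the write, so a
 * directory + dname longer than 1023 bytes runs past the end of fname. */
void join_path_unbounded(pstring fname, const char *directory, const char *dname)
{
    sprintf(fname, "%s/%s", directory, dname);
}

/* Bounded replacement. snprintf() never writes past sizeof(pstring), but it
 * returns the length the full string would have had, so a return value
 * >= sizeof(pstring) means the path was silently cut short. Treat that as
 * an error instead of operating on a different file than the client named. */
int join_path_bounded(pstring fname, const char *directory, const char *dname)
{
    int needed = snprintf(fname, sizeof(pstring), "%s/%s", directory, dname);
    if (needed < 0 || (size_t)needed >= sizeof(pstring)) {
        fname[0] = '\0';
        return -1;
    }
    return 0;
}

/* Demo helper (assumed share path): build a name of name_len 'F' bytes, like
 * the post's test program does, and report whether the bounded join accepts
 * it. Returns 0 when the path fits, -1 when it would have been truncated. */
int try_name_of_length(size_t name_len)
{
    pstring fname;
    char *dname = malloc(name_len + 1);
    int rc;
    if (dname == NULL) return -1;
    memset(dname, 'F', name_len);
    dname[name_len] = '\0';
    rc = join_path_bounded(fname, "/export/share", dname);
    free(dname);
    return rc;
}

int main(void)
{
    printf("2048-byte name: %s\n", try_name_of_length(2048) == 0 ? "accepted" : "rejected");
    printf("16-byte name:   %s\n", try_name_of_length(16) == 0 ? "accepted" : "rejected");
    return 0;
}
```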
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:52:53 PDT