From 588b74189958630b39cb393c47495d39dead83a1 Mon Sep 17 00:00:00 2001

From: Andrew Bartlett <abartlet@samba.org>

Date: Fri, 29 Nov 2019 20:58:47 +1300

Subject: [PATCH] CVE-2019-14907 lib/util: Do not print the failed to convert

 string into the logs

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

The string may be in another charset, or may be sensitive and

certainly may not be terminated.  It is not safe to just print.

Found by Robert Święcki using a fuzzer he wrote for smbd.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14208

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

---

 lib/util/charset/convert_string.c | 38 ++++++++++++++++---------------

 1 file changed, 20 insertions(+), 18 deletions(-)

diff --git a/lib/util/charset/convert_string.c b/lib/util/charset/convert_string.c

index d274e305a0c..b725b53cb5a 100644

--- a/lib/util/charset/convert_string.c

+++ b/lib/util/charset/convert_string.c

@@ -293,31 +293,31 @@ bool convert_string_handle(struct smb_iconv_handle *ic,

 		switch(errno) {

 			case EINVAL:

 				reason="Incomplete multibyte sequence";

-				DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n",

-					 reason, (const char *)src));

+				DBG_NOTICE("Conversion error: %s\n",

+					 reason);

 				break;

 			case E2BIG:

 			{

 				reason="No more room";

 				if (from == CH_UNIX) {

-					DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u - '%s' error: %s\n",

-						 charset_name(ic, from), charset_name(ic, to),

-						 (unsigned int)srclen, (unsigned int)destlen, (const char *)src, reason));

+					DBG_NOTICE("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",

+						   charset_name(ic, from), charset_name(ic, to),

+						   (unsigned int)srclen, (unsigned int)destlen, reason);

 				} else {

-					DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",

-						 charset_name(ic, from), charset_name(ic, to),

-						 (unsigned int)srclen, (unsigned int)destlen, reason));

+					DBG_NOTICE("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",

+						   charset_name(ic, from), charset_name(ic, to),

+						   (unsigned int)srclen, (unsigned int)destlen, reason);

 				}

 				break;

 			}

 			case EILSEQ:

 				reason="Illegal multibyte sequence";

-				DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n",

-					 reason, (const char *)src));

+				DBG_NOTICE("convert_string_internal: Conversion error: %s\n",

+					   reason);

 				break;

 			default:

-				DEBUG(0,("convert_string_internal: Conversion error: %s(%s)\n",

-					 reason, (const char *)src));

+				DBG_ERR("convert_string_internal: Conversion error: %s\n",

+					reason);

 				break;

 		}

 		/* smb_panic(reason); */

@@ -427,20 +427,22 @@ bool convert_string_talloc_handle(TALLOC_CTX *ctx, struct smb_iconv_handle *ic,

 		switch(errno) {

 			case EINVAL:

 				reason="Incomplete multibyte sequence";

-				DEBUG(3,("convert_string_talloc: Conversion error: %s(%s)\n",reason,inbuf));

+				DBG_NOTICE("Conversion error: %s\n",

+					   reason);

 				break;

 			case E2BIG:

 				reason = "output buffer is too small";

-				DBG_NOTICE("convert_string_talloc: "

-					   "Conversion error: %s(%s)\n",

-					   reason, inbuf);

+				DBG_NOTICE("Conversion error: %s\n",

+					   reason);

 				break;

 			case EILSEQ:

 				reason="Illegal multibyte sequence";

-				DEBUG(3,("convert_string_talloc: Conversion error: %s(%s)\n",reason,inbuf));

+				DBG_NOTICE("Conversion error: %s\n",

+					   reason);

 				break;

 			default:

-				DEBUG(0,("Conversion error: %s(%s)\n",reason,inbuf));

+				DBG_ERR("Conversion error: %s\n",

+					reason);

 				break;

 		}

 		/* smb_panic(reason); */

-- 

2.17.1