From d31b7e056d790115bb3a3a838a8435dad3be8118 Mon Sep 17 00:00:00 2001

From: Jeremy Allison <jra@samba.org>

Date: Sat, 7 Jun 2014 21:51:44 -0700

Subject: [PATCH] s3: smbd - fix processing of packets with invalid DOS charset

 conversions.

Bug 10654 - Segmentation fault in smbd_marshall_dir_entry()'s SMB_FIND_FILE_UNIX handler

https://bugzilla.samba.org/show_bug.cgi?id=10654

Signed-off-by: Jeremy Allison <jra@samba.org>

---

 source3/lib/charcnv.c   | 26 +++++++++++++++++---------

 source3/libsmb/clirap.c |  4 ++--

 source3/smbd/lanman.c   |  4 ++--

 3 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/source3/lib/charcnv.c b/source3/lib/charcnv.c

index 71d2c3a..2189812 100644

--- a/source3/lib/charcnv.c

+++ b/source3/lib/charcnv.c

@@ -46,9 +46,9 @@ void gfree_charcnv(void)

  **/

 size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)

 {

-	size_t src_len = strlen(src);

+	size_t src_len = 0;

 	char *tmpbuf = NULL;

-	size_t size;

+	size_t size = 0;

 	bool ret;

 	/* No longer allow a length of -1. */

@@ -62,24 +62,32 @@ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)

 			smb_panic("malloc fail");

 		}

 		if (!strupper_m(tmpbuf)) {

+			if ((flags & (STR_TERMINATE|STR_TERMINATE_ASCII)) &&

+					dest &&

+					dest_len > 0) {

+				*(char *)dest = 0;

+			}

 			SAFE_FREE(tmpbuf);

-			return (size_t)-1;

+			return 0;

 		}

 		src = tmpbuf;

 	}

+	src_len = strlen(src);

 	if (flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) {

 		src_len++;

 	}

 	ret = convert_string(CH_UNIX, CH_DOS, src, src_len, dest, dest_len, &size);

-	if (ret == false &&

-			(flags & (STR_TERMINATE | STR_TERMINATE_ASCII))

-			&& dest_len > 0) {

-		((char *)dest)[0] = '\0';

-	}

 	SAFE_FREE(tmpbuf);

-	return ret ? size : (size_t)-1;

+	if (ret == false) {

+		if ((flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) &&

+				dest_len > 0) {

+			((char *)dest)[0] = '\0';

+		}

+		return 0;

+	}

+	return size;

 }

 /********************************************************************

diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c

index 036919f..64e3767 100644

--- a/source3/libsmb/clirap.c

+++ b/source3/libsmb/clirap.c

@@ -327,7 +327,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,

 				sizeof(param) - PTR_DIFF(p,param) - 1,

 				STR_TERMINATE|STR_UPPER);

-		if (len == (size_t)-1) {

+		if (len == 0) {

 			SAFE_FREE(last_entry);

 			return false;

 		}

@@ -339,7 +339,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,

 					sizeof(param) - PTR_DIFF(p,param) - 1,

 					STR_TERMINATE);

-			if (len == (size_t)-1) {

+			if (len == 0) {

 				SAFE_FREE(last_entry);

 				return false;

 			}

diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c

index 63c2ad7..66ab8a2 100644

--- a/source3/smbd/lanman.c

+++ b/source3/smbd/lanman.c

@@ -128,7 +128,7 @@ static int CopyExpanded(connection_struct *conn,

 		return 0;

 	}

 	l = push_ascii(*dst,buf,*p_space_remaining, STR_TERMINATE);

-	if (l == -1) {

+	if (l == 0) {

 		return 0;

 	}

 	(*dst) += l;

@@ -143,7 +143,7 @@ static int CopyAndAdvance(char **dst, char *src, int *n)

 		return 0;

 	}

 	l = push_ascii(*dst,src,*n, STR_TERMINATE);

-	if (l == -1) {

+	if (l == 0) {

 		return 0;

 	}

 	(*dst) += l;

-- 

2.0.0.526.g5318336