From: Andreas Schneider Date: Mon, 24 Jun 2024 11:38:34 +0000 (+0200) Subject: s3:rpc_client: Check for array size instead of UINT16_MAX X-Git-Tag: tdb-1.4.11~275 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=dd896862d0a430daa2f0c38325b6ef56dabe174e;p=thirdparty%2Fsamba.git s3:rpc_client: Check for array size instead of UINT16_MAX mdscli_ctx->mdscmd_open.share_path is an array of size 1025. The boundary is 1025 and not UINT16_MAX. "Error: OVERRUN (CWE-119): samba-4.20.0rc2/source3/rpc_client/cli_mdssvc.c:127: cond_at_least: Checking ""share_path_len < 1UL"" implies that ""share_path_len"" is at least 1 on the false branch. samba-4.20.0rc2/source3/rpc_client/cli_mdssvc.c:127: cond_between: Checking ""share_path_len > 65535UL"" implies that ""share_path_len"" is between 1 and 65535 (inclusive) on the false branch. samba-4.20.0rc2/source3/rpc_client/cli_mdssvc.c:133: overrun-local: Overrunning array ""mdscli_ctx->mdscmd_open.share_path"" of 1025 bytes at byte offset 65534 using index ""share_path_len - 1UL"" (which evaluates to 65534). 131| mdscli_ctx->mdscmd_open.share_path_len = share_path_len; 132| 133|-> if (mdscli_ctx->mdscmd_open.share_path[share_path_len-1] == '/') { 134| mdscli_ctx->mdscmd_open.share_path[share_path_len-1] = '\0'; 135| mdscli_ctx->mdscmd_open.share_path_len--;" Signed-off-by: Andreas Schneider Reviewed-by: Noel Power --- diff --git a/source3/rpc_client/cli_mdssvc.c b/source3/rpc_client/cli_mdssvc.c index 93e032faa98..8678b4bbcb0 100644 --- a/source3/rpc_client/cli_mdssvc.c +++ b/source3/rpc_client/cli_mdssvc.c @@ -124,7 +124,9 @@ static void mdscli_connect_open_done(struct tevent_req *subreq) } share_path_len = strlen(mdscli_ctx->mdscmd_open.share_path); - if (share_path_len < 1 || share_path_len > UINT16_MAX) { + if (share_path_len < 1 || + share_path_len >= sizeof(mdscli_ctx->mdscmd_open.share_path)) + { tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); return; }
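Review bot: In the check that follows `share_path_len = strlen(mdscli_ctx->mdscmd_open.share_path);`, the new upper bound `share_path_len >= sizeof(mdscli_ctx->mdscmd_open.share_path)` is evaluated only after strlen() has already walked the array. If share_path is NUL-terminated within its 1025 bytes, strlen() returns at most 1024 and the condition can never be true. If it is not terminated, strlen() has already read past the end of the array before the comparison runs. Consider computing the length with strnlen(mdscli_ctx->mdscmd_open.share_path, sizeof(mdscli_ctx->mdscmd_open.share_path)), so that the length computation itself is bounded and the `>=` comparison actually catches the unterminated case. As written, the check mainly tells the analyzer the correct bound for the `share_path[share_path_len-1]` index quoted in the commit message. If that is the intent, a one-line comment saying so above the condition would help the next reader.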