s3:rpc_client: Check for array size instead of UINT16_MAX

mdscli_ctx->mdscmd_open.share_path is an array of size 1025. The
boundary is 1025 and not UINT16_MAX.

"Error: OVERRUN (CWE-119):
samba-4.20.0rc2/source3/rpc_client/cli_mdssvc.c:127: cond_at_least: Checking ""share_path_len < 1UL"" implies that ""share_path_len"" is at least 1 on the false branch.
samba-4.20.0rc2/source3/rpc_client/cli_mdssvc.c:127: cond_between: Checking ""share_path_len > 65535UL"" implies that ""share_path_len"" is between 1 and 65535 (inclusive) on the false branch.
samba-4.20.0rc2/source3/rpc_client/cli_mdssvc.c:133: overrun-local: Overrunning array ""mdscli_ctx->mdscmd_open.share_path"" of 1025 bytes at byte offset 65534 using index ""share_path_len - 1UL"" (which evaluates to 65534).
  131|   	mdscli_ctx->mdscmd_open.share_path_len = share_path_len;
  132|
  133|-> 	if (mdscli_ctx->mdscmd_open.share_path[share_path_len-1] == '/') {
  134|   		mdscli_ctx->mdscmd_open.share_path[share_path_len-1] = '\0';
  135|   		mdscli_ctx->mdscmd_open.share_path_len--;"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

diff --git a/source3/rpc_client/cli_mdssvc.c b/source3/rpc_client/cli_mdssvc.c
index 93e032faa987bc3376366aa1a8c82bb3cf916c51..8678b4bbcb0e664ae0f9e96a92d4d6aa0e99800e 100644 (file)
--- a/source3/rpc_client/cli_mdssvc.c
+++ b/source3/rpc_client/cli_mdssvc.c
@@ -124,7 +124,9 @@ static void mdscli_connect_open_done(struct tevent_req *subreq)
        }
 
        share_path_len = strlen(mdscli_ctx->mdscmd_open.share_path);
-       if (share_path_len < 1 || share_path_len > UINT16_MAX) {
+       if (share_path_len < 1 ||
+           share_path_len >= sizeof(mdscli_ctx->mdscmd_open.share_path))
+       {
                tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
                return;
        }