vfs_fruit: check offset and length for AFP_AfpInfo read requests
authorRalph Boehme <slow@samba.org>
Thu, 25 Jun 2015 13:42:04 +0000 (15:42 +0200)
committerRalph Böhme <slow@samba.org>
Thu, 2 Jul 2015 20:45:10 +0000 (22:45 +0200)
fruit_pread doesn't check the offset and length parameters and instead
always writes 60 bytes, the size of the AFP_AfpInfo blob, to the
passed buffer. If the passed in buffer is smaller, we overwrite
something somewhere.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11363

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
source3/modules/vfs_fruit.c

index a4272f501a2d490ac67ccf671214a85bb737ce07..d05d7868d31257819fcd690f2f54a89f4154db8c 100644 (file)
@@ -2621,6 +2621,17 @@ static ssize_t fruit_pread(vfs_handle_struct *handle,
        }
 
        if (ad->ad_type == ADOUBLE_META) {
+               char afpinfo_buf[AFP_INFO_SIZE];
+               size_t to_return;
+
+               if ((offset < 0) || (offset > AFP_INFO_SIZE)) {
+                       len = 0;
+                       rc = 0;
+                       goto exit;
+               }
+
+               to_return = AFP_INFO_SIZE - offset;
+
                ai = afpinfo_new(talloc_tos());
                if (ai == NULL) {
                        rc = -1;
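Review bot: The new bound `to_return = AFP_INFO_SIZE - offset;` limits the copy by the blob size but never by the caller's request length `n` (the same `n` the else branch hands to SMB_VFS_NEXT_PREAD), so a read with offset 0 into a buffer shorter than AFP_INFO_SIZE still receives the full blob, which is exactly the overwrite the commit message describes. Clamp to the request as well: `to_return = MIN(n, AFP_INFO_SIZE - offset);` (assuming the MIN macro Samba uses elsewhere is in scope here; otherwise an explicit comparison). The subtraction is safe to clamp this way because the preceding range check already rejects negative offsets and offsets beyond AFP_INFO_SIZE, so `AFP_INFO_SIZE - offset` is in [0, AFP_INFO_SIZE]. A caller-visible note above the check would also help, e.g. `/* offset == AFP_INFO_SIZE is a legal zero-length read; anything past it returns 0 */`. fruit_pread's body begins before and continues after this hunk.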
@@ -2636,11 +2647,14 @@ static ssize_t fruit_pread(vfs_handle_struct *handle,
                memcpy(&ai->afpi_FinderInfo[0],
                       ad_entry(ad, ADEID_FINDERI),
                       ADEDLEN_FINDERI);
-               len = afpinfo_pack(ai, data);
+               len = afpinfo_pack(ai, afpinfo_buf);
                if (len != AFP_INFO_SIZE) {
                        rc = -1;
                        goto exit;
                }
+
+               memcpy(data, afpinfo_buf + offset, to_return);
+               len = to_return;
        } else {
                len = SMB_VFS_NEXT_PREAD(
                        handle, fsp, data, n,
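Review bot: The `len != AFP_INFO_SIZE` check after `afpinfo_pack(ai, afpinfo_buf)` now runs only after the pack has already written into the fixed AFP_INFO_SIZE-byte stack buffer, so it can detect a short pack but cannot prevent an overlong one; whether afpinfo_pack is bounded by its own layout or by a size argument is not visible in this hunk. If the packer has no length parameter, a comment stating the invariant it relies on would make that explicit, e.g. `/* afpinfo_pack() must never emit more than AFP_INFO_SIZE bytes; the check below only catches short packs */`. Separately, the `memcpy(data, afpinfo_buf + offset, to_return)` writes `to_return` bytes to `data` with no reference to the request length `n` that the else branch passes to SMB_VFS_NEXT_PREAD, so the destination bound depends entirely on how `to_return` was derived in the earlier hunk. fruit_pread continues past the end of this hunk.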