From 25f302a47c3119d454531dc992183552b9a42b13 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Thu, 25 Jun 2015 15:42:04 +0200
Subject: [PATCH] vfs_fruit: check offset and length for AFP_AfpInfo read requests

fruit_pread doesn't check the offset and length parameters and instead always writes 60 bytes, the size of the AFP_AfpInfo blob, to the the passed buffer. If the passed in buffer is smaller, we overwrite something somewhere.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11363

Signed-off-by: Ralph Boehme
Reviewed-by: Volker Lendecke
---
 source3/modules/vfs_fruit.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index a4272f501a2..d05d7868d31 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -2621,6 +2621,17 @@ static ssize_t fruit_pread(vfs_handle_struct *handle,
 	}
 
 	if (ad->ad_type == ADOUBLE_META) {
+		char afpinfo_buf[AFP_INFO_SIZE];
+		size_t to_return;
+
+		if ((offset < 0) || (offset > AFP_INFO_SIZE)) {
+			len = 0;
+			rc = 0;
+			goto exit;
+		}
+
+		to_return = AFP_INFO_SIZE - offset;
+
 		ai = afpinfo_new(talloc_tos());
 		if (ai == NULL) {
 			rc = -1;
@@ -2636,11 +2647,14 @@ static ssize_t fruit_pread(vfs_handle_struct *handle,
 			memcpy(&ai->afpi_FinderInfo[0],
 			       ad_entry(ad, ADEID_FINDERI),
 			       ADEDLEN_FINDERI);
-			len = afpinfo_pack(ai, data);
+			len = afpinfo_pack(ai, afpinfo_buf);
 			if (len != AFP_INFO_SIZE) {
 				rc = -1;
 				goto exit;
 			}
+
+			memcpy(data, afpinfo_buf + offset, to_return);
+			len = to_return;
 		} else {
 			len = SMB_VFS_NEXT_PREAD(
 				handle, fsp, data, n,
-- 
2.34.1
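Review bot: The requested length `n` is never consulted, so `to_return = AFP_INFO_SIZE - offset;` still lets the later `memcpy(data, afpinfo_buf + offset, to_return)` write up to 60 bytes into a caller buffer that may only be `n` bytes long — the very overwrite the commit message describes, now merely bounded by the offset check instead of by the buffer size. The subject line promises an offset and length check, but only the offset is validated; `n` is visibly in scope since it is passed to SMB_VFS_NEXT_PREAD in the else branch. Clamp the copy to the smaller of the two sizes right after the subtraction, e.g. `to_return = AFP_INFO_SIZE - offset;` followed by `if (to_return > n) { to_return = n; }`, so a short read returns fewer bytes rather than overrunning `data`. The comparison is safe because the preceding `offset > AFP_INFO_SIZE` guard guarantees the subtraction does not go negative. fruit_pread begins and ends outside these hunks.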