libsmb: Ensure smbc_urlencode() can't overwrite passed in buffer.
authorJeremy Allison <jra@samba.org>
Fri, 15 Jun 2018 22:07:17 +0000 (15:07 -0700)
committerKarolin Seeger <kseeger@samba.org>
Tue, 14 Aug 2018 11:57:16 +0000 (13:57 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453

CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
source3/libsmb/libsmb_path.c

index 01b0a61e483f2f403175c7e99317543a5233d3d4..ed70ab37550c3abf36e00df5cb354271451f1043 100644 (file)
@@ -173,8 +173,13 @@ smbc_urlencode(char *dest,
                 }
         }
 
-        *dest++ = '\0';
-        max_dest_len--;
+       if (max_dest_len == 0) {
+               /* Ensure we return -1 if no null termination. */
+               return -1;
+       }
+
+       *dest++ = '\0';
+       max_dest_len--;
 
         return max_dest_len;
 }
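Review bot: The new guard `if (max_dest_len == 0)` returns -1 without writing a terminator, so on that path dest holds bytes that are not a valid C string, and nothing in the hunk documents this for callers. The function's header comment, which is outside the hunk, should say so, e.g. `/* Returns -1 if dest had no room for the terminating NUL; dest is then unterminated and must not be used as a string. */`. If max_dest_len is a signed type (its declaration is cut off in the hunk header), `if (max_dest_len <= 0) {` would also reject a negative length passed by a caller instead of falling through to the write. Call sites are not visible here; they should treat a negative return as failure rather than as a remaining length.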