git: 3fb51f85c5f3 - main - net/samba416: Patch to prevent abnormal smbd abort
Date: Sun, 11 Feb 2024 04:23:53 UTC
The branch main has been updated by jrm:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3fb51f85c5f397a427eca02936c935cba048a06e

commit 3fb51f85c5f397a427eca02936c935cba048a06e
Author:     Joseph Mingrone <jrm@FreeBSD.org>
AuthorDate: 2023-12-24 14:41:30 +0000
Commit:     Joseph Mingrone <jrm@FreeBSD.org>
CommitDate: 2024-02-11 04:20:00 +0000

    net/samba416: Patch to prevent abnormal smbd abort

    Update a call to memcpy() because readdir() only guarantees memory up to
    result+result->d_reclen is readable. Under certain conditions,
    result+sizeof(struct dirent) landed in unmapped memory.

    Most of the legwork to pinpoint the problem, as well as a solution
    similar to the one applied here, was submitted by uratan@miomio.jp.
    Martin Simmons <martin@lispworks.com> contributed to understanding the
    problem and wrote a useful test case.

    PR: 275597
    Approved by: maintainer timeout
    Sponsored by: The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D43171

--- net/samba416/Makefile | 2 +- net/samba416/files/patch-source3_modules_vfs__cap.c | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/net/samba416/Makefile b/net/samba416/Makefile index 79b06f99eeb1..65536326cbdb 100644 --- a/net/samba416/Makefile +++ b/net/samba416/Makefile @@ -1,6 +1,6 @@ PORTNAME= ${SAMBA4_BASENAME}416 PORTVERSION= ${SAMBA4_VERSION} -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES?= net MASTER_SITES= SAMBA/samba/stable SAMBA/samba/rc DISTNAME= ${SAMBA4_DISTNAME} diff --git a/net/samba416/files/patch-source3_modules_vfs__cap.c b/net/samba416/files/patch-source3_modules_vfs__cap.c new file mode 100644 index 000000000000..8e40492bf70d --- /dev/null +++ b/net/samba416/files/patch-source3_modules_vfs__cap.c 
@@ -0,0 +1,14 @@ +--- source3/modules/vfs_cap.c.orig 2022-01-24 10:26:59 UTC ++++ source3/modules/vfs_cap.c +@@ -112,7 +112,10 @@ static struct dirent *cap_readdir(vfs_handle_struct *h + return NULL; + } + talloc_set_name_const(newdirent, "struct dirent"); +- memcpy(newdirent, result, sizeof(struct dirent)); ++ /* See FreeBSD bug #275597 for an explanation of this patch. */ ++ /* memcpy(newdirent, result, sizeof(struct dirent)); */ ++ memcpy(newdirent, result, result->d_reclen); ++ /*******************************************************************/ + memcpy(&newdirent->d_name, newname, newnamelen); + return newdirent; + }
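
Review bot: In the cap_readdir() hunk of patch-source3_modules_vfs__cap.c, the new memcpy(newdirent, result, result->d_reclen) bounds the read by the source record, but nothing visible in the hunk bounds the write by the size of newdirent. The allocation sits above the context shown, so confirm it is always at least result->d_reclen bytes, or clamp the length to the smaller of result->d_reclen and sizeof(struct dirent). Two smaller points on the same lines: the copied d_reclen still describes the original record after the following memcpy(&newdirent->d_name, newname, newnamelen) replaces the name, so a short comment on whether callers may rely on it would help; and the commented-out old memcpy plus the asterisk banner add noise to the patch file, since the removed line is already recorded by the diff and the reference to bug #275597 is enough on its own.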