From d0801c5cdb847339b881447087216628a7a4ebe4 Mon Sep 17 00:00:00 2001
From: ZjW1nd <zj_w1nd@qq.com>
Date: Mon, 18 Aug 2025 10:53:55 +0800
Subject: [PATCH 3/4] [Security]: fix off-by-one OOB write in compat strdup
Origin: upstream, https://github.com/sahlberg/libsmb2/commit/d0801c5cdb847339b881447087216628a7a4ebe4
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116446
Root cause: memcpy used len+1 while len already included the NUL terminator.
Trigger: calling compat strdup with any input string; over-copies by 1 byte.
Impact: 1-byte heap overflow -> potential heap corruption/crash (client-side).
Fix: copy exactly len bytes (which includes the NUL) after allocating len bytes
Backported by: Matheus Polkorny <mpolkorny@gmail.com>
Changes:
- Update hunks' offsets.
---
lib/compat.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/compat.c b/lib/compat.c
index b99606b..651d031 100644
--- a/lib/compat.c
+++ b/lib/compat.c
@@ -580,7 +580,8 @@ char *strdup(const char *s)
#endif /* !_IOP */
return NULL;
}
- memcpy(str, s, len + 1);
+ /* len already includes the NULL terminator */
+ memcpy(str, s, len);
return str;
}
#endif /* NEED_STRDUP */
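Review bot: the hunk only shortens the copy; the lines that compute `len` and size the allocation are outside the visible context, so `memcpy(str, s, len);` is correct only if `len` is already `strlen(s) + 1` and the buffer was allocated with exactly `len` bytes, as the commit message asserts. Please confirm both in the surrounding code of `strdup()` in lib/compat.c: if `len` were instead `strlen(s)`, this change would turn the 1-byte over-copy into a missing terminator. Minor: the added comment should say "NUL terminator" (the byte) rather than "NULL terminator" (the pointer), matching the wording used in the commit message.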
--
2.51.0
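To make the off-by-one in the header concrete, here is an added example (not code from libsmb2 or from this patch) that reconstructs the vulnerable and fixed copy shapes over a tiny static arena, so the byte just past the allocation can be inspected without undefined behaviour. It assumes, as the commit message states but the hunk does not show, that `len` is `strlen(s) + 1` and the buffer is allocated with `len` bytes; the arena allocator, the canary byte and the `"hello\0X"` source string are all constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed: a bump allocator over a static arena that leaves one
 * spare byte after every block, so an overrun of exactly one byte
 * lands in memory we own and can check. */
static unsigned char arena[256];
static size_t arena_used;

static void arena_reset(void)
{
    memset(arena, 0, sizeof arena);
    arena_used = 0;
}

static char *arena_alloc(size_t n)
{
    if (arena_used + n + 1 > sizeof arena)
        return NULL;
    char *p = (char *)arena + arena_used;
    arena_used += n + 1;            /* block plus one canary byte */
    return p;
}

#define CANARY 0xA5

/* Reconstructed pre-patch shape (assumption: len counts the NUL and the
 * allocation is len bytes). The copy length is len + 1, so one byte
 * beyond the source NUL is read and written one byte past the block. */
static char *strdup_vulnerable(const char *s)
{
    size_t len = strlen(s) + 1;
    char *str = arena_alloc(len);
    if (!str)
        return NULL;
    ((unsigned char *)str)[len] = CANARY;   /* byte just past the block */
    memcpy(str, s, len + 1);                /* off by one */
    return str;
}

/* Post-patch shape: copy exactly len bytes, i.e. the text plus its NUL. */
static char *strdup_fixed(const char *s)
{
    size_t len = strlen(s) + 1;
    char *str = arena_alloc(len);
    if (!str)
        return NULL;
    ((unsigned char *)str)[len] = CANARY;
    memcpy(str, s, len);
    return str;
}

/* 1 if the canary after the copied string was overwritten, else 0. */
static int canary_clobbered(const char *str)
{
    size_t len = strlen(str) + 1;
    return ((const unsigned char *)str)[len] != CANARY;
}

/* Runs one strdup variant on a constructed source that has a readable
 * byte ('X') after its NUL, so the vulnerable over-read stays in bounds.
 * Returns 1 on overrun, 0 when clean, -1 if the copy itself is wrong. */
static int overrun_detected(char *(*dup)(const char *))
{
    static const char src[] = "hello\0X";   /* 8 bytes incl. trailing NUL */
    arena_reset();
    char *copy = dup(src);
    if (!copy || strcmp(copy, "hello") != 0)
        return -1;
    return canary_clobbered(copy);
}

int vulnerable_overruns(void) { return overrun_detected(strdup_vulnerable); }
int fixed_overruns(void)      { return overrun_detected(strdup_fixed); }

int main(void)
{
    printf("vulnerable strdup clobbers byte after block: %d\n", vulnerable_overruns());
    printf("fixed strdup clobbers byte after block:      %d\n", fixed_overruns());
    return 0;
}
```

On a real heap the byte after the block is allocator metadata or the start of the neighbouring chunk, which is why a single extra byte of the source string (the 'X' here) is enough to corrupt heap state; the arena only makes that byte observable.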