authorJeremy Allison <jra@samba.org>2014-06-07 21:51:44 -0700
committerJeremy Allison <jra@samba.org>2014-06-25 03:47:54 +0200
commit457d79f2cb83f3f5c3f8d64ed99f9b1ea0185d3f (patch)
tree5d969bd091cda4ec9ba4037de2801445fc3f502a /source3/lib
parentd77a74237e660dd2ce9f1e14b02635f8a2569653 (diff)
s3: smbd - fix processing of packets with invalid DOS charset conversions.
CVE-2014-3493 Bug 10654 - Segmentation fault in smbd_marshall_dir_entry()'s SMB_FIND_FILE_UNIX handler https://bugzilla.samba.org/show_bug.cgi?id=10654 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Wed Jun 25 03:47:55 CEST 2014 on sn-devel-104
Diffstat (limited to 'source3/lib')
-rw-r--r--source3/lib/charcnv.c26
1 files changed, 17 insertions, 9 deletions
diff --git a/source3/lib/charcnv.c b/source3/lib/charcnv.c
index 71d2c3aba5..2189812e2a 100644
--- a/source3/lib/charcnv.c
+++ b/source3/lib/charcnv.c
@@ -46,9 +46,9 @@ void gfree_charcnv(void)
**/
size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
{
- size_t src_len = strlen(src);
+ size_t src_len = 0;
char *tmpbuf = NULL;
- size_t size;
+ size_t size = 0;
bool ret;
/* No longer allow a length of -1. */
@@ -62,24 +62,32 @@ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
smb_panic("malloc fail");
}
if (!strupper_m(tmpbuf)) {
+ if ((flags & (STR_TERMINATE|STR_TERMINATE_ASCII)) &&
+ dest &&
+ dest_len > 0) {
+ *(char *)dest = 0;
+ }
SAFE_FREE(tmpbuf);
- return (size_t)-1;
+ return 0;
}
src = tmpbuf;
}
+ src_len = strlen(src);
if (flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) {
src_len++;
}
ret = convert_string(CH_UNIX, CH_DOS, src, src_len, dest, dest_len, &size);
- if (ret == false &&
- (flags & (STR_TERMINATE | STR_TERMINATE_ASCII))
- && dest_len > 0) {
- ((char *)dest)[0] = '\0';
- }
SAFE_FREE(tmpbuf);
- return ret ? size : (size_t)-1;
+ if (ret == false) {
+ if ((flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) &&
+ dest_len > 0) {
+ ((char *)dest)[0] = '\0';
+ }
+ return 0;
+ }
+ return size;
}
/********************************************************************
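Review bot: The convert_string() failure branch near the end of the hunk, `if ((flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) && dest_len > 0)`, writes `((char *)dest)[0] = '\0'` without the `dest &&` guard that the strupper_m() failure branch a few lines above was given, so if a caller can pass a NULL dest with a non-zero dest_len (which that first guard implies is possible) this branch dereferences NULL; make the two guards identical: `if ((flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) && dest && dest_len > 0) {`. The function now returns 0 on failure, but 0 is also a legitimate success result when src is empty and no STR_TERMINATE flag is set, so callers cannot tell the two apart in that case; if that is acceptable it should be stated in the header comment that closes just above the first hunk, e.g. `Returns the number of bytes written to dest, or 0 on conversion failure; with STR_TERMINATE a successful return is always >= 1.` push_ascii() begins in the previous hunk, and any caller still comparing the result against (size_t)-1 is outside this diff and worth auditing.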