The code snippet would be too large for the article I'm afraid.
Essentially the problem was reading into a fixed-size buffer which was correctly length checked and sanitized so no possibility of overrun. This buffer was then (via a very convoluted code path) being passed to a function that was outputting a network packet with a shorter fixed buffer size. The incoming data was assumed to be safe - of course it wasn't (we need a C "taint" flag really).
We don't allow strcpy in Samba, it's a banned function.
Jeremy.
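The pattern described in the post above, as an added illustration in C. This is not Samba code and not code from the post: the buffer sizes (INPUT_MAX, PKT_NAME_MAX), the struct layouts and the function names are assumptions for the demonstration. Stage 1 checks correctly against its own buffer; the vulnerable stage 2 trusts that check while copying into a smaller packet field; the hardened stage 2 re-checks against the destination's own size at the point of the copy.

```c
/* Two-stage copy where the first stage's bounds check does not cover the
 * second stage's smaller buffer. Constructed example; sizes, structs and
 * names are assumptions, not Samba's. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INPUT_MAX    256   /* capacity of the ingestion buffer (assumed) */
#define PKT_NAME_MAX 64    /* capacity of the name field in the packet (assumed) */

struct input_record {
    char   name[INPUT_MAX];
    size_t len;            /* validated only against INPUT_MAX */
};

struct net_packet {
    uint8_t type;
    uint8_t name_len;
    char    name[PKT_NAME_MAX];
};

/* Stage 1: correct in isolation. Rejects anything that would not fit
 * its own buffer, leaving room for the terminator. */
int read_record(const char *src, size_t src_len, struct input_record *rec)
{
    if (src == NULL || rec == NULL || src_len >= INPUT_MAX)
        return -1;
    memcpy(rec->name, src, src_len);
    rec->name[src_len] = '\0';
    rec->len = src_len;
    return 0;
}

/* Stage 2, vulnerable: trusts the upstream check. rec->len may be up to
 * INPUT_MAX-1 = 255, but pkt->name holds only 64 bytes, so the memcpy
 * overruns the packet for any name longer than 64 bytes. Shown for
 * contrast only; nothing below calls it with an oversized record. */
void build_packet_unsafe(const struct input_record *rec, struct net_packet *pkt)
{
    pkt->type = 1;
    pkt->name_len = (uint8_t)rec->len;      /* would also silently truncate >255 */
    memcpy(pkt->name, rec->name, rec->len); /* overflow when rec->len > PKT_NAME_MAX */
}

/* Stage 2, hardened: every copy into a fixed buffer is checked against
 * that buffer's own size where the copy happens, whatever earlier stages
 * verified. Returns 0 on success, -1 if the name does not fit. */
int build_packet(const struct input_record *rec, struct net_packet *pkt)
{
    if (rec == NULL || pkt == NULL)
        return -1;
    if (rec->len > sizeof(pkt->name))       /* bound taken from the destination */
        return -1;
    memset(pkt, 0, sizeof(*pkt));
    pkt->type = 1;
    pkt->name_len = (uint8_t)rec->len;      /* safe: len <= 64 */
    memcpy(pkt->name, rec->name, rec->len);
    return 0;
}

/* Full path through both stages: 0 if a packet was built, -1 if either
 * stage rejected the input. */
int encode_name(const char *src, size_t src_len, struct net_packet *pkt)
{
    struct input_record rec;
    if (read_record(src, src_len, &rec) != 0)
        return -1;
    return build_packet(&rec, pkt);
}

int main(void)
{
    struct net_packet pkt;
    char long_name[200];
    memset(long_name, 'A', sizeof(long_name));

    /* Passes stage 1 (200 < 256) but must be rejected by stage 2 (200 > 64). */
    printf("200-byte name: %s\n",
           encode_name(long_name, sizeof(long_name), &pkt) == 0 ? "accepted" : "rejected");
    printf("5-byte name:   %s\n",
           encode_name("hello", 5, &pkt) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The point of the hardened version is that the check uses `sizeof(pkt->name)`, the size of the buffer being written, rather than any length the caller claims was already validated; a review rule of "each memcpy into a fixed buffer carries its own check against that buffer" catches this class of bug even when the producer and consumer are separated by a long call chain.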