samba - Jul 2004 - String overflow in safe_strcpy .

Just Installed 3.0.5rc1 and the problem persists unfortunately,

heres a sample of my log :

wins[15212]: [2004/07/12 12:31:03, 0] lib/util_str.c:safe_strcpy_fn(600)
Jul 12 12:31:03 mandrake1 nss_wins[15212]:   ERROR: string overflow by 1 
(9 - 8) in safe_strcpy [TAENO~EI.PDF]
Jul 12 12:31:03 mandrake1 nss_wins[15212]: [2004/07/12 12:31:03, 0] 
lib/util_str.c:safe_strcpy_fn(600)
Jul 12 12:31:03 mandrake1 nss_wins[15212]:   ERROR: string overflow by 1 
(16 - 15) in safe_strcpy [taeno_checklist.pdf]
Jul 12 12:31:03 mandrake1 nss_wins[15212]: [2004/07/12 12:31:03, 0] 
lib/util_str.c:safe_strcpy_fn(600)
Jul 12 12:31:03 mandrake1 nss_wins[15212]:   ERROR: string overflow by 1 
(9 - 8) in safe_strcpy [TAENO~M9.PDF]
Jul 12 12:31:03 mandrake1 nss_wins[15212]: [2004/07/12 12:31:03, 0] 
lib/util_str.c:safe_strcpy_fn(600)
Jul 12 12:31:03 mandrake1 nss_wins[15212]:   ERROR: string overflow by 1 
(16 - 15) in safe_strcpy [taeno_effective.pdf]
Jul 12 12:31:03 mandrake1 nss_wins[15212]: [2004/07/12 12:31:03, 0] 
lib/util_str.c:safe_strcpy_fn(600)
Jul 12 12:31:03 mandrake1 nss_wins[15212]:   ERROR: string overflow by 1 
(9 - 8) in safe_strcpy [TAENO~K1.PDF]
Jul 12 12:31:03 mandrake1 nss_wins[15212]: [2004/07/12 12:31:03, 0] 
lib/util_str.c:safe_strcpy_fn(600)
Jul 12 12:31:03 mandrake1 nss_wins[15212]:   ERROR: string overflow by 1 
(16 - 15) in safe_strcpy [taeno_structure.pdf]
Jul 12 12:31:09 mandrake1 nss_wins[15215]: [2004/07/12 12:31:09, 0] 
lib/util_str.c:safe_strcpy_fn(600)
Jul 12 12:31:09 mandrake1 nss_wins[15215]:   ERROR: string overflow by 1 
(9 - 8) in safe_strcpy [INITC~FJ.BAK]
Jul 12 12:31:09 mandrake1 nss_wins[15215]: [2004/07/12 12:31:09, 0] 
lib/util_str.c:safe_strcpy_fn(600)
Jul 12 12:31:09 mandrake1 nss_wins[15215]:   ERROR: string overflow by 1 
(7 - 6) in safe_strcpy [INIT.C.bak]

i also get these errors ocasionaly

wins[15421]: [2004/07/12 12:37:19, 0] 
smbd/service.c:make_connection_snum(535)
Jul 12 12:37:19 mandrake1 nss_wins[15421]:   Can't become connected user!


my .conf remains the same as before.

If you need anything else just let me know.

see the thread ( String overflow in safe_strcpy ) for history

Cheers,
Carl Matthews


Jeremy Allison wrote:

 > On Tue, Jun 29, 2004 at 09:13:05AM +0100, Carl Matthews wrote:
 >
 >> Also i've just noticed the errors never occur for directorys but 
only for files longer than the 8.3. Which again suggests an error in the 
hash mangling method.
 >
 >
 >
 > Here's the fix. Incorrect use of safe_strcpy (memcpy should be used 
instead).
 >
 > Jeremy.
 >
 >
 > ------------------------------------------------------------------------
 >
 > Index: smbd/mangle_hash.c
 > ================================================================== >
--- smbd/mangle_hash.c    (revision 1298)
 > +++ smbd/mangle_hash.c    (working copy)
 > @@ -546,8 +546,10 @@
 >      /* Fill the new cache entry, and add it to the cache. */
 >      s1 = (char *)(new_entry + 1);
 >      s2 = (char *)&(s1[mangled_len + 1]);
 > -    safe_strcpy( s1, mangled_name, mangled_len );
 > -    safe_strcpy( s2, raw_name,     raw_len );
 > +    memcpy( s1, mangled_name, mangled_len );
 > +    s1[mangled_len] = '\0';
 > +    memcpy( s2, raw_name, raw_len );
 > +    s2[raw_len] = '\0';
 >      ubi_cachePut( mangled_cache, i, new_entry, s1 );
 >  }
 >
 >

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Hi,

I've built Samva 3.0.4 on Solaris 8 (after removing '/usr/ucb' from
the path); 'nmbd' seems to work, but 'smbd' fails with:

[2004/07/09 17:42:01, 2] lib/dmallocmsg.c:(71)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2004/07/09 17:42:02, 2] smbd/tdbutil.c:(42)
  tdb(/usr/local/samba/var/locks/sessionid.tdb): tdb_mmap failed for size 696
(Resource temporarily unavailable)
[2004/07/09 17:42:02, 2] smbd/tdbutil.c:(42)
  tdb(/usr/local/samba/var/locks/connections.tdb): tdb_mmap failed for size 696
(Resource temporarily unavailable)
[2004/07/09 17:42:02, 2] smbd/tdbutil.c:(42)
  tdb(/usr/local/samba/var/locks/brlock.tdb): tdb_mmap failed for size 696
(Resource temporarily unavailable)
[2004/07/09 17:42:02, 2] smbd/tdbutil.c:(42)
  tdb(/usr/local/samba/var/locks/locking.tdb): tdb_mmap failed for size 696
(Resource temporarily unavailable)
  ...
[2004/07/09 17:42:02, 2] smbd/tdbutil.c:(42)
  tdb(/usr/local/samba/var/locks/printing/printers.tdb): tdb_mmap failed for
size 49152 (Resource temporarily unavailable)
[2004/07/09 17:42:13, 2] smbd/tdbutil.c:(42)
  tdb(/usr/local/samba/var/locks/printing/printers.tdb): tdb_mmap failed for
size 57344 (Resource temporarily unavailable)
[2004/07/09 17:42:13, 0] lib/util.c:(1398)
  PANIC: i/o error on tdb.
  
Files in question are NFS mounted (with 'root' access) if that matters,
as I am trying this out on a test machine, not our real SMB system
which is still running Solaris NetLink (on a different domain name).

Any help appreciated!

Mike.
--
Mike Peterson -- Network Security Specialist -- U/Toronto Network Operations
E-mail: mikep@noc.utoronto.ca               WWW: http://www.noc.utoronto.ca/
Tel: 416-978-5230                                          Fax: 416-971-1362

On Wed, Jul 14, 2004 at 11:03:26PM +0100, Carl wrote:
> Just Installed 3.0.5rc1 and the problem persists unfortunately,
Ok, can you give me the smb.conf file and the directory and
filenames you're using. I'll see if I can reproduce with the
latest SVN code.

Thanks,

	Jeremy.

On Tue, Jul 20, 2004 at 09:51:25PM +0200, Thomas Bork
wrote:
> Herb Lewis schrieb:
> 
> >you can change "mangle prefix" to specify the number of
characters you
> >want to stay the same. Just remember the more letters that remain the
> >same the more likely you will get a collision and slow things down.
> 
> http://de.samba.org/samba/docs/man/smb.conf.5.html
> 
> mangling method (G)
> controls the algorithm used for the generating the mangled names. Can 
> take two different values, "hash" and "hash2".
"hash" is the default and
>                                                ^^^^^^^^^^^^^^^^^^^^
> is the algorithm that has been used in Samba for many years.
"hash2" is
> a newer and considered a better algorithm (generates less collisions) in 
> the names. However, many Win32 applications store the mangled names and 
> so changing to the new algorithm must not be done lightly as these 
> applications may break unless reinstalled.
> 
> Default: mangling method = hash2
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Example: mangling method = hash
> 
> 
> But:
> "hash" is not the default (this was in 2.2.x)
Fixed in the SVN docs - thanks a *lot* !

Jeremy.

Hi Jeremy,

Ive been checking the svn for mangling fixes but didnt see any should i 
just add it to bugzilla so it theres a record of it?

Cheers
Carl.

> On Tue, Jul 20, 2004 at 09:51:25PM +0200, Thomas Bork wrote:
> 
>>Herb Lewis schrieb:
>>
>>
>>>you can change "mangle prefix" to specify the number of
characters you
>>>want to stay the same. Just remember the more letters that remain
the
>>>same the more likely you will get a collision and slow things down.
>>
>>http://de.samba.org/samba/docs/man/smb.conf.5.html
>>
>>mangling method (G)
>>controls the algorithm used for the generating the mangled names. Can 
>>take two different values, "hash" and "hash2".
"hash" is the default and
>>                                               ^^^^^^^^^^^^^^^^^^^^
>>is the algorithm that has been used in Samba for many years.
"hash2" is
>>a newer and considered a better algorithm (generates less collisions) in
>>the names. However, many Win32 applications store the mangled names and 
>>so changing to the new algorithm must not be done lightly as these 
>>applications may break unless reinstalled.
>>
>>Default: mangling method = hash2
>>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>Example: mangling method = hash
>>
>>
>>But:
>>"hash" is not the default (this was in 2.2.x)
> 
> 
> Fixed in the SVN docs - thanks a *lot* !
> 
> Jeremy.