svn commit: samba r20363 - in branches: SAMBA_3_0/source/smbd
SAMBA_3_0_24/source/smbd
jra at samba.org
jra at samba.org
Wed Dec 27 20:45:14 GMT 2006
Author: jra
Date: 2006-12-27 20:45:12 +0000 (Wed, 27 Dec 2006)
New Revision: 20363
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=20363
Log:
Fix any possible valgrind errors in srvstr_get_XX or srvstr_pull_XX
by ensuring we pass in a valid src_len (or zero when appropriate).
Volker is correct in that this is a *horrible* interface and he is
now free to generally clean it up everywhere :-). Go for it Volker !
Jeremy.
Modified:
branches/SAMBA_3_0/source/smbd/nttrans.c
branches/SAMBA_3_0/source/smbd/trans2.c
branches/SAMBA_3_0_24/source/smbd/nttrans.c
branches/SAMBA_3_0_24/source/smbd/trans2.c
Changeset:
Modified: branches/SAMBA_3_0/source/smbd/nttrans.c
===================================================================
--- branches/SAMBA_3_0/source/smbd/nttrans.c 2006-12-27 18:51:09 UTC (rev 20362)
+++ branches/SAMBA_3_0/source/smbd/nttrans.c 2006-12-27 20:45:12 UTC (rev 20363)
@@ -1865,14 +1865,14 @@
BOOL path_contains_wcard = False;
NTSTATUS status;
- if(parameter_count < 4) {
+ if(parameter_count < 5) {
return ERROR_DOS(ERRDOS,ERRbadfunc);
}
fsp = file_fsp(params, 0);
replace_if_exists = (SVAL(params,2) & RENAME_REPLACE_IF_EXISTS) ? True : False;
CHECK_FSP(fsp, conn);
- srvstr_get_path_wcard(inbuf, new_name, params+4, sizeof(new_name), -1, STR_TERMINATE, &status, &path_contains_wcard);
+ srvstr_get_path_wcard(inbuf, new_name, params+4, sizeof(new_name), parameter_count - 4, STR_TERMINATE, &status, &path_contains_wcard);
if (!NT_STATUS_IS_OK(status)) {
return ERROR_NT(status);
}
Modified: branches/SAMBA_3_0/source/smbd/trans2.c
===================================================================
--- branches/SAMBA_3_0/source/smbd/trans2.c 2006-12-27 18:51:09 UTC (rev 20362)
+++ branches/SAMBA_3_0/source/smbd/trans2.c 2006-12-27 20:45:12 UTC (rev 20363)
@@ -790,7 +790,7 @@
return(ERROR_DOS(ERRSRV,ERRaccess));
}
- srvstr_get_path(inbuf, fname, pname, sizeof(fname), -1, STR_TERMINATE, &status);
+ srvstr_get_path(inbuf, fname, pname, sizeof(fname), total_params - 28, STR_TERMINATE, &status);
if (!NT_STATUS_IS_OK(status)) {
return ERROR_NT(status);
}
@@ -1665,7 +1665,7 @@
struct ea_list *ea_list = NULL;
NTSTATUS ntstatus = NT_STATUS_OK;
- if (total_params < 12) {
+ if (total_params < 13) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
@@ -1709,7 +1709,7 @@
return ERROR_NT(NT_STATUS_INVALID_LEVEL);
}
- srvstr_get_path_wcard(inbuf, directory, params+12, sizeof(directory), -1, STR_TERMINATE, &ntstatus, &mask_contains_wcard);
+ srvstr_get_path_wcard(inbuf, directory, params+12, sizeof(directory), total_params - 12, STR_TERMINATE, &ntstatus, &mask_contains_wcard);
if (!NT_STATUS_IS_OK(ntstatus)) {
return ERROR_NT(ntstatus);
}
@@ -1941,7 +1941,7 @@
struct ea_list *ea_list = NULL;
NTSTATUS ntstatus = NT_STATUS_OK;
- if (total_params < 12) {
+ if (total_params < 13) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
@@ -1957,7 +1957,7 @@
*mask = *directory = *resume_name = 0;
- srvstr_get_path_wcard(inbuf, resume_name, params+12, sizeof(resume_name), -1, STR_TERMINATE, &ntstatus, &mask_contains_wcard);
+ srvstr_get_path_wcard(inbuf, resume_name, params+12, sizeof(resume_name), total_params - 12, STR_TERMINATE, &ntstatus, &mask_contains_wcard);
if (!NT_STATUS_IS_OK(ntstatus)) {
/* Win9x or OS/2 can send a resume name of ".." or ".". This will cause the parser to
complain (it thinks we're asking for the directory above the shared
@@ -2933,7 +2933,7 @@
NTSTATUS status = NT_STATUS_OK;
/* qpathinfo */
- if (total_params < 6) {
+ if (total_params < 7) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
@@ -2941,7 +2941,7 @@
DEBUG(3,("call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = %d\n", info_level));
- srvstr_get_path(inbuf, fname, ¶ms[6], sizeof(fname), -1, STR_TERMINATE, &status);
+ srvstr_get_path(inbuf, fname, ¶ms[6], sizeof(fname), total_params - 6, STR_TERMINATE, &status);
if (!NT_STATUS_IS_OK(status)) {
return ERROR_NT(status);
}
@@ -3843,12 +3843,12 @@
}
} else {
/* set path info */
- if (total_params < 6) {
+ if (total_params < 7) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
info_level = SVAL(params,0);
- srvstr_get_path(inbuf, fname, ¶ms[6], sizeof(fname), -1, STR_TERMINATE, &status);
+ srvstr_get_path(inbuf, fname, ¶ms[6], sizeof(fname), total_params - 6, STR_TERMINATE, &status);
if (!NT_STATUS_IS_OK(status)) {
return ERROR_NT(status);
}
@@ -4377,10 +4377,14 @@
/* Set a symbolic link. */
/* Don't allow this if follow links is false. */
+ if (total_data == 0) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
if (!lp_symlinks(SNUM(conn)))
return(ERROR_DOS(ERRDOS,ERRnoaccess));
- srvstr_pull(inbuf, link_target, pdata, sizeof(link_target), -1, STR_TERMINATE);
+ srvstr_pull(inbuf, link_target, pdata, sizeof(link_target), total_data, STR_TERMINATE);
/* !widelinks forces the target path to be within the share. */
/* This means we can interpret the target as a pathname. */
@@ -4423,7 +4427,11 @@
char *newname = fname;
/* Set a hard link. */
- srvstr_get_path(inbuf, oldname, pdata, sizeof(oldname), -1, STR_TERMINATE, &status);
+ if (total_data == 0) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ srvstr_get_path(inbuf, oldname, pdata, sizeof(oldname), total_data, STR_TERMINATE, &status);
if (!NT_STATUS_IS_OK(status)) {
return ERROR_NT(status);
}
@@ -4450,13 +4458,18 @@
pstring base_name;
char *p;
- if (total_data < 12) {
+ if (total_data < 13) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
overwrite = (CVAL(pdata,0) ? True : False);
/* root_fid = IVAL(pdata,4); */
len = IVAL(pdata,8);
+
+ if (len > (total_data - 12) || (len == 0)) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
srvstr_get_path(inbuf, newname, &pdata[12], sizeof(newname), len, 0, &status);
if (!NT_STATUS_IS_OK(status)) {
return ERROR_NT(status);
@@ -4799,11 +4812,11 @@
if (!CAN_WRITE(conn))
return ERROR_DOS(ERRSRV,ERRaccess);
- if (total_params < 4) {
+ if (total_params < 5) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
- srvstr_get_path(inbuf, directory, ¶ms[4], sizeof(directory), -1, STR_TERMINATE, &status);
+ srvstr_get_path(inbuf, directory, ¶ms[4], sizeof(directory), total_params - 4, STR_TERMINATE, &status);
if (!NT_STATUS_IS_OK(status)) {
return ERROR_NT(status);
}
@@ -4976,7 +4989,7 @@
DEBUG(10,("call_trans2getdfsreferral\n"));
- if (total_params < 2) {
+ if (total_params < 3) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
@@ -4985,7 +4998,7 @@
if(!lp_host_msdfs())
return ERROR_DOS(ERRDOS,ERRbadfunc);
- srvstr_pull(inbuf, pathname, ¶ms[2], sizeof(pathname), -1, STR_TERMINATE);
+ srvstr_pull(inbuf, pathname, ¶ms[2], sizeof(pathname), total_params - 2, STR_TERMINATE);
if((reply_size = setup_dfs_referral(conn, pathname,max_referral_level,ppdata)) < 0)
return UNIXERROR(ERRDOS,ERRbadfile);
Modified: branches/SAMBA_3_0_24/source/smbd/nttrans.c
===================================================================
--- branches/SAMBA_3_0_24/source/smbd/nttrans.c 2006-12-27 18:51:09 UTC (rev 20362)
+++ branches/SAMBA_3_0_24/source/smbd/nttrans.c 2006-12-27 20:45:12 UTC (rev 20363)
@@ -1857,14 +1857,14 @@
BOOL path_contains_wcard = False;
NTSTATUS status;
- if(parameter_count < 4) {
+ if(parameter_count < 5) {
return ERROR_DOS(ERRDOS,ERRbadfunc);
}
fsp = file_fsp(params, 0);
replace_if_exists = (SVAL(params,2) & RENAME_REPLACE_IF_EXISTS) ? True : False;
CHECK_FSP(fsp, conn);
- srvstr_get_path_wcard(inbuf, new_name, params+4, sizeof(new_name), -1, STR_TERMINATE, &status, &path_contains_wcard);
+ srvstr_get_path_wcard(inbuf, new_name, params+4, sizeof(new_name), parameter_count - 4, STR_TERMINATE, &status, &path_contains_wcard);
if (!NT_STATUS_IS_OK(status)) {
return ERROR_NT(status);
}
Modified: branches/SAMBA_3_0_24/source/smbd/trans2.c
===================================================================
--- branches/SAMBA_3_0_24/source/smbd/trans2.c 2006-12-27 18:51:09 UTC (rev 20362)
+++ branches/SAMBA_3_0_24/source/smbd/trans2.c 2006-12-27 20:45:12 UTC (rev 20363)
@@ -790,7 +790,7 @@
return(ERROR_DOS(ERRSRV,ERRaccess));
}
- srvstr_get_path(inbuf, fname, pname, sizeof(fname), -1, STR_TERMINATE, &status);
+ srvstr_get_path(inbuf, fname, pname, sizeof(fname), total_params - 28, STR_TERMINATE, &status);
if (!NT_STATUS_IS_OK(status)) {
return ERROR_NT(status);
}
@@ -1665,7 +1665,7 @@
struct ea_list *ea_list = NULL;
NTSTATUS ntstatus = NT_STATUS_OK;
- if (total_params < 12) {
+ if (total_params < 13) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
@@ -1709,7 +1709,7 @@
return ERROR_NT(NT_STATUS_INVALID_LEVEL);
}
- srvstr_get_path_wcard(inbuf, directory, params+12, sizeof(directory), -1, STR_TERMINATE, &ntstatus, &mask_contains_wcard);
+ srvstr_get_path_wcard(inbuf, directory, params+12, sizeof(directory), total_params - 12, STR_TERMINATE, &ntstatus, &mask_contains_wcard);
if (!NT_STATUS_IS_OK(ntstatus)) {
return ERROR_NT(ntstatus);
}
@@ -1941,7 +1941,7 @@
struct ea_list *ea_list = NULL;
NTSTATUS ntstatus = NT_STATUS_OK;
- if (total_params < 12) {
+ if (total_params < 13) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
@@ -1957,7 +1957,7 @@
*mask = *directory = *resume_name = 0;
- srvstr_get_path_wcard(inbuf, resume_name, params+12, sizeof(resume_name), -1, STR_TERMINATE, &ntstatus, &mask_contains_wcard);
+ srvstr_get_path_wcard(inbuf, resume_name, params+12, sizeof(resume_name), total_params - 12, STR_TERMINATE, &ntstatus, &mask_contains_wcard);
if (!NT_STATUS_IS_OK(ntstatus)) {
/* Win9x or OS/2 can send a resume name of ".." or ".". This will cause the parser to
complain (it thinks we're asking for the directory above the shared
@@ -2933,7 +2933,7 @@
NTSTATUS status = NT_STATUS_OK;
/* qpathinfo */
- if (total_params < 6) {
+ if (total_params < 7) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
@@ -2941,7 +2941,7 @@
DEBUG(3,("call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = %d\n", info_level));
- srvstr_get_path(inbuf, fname, ¶ms[6], sizeof(fname), -1, STR_TERMINATE, &status);
+ srvstr_get_path(inbuf, fname, ¶ms[6], sizeof(fname), total_params - 6, STR_TERMINATE, &status);
if (!NT_STATUS_IS_OK(status)) {
return ERROR_NT(status);
}
@@ -3843,12 +3843,12 @@
}
} else {
/* set path info */
- if (total_params < 6) {
+ if (total_params < 7) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
info_level = SVAL(params,0);
- srvstr_get_path(inbuf, fname, ¶ms[6], sizeof(fname), -1, STR_TERMINATE, &status);
+ srvstr_get_path(inbuf, fname, ¶ms[6], sizeof(fname), total_params - 6, STR_TERMINATE, &status);
if (!NT_STATUS_IS_OK(status)) {
return ERROR_NT(status);
}
@@ -4373,10 +4373,14 @@
/* Set a symbolic link. */
/* Don't allow this if follow links is false. */
+ if (total_data == 0) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
if (!lp_symlinks(SNUM(conn)))
return(ERROR_DOS(ERRDOS,ERRnoaccess));
- srvstr_pull(inbuf, link_target, pdata, sizeof(link_target), -1, STR_TERMINATE);
+ srvstr_pull(inbuf, link_target, pdata, sizeof(link_target), total_data, STR_TERMINATE);
/* !widelinks forces the target path to be within the share. */
/* This means we can interpret the target as a pathname. */
@@ -4419,7 +4423,11 @@
char *newname = fname;
/* Set a hard link. */
- srvstr_get_path(inbuf, oldname, pdata, sizeof(oldname), -1, STR_TERMINATE, &status);
+ if (total_data == 0) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ srvstr_get_path(inbuf, oldname, pdata, sizeof(oldname), total_data, STR_TERMINATE, &status);
if (!NT_STATUS_IS_OK(status)) {
return ERROR_NT(status);
}
@@ -4446,13 +4454,18 @@
pstring base_name;
char *p;
- if (total_data < 12) {
+ if (total_data < 13) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
overwrite = (CVAL(pdata,0) ? True : False);
/* root_fid = IVAL(pdata,4); */
len = IVAL(pdata,8);
+
+ if (len > (total_data - 12) || (len == 0)) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
srvstr_get_path(inbuf, newname, &pdata[12], sizeof(newname), len, 0, &status);
if (!NT_STATUS_IS_OK(status)) {
return ERROR_NT(status);
@@ -4795,11 +4808,11 @@
if (!CAN_WRITE(conn))
return ERROR_DOS(ERRSRV,ERRaccess);
- if (total_params < 4) {
+ if (total_params < 5) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
- srvstr_get_path(inbuf, directory, ¶ms[4], sizeof(directory), -1, STR_TERMINATE, &status);
+ srvstr_get_path(inbuf, directory, ¶ms[4], sizeof(directory), total_params - 4, STR_TERMINATE, &status);
if (!NT_STATUS_IS_OK(status)) {
return ERROR_NT(status);
}
@@ -4965,7 +4978,7 @@
DEBUG(10,("call_trans2getdfsreferral\n"));
- if (total_params < 2) {
+ if (total_params < 3) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
@@ -4974,7 +4987,7 @@
if(!lp_host_msdfs())
return ERROR_DOS(ERRDOS,ERRbadfunc);
- srvstr_pull(inbuf, pathname, ¶ms[2], sizeof(pathname), -1, STR_TERMINATE);
+ srvstr_pull(inbuf, pathname, ¶ms[2], sizeof(pathname), total_params - 2, STR_TERMINATE);
if((reply_size = setup_dfs_referral(conn, pathname,max_referral_level,ppdata)) < 0)
return UNIXERROR(ERRDOS,ERRbadfile);
More information about the samba-cvs
mailing list