svn commit: samba r16583 - in trunk/source: lib libsmb passdb printing rpc_server smbd

jra at samba.org jra at samba.org
Wed Jun 28 00:51:22 GMT 2006


Author: jra
Date: 2006-06-28 00:51:21 +0000 (Wed, 28 Jun 2006)
New Revision: 16583

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=16583

Log:
Fix Klocwork #1997 and the general class of problems
where we don't correctly check the return from memdup.
Jeremy.

Modified:
   trunk/source/lib/interface.c
   trunk/source/libsmb/clirap.c
   trunk/source/passdb/pdb_tdb.c
   trunk/source/printing/nt_printing.c
   trunk/source/rpc_server/srv_pipe.c
   trunk/source/smbd/sec_ctx.c


Changeset:
Modified: trunk/source/lib/interface.c
===================================================================
--- trunk/source/lib/interface.c	2006-06-28 00:50:14 UTC (rev 16582)
+++ trunk/source/lib/interface.c	2006-06-28 00:51:21 UTC (rev 16583)
@@ -188,6 +188,10 @@
 
 	if (total_probed > 0) {
 		probed_ifaces = memdup(ifaces, sizeof(ifaces[0])*total_probed);
+		if (!probed_ifaces) {
+			DEBUG(0,("ERROR: memdup failed\n"));
+			exit(1);
+		}
 	}
 
 	/* if we don't have a interfaces line then use all broadcast capable 
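Review bot: The added message `ERROR: memdup failed` does not say which function or allocation failed, unlike the pdb_tdb.c and srv_pipe.c messages in this commit, which carry the function name. Because the process exits on the next line, this log entry is the only trace left for whoever investigates the failure. Something like `DEBUG(0,("<function name>: memdup of probed interface list failed\n"));` would help, with the real name filled in, since the enclosing function starts and ends outside the hunk. Separately, this path uses `exit(1)` while sec_ctx.c uses `smb_panic("memdup failed")` for the same condition; one convention would be easier to audit.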

Modified: trunk/source/libsmb/clirap.c
===================================================================
--- trunk/source/libsmb/clirap.c	2006-06-28 00:50:14 UTC (rev 16582)
+++ trunk/source/libsmb/clirap.c	2006-06-28 00:51:21 UTC (rev 16583)
@@ -848,6 +848,12 @@
 	}
 
 	*poutdata = memdup(rdata, data_len);
+	if (!*poutdata) {
+		SAFE_FREE(rdata);
+		SAFE_FREE(rparam);
+		return False;
+	}
+
 	*poutlen = data_len;
 
 	SAFE_FREE(rdata);
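Review bot: The new `if (!*poutdata)` check treats every NULL from memdup as a failure, which would include a reply with `data_len == 0` if memdup returns NULL for a zero-length copy. Its definition is not on this page, but the sec_ctx.c hunk in this commit guards the zero-count case before calling memdup, which suggests it can. If an empty reply is valid here, the test should be `if (data_len && !*poutdata) {`. The failure path also leaves `*poutlen` unset; adding `*poutlen = 0;` before `return False;` keeps both out-parameters consistent for a caller that ignores the return value. The function body continues outside the hunk.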

Modified: trunk/source/passdb/pdb_tdb.c
===================================================================
--- trunk/source/passdb/pdb_tdb.c	2006-06-28 00:50:14 UTC (rev 16582)
+++ trunk/source/passdb/pdb_tdb.c	2006-06-28 00:51:21 UTC (rev 16583)
@@ -913,6 +913,12 @@
 		/* save a copy of the key */
 		
 		ptr->key.dptr = memdup( key.dptr, key.dsize );
+		if (!ptr->key.dptr) {
+			DEBUG(0,("tdbsam_traverse_setpwent: memdup failed\n"));
+			/* just return 0 and let the traversal continue */
+			return 0;
+		}
+
 		ptr->key.dsize = key.dsize;
 		
 		DLIST_ADD( tdbsam_pwent_list, ptr );
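Review bot: The early `return 0;` after the failed memdup does not release `ptr`, which is presumably allocated earlier in the function, outside the hunk. If so, each failed key copy leaks one list node at a moment when memory is already short, and `SAFE_FREE(ptr);` before the return would fix it. Continuing the traversal also means the password-entry list can come back silently incomplete. The comment should say so, for example `/* entry is skipped: enumeration will be incomplete */`, or the traversal should stop so that callers can tell.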

Modified: trunk/source/printing/nt_printing.c
===================================================================
--- trunk/source/printing/nt_printing.c	2006-06-28 00:50:14 UTC (rev 16582)
+++ trunk/source/printing/nt_printing.c	2006-06-28 00:51:21 UTC (rev 16583)
@@ -738,6 +738,9 @@
 int get_builtin_ntforms(nt_forms_struct **list)
 {
 	*list = (nt_forms_struct *)memdup(&default_forms[0], sizeof(default_forms));
+	if (!*list) {
+		return 0;
+	}
 	return sizeof(default_forms) / sizeof(default_forms[0]);
 }
 
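Review bot: Returning 0 on allocation failure in `get_builtin_ntforms` makes out-of-memory indistinguishable from "no builtin forms" for a caller that only looks at the count. The function has no header comment, so I would add one stating the contract: `/* Returns the number of builtin forms; on allocation failure returns 0 and sets *list to NULL. */`. Callers should then test `*list` rather than the count when they need to tell the two cases apart.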
@@ -2081,6 +2084,10 @@
 	fstrcpy(info.dependentfiles[0], "");
 
 	*info_ptr = memdup(&info, sizeof(info));
+	if (!*info_ptr) {
+		SAFE_FREE(info.dependentfiles);
+		return WERR_NOMEM;
+	}
 	
 	return WERR_OK;
 }
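Review bot: The new failure path here returns without logging, and so do the `@@ -2155` and `@@ -2655` hunks in this file, whereas the interface.c, pdb_tdb.c and srv_pipe.c changes in this commit all emit a `DEBUG(0, ...)` line. The `-1` in the devmode unpack hunk in particular carries no reason. A one-line `DEBUG(0,("<function name>: memdup failed\n"));` before each return, with the real name filled in, would make an out-of-memory condition in the printing code visible in the logs. The function names are outside these hunks.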
@@ -2155,6 +2162,10 @@
 	}
 
 	*info_ptr = (NT_PRINTER_DRIVER_INFO_LEVEL_3 *)memdup(&driver, sizeof(driver));
+	if (!*info_ptr) {
+		SAFE_FREE(driver.dependentfiles);
+		return WERR_NOMEM;
+	}
 
 	return WERR_OK;
 }
@@ -2655,6 +2666,10 @@
 	}
 
 	*nt_devmode = (NT_DEVICEMODE *)memdup(&devmode, sizeof(devmode));
+	if (!*nt_devmode) {
+		SAFE_FREE(devmode.nt_dev_private);
+		return -1;
+	}
 
 	DEBUG(8,("Unpacked devicemode [%s](%s)\n", devmode.devicename, devmode.formname));
 	if (devmode.nt_dev_private)

Modified: trunk/source/rpc_server/srv_pipe.c
===================================================================
--- trunk/source/rpc_server/srv_pipe.c	2006-06-28 00:50:14 UTC (rev 16582)
+++ trunk/source/rpc_server/srv_pipe.c	2006-06-28 00:51:21 UTC (rev 16583)
@@ -678,12 +678,26 @@
 	if (p->pipe_user.ut.ngroups) {
 		if (!(p->pipe_user.ut.groups = memdup(a->server_info->groups,
 						sizeof(gid_t) * p->pipe_user.ut.ngroups))) {
-			DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
+			DEBUG(0,("pipe_ntlmssp_verify_final: failed to memdup group list to p->pipe_user.groups\n"));
+			data_blob_free(&p->session_key);
 			return False;
 		}
 	}
 
+	if (!a->server_info->ptok) {
+		DEBUG(1,("pipe_ntlmssp_verify_final: Error: Authmodule failed to provide nt_user_token\n"));
+		data_blob_free(&p->session_key);
+		SAFE_FREE(p->pipe_user.ut.groups);
+		return False;
+	}
+
 	p->pipe_user.nt_user_token = dup_nt_token(NULL, a->server_info->ptok);
+	if (!p->pipe_user.nt_user_token) {
+		DEBUG(1,("pipe_ntlmssp_verify_final: dup_nt_token failed.\n"));
+		data_blob_free(&p->session_key);
+		SAFE_FREE(p->pipe_user.ut.groups);
+		return False;
+	}
 
 	return True;
 }
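Review bot: On all three failure returns `p->pipe_user.ut.ngroups` keeps its non-zero value while `p->pipe_user.ut.groups` is NULL, either because memdup failed or because `SAFE_FREE` cleared it. Any later code that walks the group array by count on this pipe would then dereference NULL. Setting `p->pipe_user.ut.ngroups = 0;` next to each `SAFE_FREE(p->pipe_user.ut.groups);`, and in the memdup failure branch, keeps the pair consistent. The `!a->server_info->ptok` test could also move above the group copy so that a missing token is rejected before anything is allocated. The start of the function is outside the hunk, so other fields set earlier may need the same reset.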

Modified: trunk/source/smbd/sec_ctx.c
===================================================================
--- trunk/source/smbd/sec_ctx.c	2006-06-28 00:50:14 UTC (rev 16582)
+++ trunk/source/smbd/sec_ctx.c	2006-06-28 00:51:21 UTC (rev 16583)
@@ -252,14 +252,30 @@
 	ctx_p->ut.ngroups = ngroups;
 
 	SAFE_FREE(ctx_p->ut.groups);
-	if (token && (token == ctx_p->token))
+	if (token && (token == ctx_p->token)) {
 		smb_panic("DUPLICATE_TOKEN");
+	}
 
 	TALLOC_FREE(ctx_p->token);
 	
-	ctx_p->ut.groups = memdup(groups, sizeof(gid_t) * ngroups);
-	ctx_p->token = dup_nt_token(NULL, token);
+	if (ngroups) {
+		ctx_p->ut.groups = memdup(groups, sizeof(gid_t) * ngroups);
+		if (!ctx_p->ut.groups) {
+			smb_panic("memdup failed");
+		}
+	} else {
+		ctx_p->ut.groups = NULL;
+	}
 
+	if (token) {
+		ctx_p->token = dup_nt_token(NULL, token);
+		if (!ctx_p->token) {
+			smb_panic("dup_nt_token failed");
+		}
+	} else {
+		ctx_p->token = NULL;
+	}
+
 	become_id(uid, gid);
 
 	ctx_p->ut.uid = uid;
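Review bot: The two `smb_panic` calls added before `become_id(uid, gid)` look like a deliberate fail-closed choice, but nothing in the code says so. A comment above the `if (ngroups)` block would stop a later cleanup from softening it, for example `/* Allocation failure is fatal: never call become_id() with a partial group list or missing token. */`. The panic strings `"memdup failed"` and `"dup_nt_token failed"` also omit the function name, which the messages in the other files of this commit include. Finally, `if (ngroups)` is also true when `groups` is NULL or, if `ngroups` is a signed type, when it is negative. Its declaration is outside the hunk, so a short note on what callers guarantee would help.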


