[SCM] Samba Shared Repository - branch master updated -
release-4-0-0alpha6-936-gdc7f04a
Günther Deschner
gd at samba.org
Tue Feb 17 09:21:39 GMT 2009
The branch, master has been updated
via dc7f04aac78579edcd171bfcb9de901444c6c819 (commit)
via ea192f08e609fa4c4a48df1b27874b9ae2c1fa40 (commit)
from 612c5e746bd4d0059eb8bcb8dbb4944db155f071 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit dc7f04aac78579edcd171bfcb9de901444c6c819
Author: Günther Deschner <gd at samba.org>
Date: Tue Feb 17 10:14:58 2009 +0100
s3-netapi: fix Coverity #881 and #882.
Guenther
commit ea192f08e609fa4c4a48df1b27874b9ae2c1fa40
Author: Volker Lendecke <vl at samba.org>
Date: Sat Feb 14 18:01:20 2009 +0100
Fix an invalid typecasting
entry->num_of_strings is a uint16_t. Casting it with
(int *)&entry->num_of_strings
is wrong, because it gives add_string_to_array the illusion that the object
"num" points to is an int, which it is not.
In case we are running on a machine where "int" is 32 or 64 bits long, what
happens with that cast? "add_string_to_array" interprets the byte field that
starts where "num_of_strings" starts as an int. Under very particular
circumstances this might work in a limited number of cases: When the byte order
of an int is such that the lower order bits of the int are stored first, the
subsequent bytes which do not belong to the uint16_t anymore happen to be 0 and
the result of the increment still fits into the first 2 bytes of that int, i.e.
the result is < 65536.
The correct solution to this problem is to use the implicit type conversion
that happens when an assignment is done.
BTW, this bug is found if you compile with -O3 -Wall, it shows up as a warning:
rpc_server/srv_eventlog_lib.c:574: warning: dereferencing type-punned pointer
will break strict-aliasing rules
Thanks,
Volker
-----------------------------------------------------------------------
Summary of changes:
source3/lib/netapi/serverinfo.c | 63 +++++++++++++++++++++++++++++----
source3/rpc_server/srv_eventlog_lib.c | 8 ++++-
2 files changed, 63 insertions(+), 8 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/lib/netapi/serverinfo.c b/source3/lib/netapi/serverinfo.c
index 02396a7..72ceec0 100644
--- a/source3/lib/netapi/serverinfo.c
+++ b/source3/lib/netapi/serverinfo.c
@@ -98,7 +98,6 @@ static NTSTATUS map_server_info_to_SERVER_INFO_buffer(TALLOC_CTX *mem_ctx,
struct SERVER_INFO_403 i403;
struct SERVER_INFO_502 i502;
struct SERVER_INFO_503 i503;
- struct SERVER_INFO_598 i598;
struct SERVER_INFO_599 i599;
struct SERVER_INFO_1005 i1005;
#if 0
@@ -396,13 +395,63 @@ static NTSTATUS map_server_info_to_SERVER_INFO_buffer(TALLOC_CTX *mem_ctx,
&num_info);
break;
- case 598:
- ADD_TO_ARRAY(mem_ctx, struct SERVER_INFO_598, i598,
- (struct SERVER_INFO_598 **)buffer,
- &num_info);
- break;
-
case 599:
+ i599.sv599_sessopens = i->info599->sessopen;
+ i599.sv599_opensearch = i->info599->opensearch;
+ i599.sv599_sizreqbuf = i->info599->sizereqbufs;
+ i599.sv599_initworkitems = i->info599->initworkitems;
+ i599.sv599_maxworkitems = i->info599->maxworkitems;
+ i599.sv599_rawworkitems = i->info599->rawworkitems;
+ i599.sv599_irpstacksize = i->info599->irpstacksize;
+ i599.sv599_maxrawbuflen = i->info599->maxrawbuflen;
+ i599.sv599_sessusers = i->info599->sessusers;
+ i599.sv599_sessconns = i->info599->sessconns;
+ i599.sv599_maxpagedmemoryusage = i->info599->maxpagedmemoryusage;
+ i599.sv599_maxnonpagedmemoryusage = i->info599->maxnonpagedmemoryusage;
+ i599.sv599_enablesoftcompat = i->info599->enablesoftcompat;
+ i599.sv599_enableforcedlogoff = i->info599->enableforcedlogoff;
+ i599.sv599_timesource = i->info599->timesource;
+ i599.sv599_acceptdownlevelapis = i->info599->acceptdownlevelapis;
+ i599.sv599_lmannounce = i->info599->lmannounce;
+ i599.sv599_domain = talloc_strdup(mem_ctx, i->info599->domain);
+ i599.sv599_maxcopyreadlen = i->info599->maxcopyreadlen;
+ i599.sv599_maxcopywritelen = i->info599->maxcopywritelen;
+ i599.sv599_minkeepsearch = i->info599->minkeepsearch;
+ i599.sv599_maxkeepsearch = 0; /* ?? */
+ i599.sv599_minkeepcomplsearch = i->info599->minkeepcomplsearch;
+ i599.sv599_maxkeepcomplsearch = i->info599->maxkeepcomplsearch;
+ i599.sv599_threadcountadd = i->info599->threadcountadd;
+ i599.sv599_numblockthreads = i->info599->numlockthreads; /* typo ? */
+ i599.sv599_scavtimeout = i->info599->scavtimeout;
+ i599.sv599_minrcvqueue = i->info599->minrcvqueue;
+ i599.sv599_minfreeworkitems = i->info599->minfreeworkitems;
+ i599.sv599_xactmemsize = i->info599->xactmemsize;
+ i599.sv599_threadpriority = i->info599->threadpriority;
+ i599.sv599_maxmpxct = i->info599->maxmpxct;
+ i599.sv599_oplockbreakwait = i->info599->oplockbreakwait;
+ i599.sv599_oplockbreakresponsewait = i->info599->oplockbreakresponsewait;
+ i599.sv599_enableoplocks = i->info599->enableoplocks;
+ i599.sv599_enableoplockforceclose = i->info599->enableoplockforceclose;
+ i599.sv599_enablefcbopens = i->info599->enablefcbopens;
+ i599.sv599_enableraw = i->info599->enableraw;
+ i599.sv599_enablesharednetdrives = i->info599->enablesharednetdrives;
+ i599.sv599_minfreeconnections = i->info599->minfreeconnections;
+ i599.sv599_maxfreeconnections = i->info599->maxfreeconnections;
+ i599.sv599_initsesstable = i->info599->initsesstable;
+ i599.sv599_initconntable = i->info599->initconntable;
+ i599.sv599_initfiletable = i->info599->initfiletable;
+ i599.sv599_initsearchtable = i->info599->initsearchtable;
+ i599.sv599_alertschedule = i->info599->alertsched;
+ i599.sv599_errorthreshold = i->info599->errortreshold;
+ i599.sv599_networkerrorthreshold = i->info599->networkerrortreshold;
+ i599.sv599_diskspacethreshold = i->info599->diskspacetreshold;
+ i599.sv599_reserved = i->info599->reserved;
+ i599.sv599_maxlinkdelay = i->info599->maxlinkdelay;
+ i599.sv599_minlinkthroughput = i->info599->minlinkthroughput;
+ i599.sv599_linkinfovalidtime = i->info599->linkinfovalidtime;
+ i599.sv599_scavqosinfoupdatetime = i->info599->scavqosinfoupdatetime;
+ i599.sv599_maxworkitemidletime = i->info599->maxworkitemidletime;
+
ADD_TO_ARRAY(mem_ctx, struct SERVER_INFO_599, i599,
(struct SERVER_INFO_599 **)buffer,
&num_info);
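Review bot: The result of `i599.sv599_domain = talloc_strdup(mem_ctx, i->info599->domain);` is not checked before ADD_TO_ARRAY copies i599 into the output buffer, so an allocation failure (or a NULL source string, for which talloc_strdup also returns NULL) silently produces an entry with a NULL domain instead of an error; add `if (i599.sv599_domain == NULL) { return NT_STATUS_NO_MEMORY; }` after that line, assuming the function's other cases report failure by returning an NTSTATUS as the signature suggests — the rest of map_server_info_to_SERVER_INFO_buffer lies outside the hunk. The `/* ?? */` on `sv599_maxkeepsearch = 0` and `/* typo ? */` on `sv599_numblockthreads = i->info599->numlockthreads` leave open questions in committed code; each should say what is actually known, e.g. a comment naming the source field that has no counterpart and why 0 is the chosen value, or be resolved against the wire definition before merging. The hunk header counts 13/63 lines but 12/62 are visible, so one blank line appears to have been lost in transit; this does not affect the review.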
diff --git a/source3/rpc_server/srv_eventlog_lib.c b/source3/rpc_server/srv_eventlog_lib.c
index d8c5c3d..edd1cfa 100644
--- a/source3/rpc_server/srv_eventlog_lib.c
+++ b/source3/rpc_server/srv_eventlog_lib.c
@@ -560,6 +560,7 @@ bool parse_logentry( TALLOC_CTX *mem_ctx, char *line, struct eventlog_Record_tdb
}
} else if ( 0 == strncmp( start, "STR", stop - start ) ) {
size_t tmp_len;
+ int num_of_strings;
/* skip past initial ":" */
stop++;
/* now skip any other leading whitespace */
@@ -570,10 +571,15 @@ bool parse_logentry( TALLOC_CTX *mem_ctx, char *line, struct eventlog_Record_tdb
if (tmp_len == (size_t)-1) {
return false;
}
+ num_of_strings = entry->num_of_strings;
if (!add_string_to_array(mem_ctx, stop, &entry->strings,
- (int *)&entry->num_of_strings)) {
+ &num_of_strings)) {
return false;
}
+ if (num_of_strings > 0xffff) {
+ return false;
+ }
+ entry->num_of_strings = num_of_strings;
entry->strings_len += tmp_len;
} else if ( 0 == strncmp( start, "DAT", stop - start ) ) {
/* skip past initial ":" */
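Review bot: The overflow check `if (num_of_strings > 0xffff)` runs after add_string_to_array has already appended to entry->strings, so on the rejecting path the array has grown while entry->num_of_strings and entry->strings_len were not updated, leaving the record inconsistent for any caller that inspects it after the false return. Checking before the append avoids that state: `if (entry->num_of_strings == UINT16_MAX) { return false; }` placed just before the add_string_to_array call, with the existing post-check then redundant. Using UINT16_MAX rather than the literal 0xffff also documents that the bound comes from the uint16_t type of entry->num_of_strings, which is the point of the commit message; the `int num_of_strings;` declaration in the earlier hunk is what makes the widened local possible. parse_logentry begins and ends outside these hunks.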
--