[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Mon Oct 4 08:47:01 MDT 2010
The branch, master has been updated
via 59d00fc lib/util/asn1: let asn1_peek_full_tag() return an error if we fail to parse tag hdr/len
via 42d1a84 libcli/ldap: ldap_full_packet() requires at least 6 bytes
via 4423aa5 tsocket: make sure we delete the fd event before calling close()
from c676c95 compile_et: Support using system compile_et.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 59d00fc439e5851f60925febda8d7f7816a44563
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Oct 2 10:03:55 2010 +0200
lib/util/asn1: let asn1_peek_full_tag() return an error if we fail to parse tag hdr/len
metze
Autobuild-User: Stefan Metzmacher <metze at samba.org>
Autobuild-Date: Mon Oct 4 14:46:40 UTC 2010 on sn-devel-104
commit 42d1a84a360ed56c123bb7bab6340d9e8425a8c0
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Oct 4 10:35:32 2010 +0200
libcli/ldap: ldap_full_packet() requires at least 6 bytes
metze
commit 4423aa59abda50c8b71815f922ea03e2009f9e50
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 27 23:57:34 2010 +0200
tsocket: make sure we delete the fd event before calling close()
We got random double free errors when getting events from
epoll_wait() and trying to dereference the private talloc pointer
attached to it.
Before doing the close() in the tstream_disconnect_send() function
we need to delete the fd event.
commit 38f505530ba06323a56c7d3914630efffcd12629 only fixed it for
tdgram sockets.
metze
-----------------------------------------------------------------------
Summary of changes:
lib/tsocket/tsocket_bsd.c | 1 +
lib/util/asn1.c | 14 +++++++++++++-
libcli/ldap/ldap_message.c | 7 +++++++
3 files changed, 21 insertions(+), 1 deletions(-)
Changeset truncated at 500 lines:
diff --git a/lib/tsocket/tsocket_bsd.c b/lib/tsocket/tsocket_bsd.c
index 6fb1535..bc7cfe3 100644
--- a/lib/tsocket/tsocket_bsd.c
+++ b/lib/tsocket/tsocket_bsd.c
@@ -1895,6 +1895,7 @@ static struct tevent_req *tstream_bsd_disconnect_send(TALLOC_CTX *mem_ctx,
goto post;
}
+ TALLOC_FREE(bsds->fde);
ret = close(bsds->fd);
bsds->fd = -1;
err = tsocket_bsd_error_from_errno(ret, errno, &dummy);
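Review bot: The added TALLOC_FREE(bsds->fde) carries no comment saying that it must stay ahead of close(bsds->fd), and that ordering is the entire fix. The commit message explains why (events coming back from epoll_wait() dereference the private talloc pointer attached to the fd event), but someone tidying this function later only sees two adjacent cleanup lines. A short comment above the new line would protect the ordering. Since the message says 38f5055 made the same fix only for tdgram sockets, it would also be worth moving "free the fde, then close the fd" into one helper used by both the tdgram and tstream paths so they cannot diverge again.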
diff --git a/lib/util/asn1.c b/lib/util/asn1.c
index 7e37fbc..7635ce2 100644
--- a/lib/util/asn1.c
+++ b/lib/util/asn1.c
@@ -527,6 +527,18 @@ bool asn1_peek_tag_needed_size(struct asn1_data *data, uint8_t tag, size_t *size
data->has_error = false;
return false;
}
+ if (n > 4) {
+ /*
+ * We should not allow more than 4 bytes
+ * for the encoding of the tag length.
+ *
+ * Otherwise we'd overflow the taglen
+ * variable on 32 bit systems.
+ */
+ data->ofs = start_ofs;
+ data->has_error = false;
+ return false;
+ }
taglen = b;
while (n > 1) {
if (!asn1_read_uint8(data, &b)) {
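Review bot: In the new n > 4 branch, data->has_error is cleared and false is returned, exactly like the failure path in the context lines just above it, so a caller cannot tell an over-long length encoding from a buffer that is merely incomplete. A length field of more than 4 bytes will never become acceptable with more input, so consider leaving has_error set in this branch or reporting it through a separate result. Also note that n == 4 still lets taglen take any 32 bit value, so any later arithmetic that adds to taglen needs its own overflow check on 32 bit systems.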
@@ -1020,7 +1032,7 @@ NTSTATUS asn1_peek_full_tag(DATA_BLOB blob, uint8_t tag, size_t *packet_size)
ok = asn1_peek_tag_needed_size(&asn1, tag, &size);
if (!ok) {
- return STATUS_MORE_ENTRIES;
+ return NT_STATUS_INVALID_BUFFER_SIZE;
}
if (size > blob.length) {
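Review bot: Returning NT_STATUS_INVALID_BUFFER_SIZE for every !ok result changes the contract of asn1_peek_full_tag(): a false from asn1_peek_tag_needed_size() used to be reported as STATUS_MORE_ENTRIES and is now a hard error, including when the blob simply does not yet hold the whole tag header. The ldap_full_packet() hunk in this push guards against that with its 6 byte check, but any other caller that passes partial buffers would need the same guard. Please state the minimum-length precondition in the function comment, or do the short-blob check inside asn1_peek_full_tag() itself so callers cannot forget it.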
diff --git a/libcli/ldap/ldap_message.c b/libcli/ldap/ldap_message.c
index e5b94b8..b9f9dff 100644
--- a/libcli/ldap/ldap_message.c
+++ b/libcli/ldap/ldap_message.c
@@ -1611,5 +1611,12 @@ _PUBLIC_ NTSTATUS ldap_decode(struct asn1_data *data,
*/
NTSTATUS ldap_full_packet(void *private_data, DATA_BLOB blob, size_t *packet_size)
{
+ if (blob.length < 6) {
+ /*
+ * We need at least 6 bytes to workout the length
+ * of the pdu.
+ */
+ return STATUS_MORE_ENTRIES;
+ }
return asn1_peek_full_tag(blob, ASN1_SEQUENCE(0), packet_size);
}
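Review bot: The 6 in blob.length < 6 is a bare constant whose derivation is not given; the comment only says that 6 bytes are needed. It appears to correspond to the asn1.c change in this push (one tag byte, one length byte, and up to 4 further length bytes under the n > 4 limit), which couples the two values, so a shared named constant or a comment spelling out that relation would keep them in step. Minor: "workout" in the comment should read "work out".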
--
Samba Shared Repository