[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Thu Dec 1 04:54:03 UTC 2016


The branch, master has been updated
       via  446851c librpc: cab: Fix ndr_size_cab_file() to detect integer wrap.
       via  d2fe23a librpc: cab: Integer wrap protection for ndr_count_cfdata().
       via  7375992 smbclient: fix string formatting in print command
      from  c98bdf2 smbd/service_stream: connection processing flag is not really bool

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 446851c8615721294b2265cddc36007ae450e916
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Nov 30 09:23:52 2016 -0800

    librpc: cab: Fix ndr_size_cab_file() to detect integer wrap.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Thu Dec  1 05:53:43 CET 2016 on sn-devel-144

commit d2fe23ae0a66d781b97ec362bb1524b7c31e38b8
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Nov 30 09:19:43 2016 -0800

    librpc: cab: Integer wrap protection for ndr_count_cfdata().
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 737599268fb8959c83fe50158fe1ea3d8c2f0603
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Tue Nov 1 14:18:38 2016 +1300

    smbclient: fix string formatting in print command
    
    At one time, the variables lname and rname were char arrays, but now they
    are pointers. When they were arrays, sizeof(rname) was the length of the
    array, but now it gives the size of the pointer which is not what we want.
    
    In the case where the filename is -, rname was allocated with size 1, which
    could never fit the name it was meant to contain ("stdin-<pid>").
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 librpc/ndr/ndr_cab.c    | 37 ++++++++++++++++++++++++++++++++-----
 source4/client/client.c | 23 +++++++++++++++++------
 2 files changed, 49 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/ndr/ndr_cab.c b/librpc/ndr/ndr_cab.c
index 0d2b36b..ae95bf4 100644
--- a/librpc/ndr/ndr_cab.c
+++ b/librpc/ndr/ndr_cab.c
@@ -57,6 +57,10 @@ uint32_t ndr_count_cfdata(const struct cab_file *r)
 	uint32_t count = 0, i;
 
 	for (i = 0; i < r->cfheader.cFolders; i++) {
+		if (count + r->cffolders[i].cCFData < count) {
+			/* Integer wrap. */
+			return 0;
+		}
 		count += r->cffolders[i].cCFData;
 	}
 
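Review bot: The wrap case returns 0, which is also the legitimate count for a cabinet whose folders carry no CFDATA blocks, so a caller cannot tell "overflowed" from "empty"; the only caller in this commit, ndr_size_cab_file, then silently skips its data loop and reports a size that omits every CFDATA block instead of failing. If returning 0 is the intended contract, it deserves saying at the return: `/* Integer wrap: reported as 0, indistinguishable from an empty cab. */`. Otherwise the function would need a distinct failure signal (an out-parameter or a bool return, as done for ndr_size_cab_file in this same commit). The body of ndr_count_cfdata continues outside the hunk.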
@@ -112,7 +116,7 @@ uint32_t ndr_cab_generate_checksum(const struct CFDATA *r)
 					csumPartial);
 }
 
-static uint32_t ndr_size_cab_file(const struct cab_file *r)
+static bool ndr_size_cab_file(const struct cab_file *r, uint32_t *psize)
 {
 	uint32_t size = 0;
 	int i;
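Review bot: The new signature changes the contract (bool result, size returned through psize) but carries no comment saying what false means or when *psize is written, which later readers of ndr_push_cab_file will need. A one-line header above the definition would do: `/* Returns false if the total cab size would wrap uint32_t; *psize is written only on success. */`. The retained `int i` is compared against unsigned counts in the body, which continues in the next hunk; an unsigned index would match the `uint32_t i` used in ndr_count_cfdata.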
@@ -122,20 +126,39 @@ static uint32_t ndr_size_cab_file(const struct cab_file *r)
 
 	/* folder */
 	for (i = 0; i < r->cfheader.cFolders; i++) {
+		if (size + 8 < size) {
+			/* Integer wrap. */
+			return false;
+		}
 		size += 8;
 	}
 
 	/* files */
 	for (i = 0; i < r->cfheader.cFiles; i++) {
-		size += ndr_size_CFFILE(&r->cffiles[i], 0);
+		uint32_t cfsize = ndr_size_CFFILE(&r->cffiles[i], 0);
+		if (size + cfsize < size) {
+			/* Integer wrap. */
+			return false;
+		}
+		size += cfsize;
 	}
 
 	/* data */
 	for (i = 0; i < ndr_count_cfdata(r); i++) {
-		size += 8 + r->cfdata[i].cbData;
+		if (size + 8 < size) {
+			/* Integer wrap. */
+			return false;
+		}
+		size += 8;
+		if (size + r->cfdata[i].cbData < size) {
+			/* Integer wrap. */
+			return false;
+		}
+		size += r->cfdata[i].cbData;
 	}
 
-	return size;
+	*psize = size;
+	return true;
 }
 
 enum cf_compress_type ndr_cab_get_compression(const struct cab_file *r)
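Review bot: The data loop condition calls ndr_count_cfdata(r) on every iteration, walking all folders each time, and compares the signed index `i` (declared as `int` in the previous hunk) against that uint32_t result. Hoisting the count makes the bound explicit and avoids the signed/unsigned comparison: `uint32_t cfdata_count = ndr_count_cfdata(r);` before the loop and `for (i = 0; i < cfdata_count; i++) {`, with `i` declared `uint32_t`. Note also that ndr_count_cfdata reports its own wrap as 0, so this function cannot currently distinguish that case from a cab with no data and will return true with a size that excludes the CFDATA blocks. The function's declarations are in the preceding hunk.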
@@ -152,6 +175,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_cab_file(struct ndr_push *ndr, int ndr_flags
 	uint32_t cntr_cffolders_0;
 	uint32_t cntr_cffiles_0;
 	uint32_t cntr_cfdata_0;
+	uint32_t cab_size = 0;
 	{
 		uint32_t _flags_save_STRUCT = ndr->flags;
 		ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX|LIBNDR_FLAG_LITTLE_ENDIAN|LIBNDR_FLAG_NOALIGN);
@@ -184,7 +208,10 @@ _PUBLIC_ enum ndr_err_code ndr_push_cab_file(struct ndr_push *ndr, int ndr_flags
 		ndr->flags = _flags_save_STRUCT;
 	}
 
-	SIVAL(ndr->data, 8, ndr_size_cab_file(r));
+	if (ndr_size_cab_file(r, &cab_size) == false) {
+		return NDR_ERR_VALIDATE;
+	}
+	SIVAL(ndr->data, 8, cab_size);
 
 	return NDR_ERR_SUCCESS;
 }
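Review bot: The new check is written as `== false`; the plain C form is `if (!ndr_size_cab_file(r, &cab_size)) {`. The early return also has no comment explaining why the push is rejected, which matters since NDR_ERR_VALIDATE is the only signal the caller gets; a line such as `/* Total size does not fit the 32-bit cabinet size field written at offset 8. */` above the check would make the reason clear.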
diff --git a/source4/client/client.c b/source4/client/client.c
index 4807123..cfc85cd 100644
--- a/source4/client/client.c
+++ b/source4/client/client.c
@@ -1534,15 +1534,26 @@ static int cmd_print(struct smbclient_context *ctx, const char **args)
 	}
 
 	lname = talloc_strdup(ctx, args[1]);
+	if (lname == NULL) {
+		d_printf("Out of memory in cmd_print\n");
+		return 1;
+	}
 
-	rname = talloc_strdup(ctx, lname);
-	p = strrchr_m(rname,'/');
-	if (p) {
-		slprintf(rname, sizeof(rname)-1, "%s-%d", p+1, (int)getpid());
+	if (strequal(lname, "-")) {
+		rname = talloc_asprintf(ctx, "stdin-%d", (int)getpid());
+	} else {
+		p = strrchr_m(lname, '/');
+		if (p) {
+			rname = talloc_asprintf(ctx, "%s-%d", p + 1,
+						(int)getpid());
+		} else {
+			rname = talloc_strdup(ctx, lname);
+		}
 	}
 
-	if (strequal(lname,"-")) {
-		slprintf(rname, sizeof(rname)-1, "stdin-%d", (int)getpid());
+	if (rname == NULL) {
+		d_printf("Out of memory in cmd_print (stdin)\n");
+		return 1;
 	}
 
 	return do_put(ctx, rname, lname, false);
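Review bot: The "(stdin)" suffix in the out-of-memory message is now misleading: the `rname == NULL` check sits after the if/else and covers all three allocations (talloc_asprintf for "-", talloc_asprintf for the basename, talloc_strdup for the plain name), not just the stdin case. Something like `d_printf("Out of memory in cmd_print (rname)\n");` keeps it distinguishable from the lname failure without naming the wrong branch. The start of cmd_print, including the declarations of p and rname, is outside the hunk.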

