[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Thu Dec 1 04:54:03 UTC 2016
The branch, master has been updated
via 446851c librpc: cab: Fix ndr_size_cab_file() to detect integer wrap.
via d2fe23a librpc: cab: Integer wrap protection for ndr_count_cfdata().
via 7375992 smbclient: fix string formatting in print command
from c98bdf2 smbd/service_stream: connection processing flag is not really bool
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 446851c8615721294b2265cddc36007ae450e916
Author: Jeremy Allison <jra at samba.org>
Date: Wed Nov 30 09:23:52 2016 -0800
librpc: cab: Fix ndr_size_cab_file() to detect integer wrap.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Dec 1 05:53:43 CET 2016 on sn-devel-144
commit d2fe23ae0a66d781b97ec362bb1524b7c31e38b8
Author: Jeremy Allison <jra at samba.org>
Date: Wed Nov 30 09:19:43 2016 -0800
librpc: cab: Integer wrap protection for ndr_count_cfdata().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 737599268fb8959c83fe50158fe1ea3d8c2f0603
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Tue Nov 1 14:18:38 2016 +1300
smbclient: fix string formatting in print command
At one time, the variables lname and rname were char arrays, but now they
are pointers. When they were arrays, sizeof(rname) was the length of the
array, but now it gives the size of the pointer which is not what we want.
In the case where the filename is -, rname was alloced as size 1, which
could never hold the name it was meant to contain ("stdin-<pid>").
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
-----------------------------------------------------------------------
Summary of changes:
librpc/ndr/ndr_cab.c | 37 ++++++++++++++++++++++++++++++++-----
source4/client/client.c | 23 +++++++++++++++++------
2 files changed, 49 insertions(+), 11 deletions(-)
Changeset truncated at 500 lines:
diff --git a/librpc/ndr/ndr_cab.c b/librpc/ndr/ndr_cab.c
index 0d2b36b..ae95bf4 100644
--- a/librpc/ndr/ndr_cab.c
+++ b/librpc/ndr/ndr_cab.c
@@ -57,6 +57,10 @@ uint32_t ndr_count_cfdata(const struct cab_file *r)
uint32_t count = 0, i;
for (i = 0; i < r->cfheader.cFolders; i++) {
+ if (count + r->cffolders[i].cCFData < count) {
+ /* Integer wrap. */
+ return 0;
+ }
count += r->cffolders[i].cCFData;
}
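Review bot: Returning 0 on wrap is indistinguishable from a cabinet with zero folders or zero CFDATA entries, so a caller that uses the result as a loop bound (ndr_size_cab_file later in this file does) silently treats an overflowed header as empty instead of failing. Since the function is not static, changing its signature is probably out of scope for this commit, but the sentinel should be documented at the definition: `/* Total CFDATA entries across all folders, or 0 if the per-folder counts overflow uint32_t; 0 is also the legitimate count for an empty cabinet. */`. The function's signature and opening brace lie just before the hunk.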
@@ -112,7 +116,7 @@ uint32_t ndr_cab_generate_checksum(const struct CFDATA *r)
csumPartial);
}
-static uint32_t ndr_size_cab_file(const struct cab_file *r)
+static bool ndr_size_cab_file(const struct cab_file *r, uint32_t *psize)
{
uint32_t size = 0;
int i;
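Review bot: The new out-parameter contract is undocumented: the hunk changes ndr_size_cab_file to return bool and write through `psize`, but nothing says when `*psize` is valid. A comment above the definition would do: `/* Compute the on-disk size of the cabinet. Returns false on uint32_t wrap, in which case *psize is not written. */`. Also `i` is declared `int` here while the loops that follow compare it against unsigned counts (ndr_count_cfdata returns uint32_t); `uint32_t i;` would avoid the signed/unsigned comparison. The function body continues past this hunk.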
@@ -122,20 +126,39 @@ static uint32_t ndr_size_cab_file(const struct cab_file *r)
/* folder */
for (i = 0; i < r->cfheader.cFolders; i++) {
+ if (size + 8 < size) {
+ /* Integer wrap. */
+ return false;
+ }
size += 8;
}
/* files */
for (i = 0; i < r->cfheader.cFiles; i++) {
- size += ndr_size_CFFILE(&r->cffiles[i], 0);
+ uint32_t cfsize = ndr_size_CFFILE(&r->cffiles[i], 0);
+ if (size + cfsize < size) {
+ /* Integer wrap. */
+ return false;
+ }
+ size += cfsize;
}
/* data */
for (i = 0; i < ndr_count_cfdata(r); i++) {
- size += 8 + r->cfdata[i].cbData;
+ if (size + 8 < size) {
+ /* Integer wrap. */
+ return false;
+ }
+ size += 8;
+ if (size + r->cfdata[i].cbData < size) {
+ /* Integer wrap. */
+ return false;
+ }
+ size += r->cfdata[i].cbData;
}
- return size;
+ *psize = size;
+ return true;
}
enum cf_compress_type ndr_cab_get_compression(const struct cab_file *r)
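Review bot: The data loop's bound `ndr_count_cfdata(r)` is re-evaluated on every iteration, and because that helper returns 0 on integer wrap, a wrapped count makes this loop run zero times and the function return true with a size that omits the CFDATA section rather than failing. Hoisting the count, `uint32_t ncfdata = ndr_count_cfdata(r);` before the loop and `for (i = 0; i < ncfdata; i++)`, at least avoids the repeated walk and gives one place to decide whether a zero count should be rejected; whether an empty cabinet is legal is not something this hunk shows. The wrap checks themselves are correct for uint32_t operands, assuming cbData is no wider than uint32_t, which the hunk does not establish.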
@@ -152,6 +175,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_cab_file(struct ndr_push *ndr, int ndr_flags
uint32_t cntr_cffolders_0;
uint32_t cntr_cffiles_0;
uint32_t cntr_cfdata_0;
+ uint32_t cab_size = 0;
{
uint32_t _flags_save_STRUCT = ndr->flags;
ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX|LIBNDR_FLAG_LITTLE_ENDIAN|LIBNDR_FLAG_NOALIGN);
@@ -184,7 +208,10 @@ _PUBLIC_ enum ndr_err_code ndr_push_cab_file(struct ndr_push *ndr, int ndr_flags
ndr->flags = _flags_save_STRUCT;
}
- SIVAL(ndr->data, 8, ndr_size_cab_file(r));
+ if (ndr_size_cab_file(r, &cab_size) == false) {
+ return NDR_ERR_VALIDATE;
+ }
+ SIVAL(ndr->data, 8, cab_size);
return NDR_ERR_SUCCESS;
}
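Review bot: `== false` on a bool result is a style nit; the usual C idiom is the negated call, `if (!ndr_size_cab_file(r, &cab_size)) {`. The `SIVAL(ndr->data, 8, cab_size)` write assumes the header has already been pushed so that ndr->data holds at least 12 bytes at this point; that is presumably guaranteed by the push block above, but the hunk does not show it.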
diff --git a/source4/client/client.c b/source4/client/client.c
index 4807123..cfc85cd 100644
--- a/source4/client/client.c
+++ b/source4/client/client.c
@@ -1534,15 +1534,26 @@ static int cmd_print(struct smbclient_context *ctx, const char **args)
}
lname = talloc_strdup(ctx, args[1]);
+ if (lname == NULL) {
+ d_printf("Out of memory in cmd_print\n");
+ return 1;
+ }
- rname = talloc_strdup(ctx, lname);
- p = strrchr_m(rname,'/');
- if (p) {
- slprintf(rname, sizeof(rname)-1, "%s-%d", p+1, (int)getpid());
+ if (strequal(lname, "-")) {
+ rname = talloc_asprintf(ctx, "stdin-%d", (int)getpid());
+ } else {
+ p = strrchr_m(lname, '/');
+ if (p) {
+ rname = talloc_asprintf(ctx, "%s-%d", p + 1,
+ (int)getpid());
+ } else {
+ rname = talloc_strdup(ctx, lname);
+ }
}
- if (strequal(lname,"-")) {
- slprintf(rname, sizeof(rname)-1, "stdin-%d", (int)getpid());
+ if (rname == NULL) {
+ d_printf("Out of memory in cmd_print (stdin)\n");
+ return 1;
}
return do_put(ctx, rname, lname, false);
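Review bot: The second out-of-memory message, `d_printf("Out of memory in cmd_print (stdin)\n");`, is reached from all three rname branches, not only the stdin one, so the "(stdin)" suffix misreports the failing path; `d_printf("Out of memory in cmd_print\n");` matches the first check. Both early returns leave lname allocated on ctx; that is presumably reclaimed with the context, as the pre-existing code never freed it either, so a `talloc_free(lname)` is only worth adding if cmd_print otherwise frees its temporaries. cmd_print starts before this hunk and continues after it.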