[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Fri Mar 18 23:57:05 UTC 2016


The branch, master has been updated
       via  e806824 ldb client controls: avoid talloc_memdup(x, y, (size_t)-1);
       via  ac4dc0c s3/vfs:stream_depots: Parse substitutions in streams-depot-directory path
      from  e8e2386 s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e806824fc8841553102eefdd748b5c6d261f1bb7
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Mar 16 12:46:12 2016 +1300

    ldb client controls: avoid talloc_memdup(x, y, (size_t)-1);
    
    ldb_base64_decode() returns -1 if a string can't be parsed as base64,
    and this is not the kind of value you want to use in talloc_memdup().
    
    In these cases it can happen innocently if the strings are truncated
    to fit in their buffers.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by:  Volker Lendecke <Volker.Lendecke at SerNet.DE>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Sat Mar 19 00:56:42 CET 2016 on sn-devel-144

commit ac4dc0c678dddf1eab977dddfc4344d835be7824
Author: Shyamsunder Rathi <shyam.rathi at nutanix.com>
Date:   Thu Mar 10 12:37:49 2016 -0800

    s3/vfs:stream_depots: Parse substitutions in streams-depot-directory path
    
    At present, substitutions in the streams directory path are ignored. Fix it
    by modifying 'stream_dir' function to call 'lp_parm_talloc_string' which
    internally calls 'lp_string' on the path.
    
    Signed-off-by: Shyamsunder Rathi <shyam.rathi at nutanix.com>
    Reviewed-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/ldb/common/ldb_controls.c       | 31 +++++++++++++++++++++++++++----
 source3/modules/vfs_streams_depot.c | 10 ++++++++--
 2 files changed, 35 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/common/ldb_controls.c b/lib/ldb/common/ldb_controls.c
index 7da0cf0..0fdd13a 100644
--- a/lib/ldb/common/ldb_controls.c
+++ b/lib/ldb/common/ldb_controls.c
@@ -507,8 +507,16 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 			control->match.byOffset.contentCount = cc;
 		}
 		if (ctxid[0]) {
-			control->ctxid_len = ldb_base64_decode(ctxid);
-			control->contextId = talloc_memdup(control, ctxid, control->ctxid_len);
+			int len = ldb_base64_decode(ctxid);
+			if (len < 0) {
+				ldb_set_errstring(ldb,
+						  "invalid VLV context_id\n");
+				talloc_free(ctrl);
+				return NULL;
+			}
+			control->ctxid_len = len;
+			control->contextId = talloc_memdup(control, ctxid,
+							   control->ctxid_len);
 		} else {
 			control->ctxid_len = 0;
 			control->contextId = NULL;
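Review bot: The result of `talloc_memdup()` is still not checked after the new length guard, so an allocation failure would leave `control->contextId` NULL while `control->ctxid_len` is non-zero. The same applies to `control->cookie` in the dirsync and dirsync_ex hunks below. A follow-up check such as `if (control->contextId == NULL) { ldb_oom(ldb); talloc_free(ctrl); return NULL; }` would keep pointer and length consistent. Whether later code in ldb_parse_control_from_string already copes with this is not visible, since the function starts and ends outside the hunk.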
@@ -552,7 +560,14 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 		control->flags = flags;
 		control->max_attributes = max_attrs;
 		if (*cookie) {
-			control->cookie_len = ldb_base64_decode(cookie);
+			int len = ldb_base64_decode(cookie);
+			if (len < 0) {
+				ldb_set_errstring(ldb,
+						  "invalid dirsync cookie\n");
+				talloc_free(ctrl);
+				return NULL;
+			}
+			control->cookie_len = len;
 			control->cookie = (char *)talloc_memdup(control, cookie, control->cookie_len);
 		} else {
 			control->cookie = NULL;
@@ -597,7 +612,15 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 		control->flags = flags;
 		control->max_attributes = max_attrs;
 		if (*cookie) {
-			control->cookie_len = ldb_base64_decode(cookie);
+			int len = ldb_base64_decode(cookie);
+			if (len < 0) {
+				ldb_set_errstring(ldb,
+						  "invalid dirsync_ex cookie"
+						  " (probably too long)\n");
+				talloc_free(ctrl);
+				return NULL;
+			}
+			control->cookie_len = len;
 			control->cookie = (char *)talloc_memdup(control, cookie, control->cookie_len);
 		} else {
 			control->cookie = NULL;
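Review bot: Only this message carries the "(probably too long)" hint, while the VLV and dirsync messages above report the same failure without it, even though the commit description attributes all three cases to truncation. The `len < 0` guard also catches truncation only when the shortened text no longer parses as base64; a value cut short but still decodable would presumably be accepted as a shorter cookie, so an over-long input is better rejected where the string is parsed into its buffer (outside this hunk). I would use the same wording in all three messages and add a comment here such as `/* a decode failure is the only truncation signal available at this point */`.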
diff --git a/source3/modules/vfs_streams_depot.c b/source3/modules/vfs_streams_depot.c
index ef5ef64..5a97444 100644
--- a/source3/modules/vfs_streams_depot.c
+++ b/source3/modules/vfs_streams_depot.c
@@ -123,7 +123,7 @@ static char *stream_dir(vfs_handle_struct *handle,
 	struct file_id id;
 	uint8_t id_buf[16];
 	bool check_valid;
-	const char *rootdir;
+	char *rootdir = NULL;
 	struct smb_filename *rootdir_fname = NULL;
 	struct smb_filename *tmp_fname = NULL;
 
@@ -137,9 +137,13 @@ static char *stream_dir(vfs_handle_struct *handle,
 		goto fail;
 	}
 
-	rootdir = lp_parm_const_string(
+	rootdir = lp_parm_talloc_string(talloc_tos(),
 		SNUM(handle->conn), "streams_depot", "directory",
 		tmp);
+	if (rootdir == NULL) {
+		errno = ENOMEM;
+		goto fail;
+	}
 
 	rootdir_fname = synthetic_smb_fname(talloc_tos(),
 					rootdir,
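Review bot: Nothing at the `lp_parm_talloc_string()` call records that `rootdir` is now a substituted, per-connection string that is passed on to `synthetic_smb_fname()` as a filesystem path. If any substitution variable usable in this parameter can take client-influenced values (not visible here), the depot location then depends on that input, which an administrator should know when choosing the setting. I would add a comment above the call, e.g. `/* substitutions are expanded here; the result is used as the depot root path */`, and mention the behaviour in the module's documentation. stream_dir's body starts and ends outside this hunk.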
@@ -329,12 +333,14 @@ static char *stream_dir(vfs_handle_struct *handle,
 	}
 
 	TALLOC_FREE(rootdir_fname);
+	TALLOC_FREE(rootdir);
 	TALLOC_FREE(tmp_fname);
 	TALLOC_FREE(smb_fname_hash);
 	return result;
 
  fail:
 	TALLOC_FREE(rootdir_fname);
+	TALLOC_FREE(rootdir);
 	TALLOC_FREE(tmp_fname);
 	TALLOC_FREE(smb_fname_hash);
 	TALLOC_FREE(result);


-- 
Samba Shared Repository


