[SCM] Samba Shared Repository - branch master updated

Tue Apr 30 15:34:01 UTC 2024

The branch, master has been updated
       via  d650f884ec1 lib:ldb: Use correct integer types for sizes
       via  17dd13bb4bc lib:ldb: Add missing overflow check in ldb_msg_normalize()
       via  82b07bd048e lib:tdb: Add missing overflow check for num_values in pytdb.c
       via  e9c4538e272 lib:tdb: Remove trailing spaces from pytdb.c
      from  80159018e41 s3:utils: Fix Inherit-Only flag being automatically propagated to children

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d650f884ec1be0745af93020366b9e115670b771
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Apr 30 14:33:51 2024 +0200

    lib:ldb: Use correct integer types for sizes
    
    Error: INTEGER_OVERFLOW (CWE-190):
    ldb-2.9.0/common/ldb_ldif.c:84: tainted_data_return: Called function "read(f, buf, size)", and a possible return value may be less than zero.
    ldb-2.9.0/common/ldb_ldif.c:84: cast_overflow: An assign that casts to a different type, which might trigger an overflow.
    ldb-2.9.0/common/ldb_ldif.c:92: overflow: The expression "size" is considered to have possibly overflowed.
    ldb-2.9.0/common/ldb_ldif.c:84: overflow_sink: "size", which might be negative, is passed to "read(f, buf, size)". [Note: The source code implementation of the function has been overridden by a builtin model.]
        82|           buf = (char *)value->data;
        83|           while (count < statbuf.st_size) {
        84|->                 bytes = read(f, buf, size);
        85|                   if (bytes == -1) {
        86|                           talloc_free(value->data);
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    
    Autobuild-User(master): Volker Lendecke <vl at samba.org>
    Autobuild-Date(master): Tue Apr 30 15:33:32 UTC 2024 on atb-devel-224

commit 17dd13bb4bc9bd38f663c376ee73de6598715da7
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Apr 30 14:27:54 2024 +0200

    lib:ldb: Add missing overflow check in ldb_msg_normalize()
    
    Error: INTEGER_OVERFLOW (CWE-190):
    ldb-2.9.0/common/ldb_msg.c:1235: tainted_data_argument: The check "i < msg2->num_elements" contains the tainted expression "i" which causes "msg2->num_elements" to be considered tainted.
    ldb-2.9.0/common/ldb_msg.c:1253: overflow: The expression "msg2->num_elements - (i + 1U)" is deemed underflowed because at least one of its arguments has underflowed.
    ldb-2.9.0/common/ldb_msg.c:1253: overflow: The expression "32UL * (msg2->num_elements - (i + 1U))" is deemed underflowed because at least one of its arguments has underflowed.
    ldb-2.9.0/common/ldb_msg.c:1253: overflow_sink: "32UL * (msg2->num_elements - (i + 1U))", which might have underflowed, is passed to "memmove(el2, el2 + 1, 32UL * (msg2->num_elements - (i + 1U)))". [Note: The source code implementation of the function has been overridden by a builtin model.]
      1251|                           talloc_free(discard_const_p(char, el2->name));
      1252|                           if ((i+1) < msg2->num_elements) {
      1253|->                                 memmove(el2, el2+1, sizeof(struct ldb_message_element) *
      1254|                                           (msg2->num_elements - (i+1)));
      1255|                           }
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

commit 82b07bd048e8039896be7edec6b83cbd6ff218d9
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Apr 30 14:16:33 2024 +0200

    lib:tdb: Add missing overflow check for num_values in pytdb.c
    
    Error: INTEGER_OVERFLOW (CWE-190):
    tdb-1.4.10/pytdb.c:401: cast_overflow: Truncation due to cast operation on "num_values" from 64 to 32 bits.
    tdb-1.4.10/pytdb.c:401: overflow_sink: "num_values", which might have overflowed, is passed to "tdb_storev(self->ctx, key, values, num_values, flag)".
      399|           }
      400|
      401|->         ret = tdb_storev(self->ctx, key, values, num_values, flag);
      402|           free(values);
      403|           PyErr_TDB_ERROR_IS_ERR_RAISE(ret, self->ctx);
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

commit e9c4538e272a32f9fe4dcdabc6f44b95ddfda6e7
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Apr 30 14:16:15 2024 +0200

    lib:tdb: Remove trailing spaces from pytdb.c
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/ldb/common/ldb_ldif.c |  3 ++-
 lib/ldb/common/ldb_msg.c  |  2 +-
 lib/tdb/pytdb.c           | 22 +++++++++++++---------
 3 files changed, 16 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/common/ldb_ldif.c b/lib/ldb/common/ldb_ldif.c
index 96237dd0abf..24a0bcdefa5 100644
--- a/lib/ldb/common/ldb_ldif.c
+++ b/lib/ldb/common/ldb_ldif.c
@@ -45,7 +45,8 @@ static int ldb_read_data_file(TALLOC_CTX *mem_ctx, struct ldb_val *value)
 {
 	struct stat statbuf;
 	char *buf;
-	int count, size, bytes;
+	size_t count, size;
+	ssize_t bytes;
 	int ret;
 	int f;
 	const char *fname = (const char *)value->data;
diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c
index bbb7ff96233..8477ab2b00b 100644
--- a/lib/ldb/common/ldb_msg.c
+++ b/lib/ldb/common/ldb_msg.c
@@ -1256,7 +1256,7 @@ int ldb_msg_normalize(struct ldb_context *ldb,
 			       sizeof(struct ldb_val) * el2->num_values);
 			el1->num_values += el2->num_values;
 			talloc_free(discard_const_p(char, el2->name));
-			if ((i+1) < msg2->num_elements) {
+			if ((i + 1 > i) && ((i + 1) < msg2->num_elements)) {
 				memmove(el2, el2+1, sizeof(struct ldb_message_element) *
 					(msg2->num_elements - (i+1)));
 			}
diff --git a/lib/tdb/pytdb.c b/lib/tdb/pytdb.c
index 4d75d7a9041..3b1842c02c1 100644
--- a/lib/tdb/pytdb.c
+++ b/lib/tdb/pytdb.c
@@ -1,4 +1,4 @@
-/* 
+/*
    Unix SMB/CIFS implementation.
 
    Python interface to tdb.
@@ -44,7 +44,7 @@ static PyTypeObject PyTdb;
 
 static void PyErr_SetTDBError(TDB_CONTEXT *tdb)
 {
-	PyErr_SetObject(PyExc_RuntimeError, 
+	PyErr_SetObject(PyExc_RuntimeError,
 		Py_BuildValue("(i,s)", tdb_error(tdb), tdb_errorstr(tdb)));
 }
 
@@ -294,7 +294,7 @@ static PyObject *obj_nextkey(PyTdbObject *self, PyObject *args)
 	key = PyBytes_AsTDB_DATA(py_key);
 	if (!key.dptr)
 		return NULL;
-	
+
 	return PyBytes_FromTDB_DATA(tdb_nextkey(self->ctx, key));
 }
 
@@ -383,6 +383,10 @@ static PyObject *obj_storev(PyTdbObject *self, PyObject *args)
 		PyErr_SetFromErrno(PyExc_OverflowError);
 		return NULL;
 	}
+	if (num_values > INT_MAX) {
+		PyErr_SetFromErrno(PyExc_OverflowError);
+		return NULL;
+	}
 	values = malloc(sizeof(TDB_DATA) * num_values);
 	if (values == NULL) {
 		PyErr_NoMemory();
@@ -398,7 +402,7 @@ static PyObject *obj_storev(PyTdbObject *self, PyObject *args)
 		values[i] = value;
 	}
 
-	ret = tdb_storev(self->ctx, key, values, num_values, flag);
+	ret = tdb_storev(self->ctx, key, values, (int)num_values, flag);
 	free(values);
 	PyErr_TDB_ERROR_IS_ERR_RAISE(ret, self->ctx);
 	Py_RETURN_NONE;
@@ -466,7 +470,7 @@ PyTypeObject PyTdbIterator = {
 static PyObject *tdb_object_iter(PyTdbObject *self,
 		PyObject *Py_UNUSED(ignored))
 {
-	PyTdbIteratorObject *ret;	
+	PyTdbIteratorObject *ret;
 
 	PyErr_TDB_RAISE_IF_CLOSED(self);
 
@@ -514,7 +518,7 @@ static PyObject *obj_increment_seqnum_nonblock(PyTdbObject *self,
 }
 
 static PyMethodDef tdb_object_methods[] = {
-	{ "transaction_cancel", (PyCFunction)obj_transaction_cancel, METH_NOARGS, 
+	{ "transaction_cancel", (PyCFunction)obj_transaction_cancel, METH_NOARGS,
 		"S.transaction_cancel() -> None\n"
 		"Cancel the currently active transaction." },
 	{ "transaction_commit", (PyCFunction)obj_transaction_commit, METH_NOARGS,
@@ -713,9 +717,9 @@ static int obj_setitem(PyTdbObject *self, PyObject *key, PyObject *value)
 
 	tkey = PyBytes_AsTDB_DATA(key);
 
-	if (value == NULL) { 
+	if (value == NULL) {
 		ret = tdb_delete(self->ctx, tkey);
-	} else { 
+	} else {
 		if (!PyBytes_Check(value)) {
 			PyErr_SetString(PyExc_TypeError, "Expected string as value");
 			return -1;
@@ -729,7 +733,7 @@ static int obj_setitem(PyTdbObject *self, PyObject *key, PyObject *value)
 	if (ret != 0) {
 		PyErr_SetTDBError(self->ctx);
 		return -1;
-	} 
+	}
 
 	return ret;
 }


-- 
Samba Shared Repository

