[CHECKER] Direct Deref of tainted pointer sbuf (PR#25987)
Andrew Bartlett
abartlet at samba.org
Sat Nov 23 10:24:01 GMT 2002
> Full_Name: Russell Greene
> Samba_Version: 2.2.6
> Server_OS: N/A
> Client_OS: N/A
> Submission from: (NULL) (128.12.177.14)
>
>
> Hello. This potential bug was found using a checker on the Samba source.
> Please verify.
>
> I am assuming that sys_fstat is a wrapper for fstat and therefore takes input
> from the user. As a result, there is a chance that sbuf will be NULL. The
> function sys_fstat dereferences sbuf without first checking that it is not
> null.
How can sbuf be NULL?
And what if it is - if you pass a NULL buffer to fstat(), fstat() segfaults, so
I don't see a problem with dereferencing the buffer *after* a successful call to
fstat().
If you can find how we could get a NULL buffer from a caller, this would be a
different issue.
> [BUG] assuming user can call sys_fstat
> /u1/rdg12/net/samba-2.2.6/source/lib/system.c:204:sys_fstat:
> ERROR:USER:196:204:direct deref of tainted pointer sbuf
> /*******************************************************************
> An fstat() wrapper that will deal with 64 bit filesizes.
> ********************************************************************/
>
> int sys_fstat(int fd,SMB_STRUCT_STAT *sbuf)
> Start --->
> {
> int ret;
> #if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_OFF64_T) && defined(HAVE_FSTAT64)
> ret = fstat64(fd, sbuf);
> #else
> ret = fstat(fd, sbuf);
> #endif
> /* we always want directories to appear zero size */
> Error --->
> if (ret == 0 && S_ISDIR(sbuf->st_mode)) sbuf->st_size = 0;
> return ret;
> }
>
>
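As an added illustration, not Samba code and not part of this thread: a hypothetical hardened wrapper that rejects a NULL buffer with EINVAL before calling fstat(), then applies the same directory-size rule as the quoted function. It assumes plain `struct stat` in place of SMB_STRUCT_STAT and omits the fstat64 variant.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hardened wrapper (not Samba's sys_fstat): validate the
 * caller's buffer before fstat() so a NULL sbuf becomes an error instead
 * of a dereference after the call. */
int checked_fstat(int fd, struct stat *sbuf)
{
    int ret;
    if (sbuf == NULL) {
        errno = EINVAL;
        return -1;
    }
    ret = fstat(fd, sbuf);
    /* Same rule as the original: directories always appear zero size. */
    if (ret == 0 && S_ISDIR(sbuf->st_mode))
        sbuf->st_size = 0;
    return ret;
}

/* Exercise the wrapper on the current directory; returns the size it
 * reports (expected 0) or -1 if the call fails. */
long dir_size_via_wrapper(void)
{
    struct stat st;
    long size = -1;
    int fd = open(".", O_RDONLY);
    if (fd < 0) return -1;
    if (checked_fstat(fd, &st) == 0 && S_ISDIR(st.st_mode))
        size = (long)st.st_size;
    close(fd);
    return size;
}

/* Exercise the NULL-buffer path; returns the errno the wrapper set
 * (expected EINVAL), or 0 if it wrongly reported success. */
int null_buffer_errno(void)
{
    int fd = open(".", O_RDONLY);
    int saved = 0;
    if (fd < 0) return -1;
    errno = 0;
    if (checked_fstat(fd, NULL) == -1) saved = errno;
    close(fd);
    return saved;
}
```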