CAN-2004-1154 and 3.0.10

Albert Chin samba-technical at mlists.thewrittenword.com
Mon Dec 20 20:18:22 GMT 2004


On Mon, Dec 20, 2004 at 12:30:04PM -0600, Albert Chin wrote:
> On Mon, Dec 20, 2004 at 12:26:38PM -0600, Albert Chin wrote:
> > On Mon, Dec 20, 2004 at 10:11:50AM -0800, Jeremy Allison wrote:
> > > On Mon, Dec 20, 2004 at 12:06:59PM -0600, Albert Chin wrote:
> > > > The patch against 3.0.9 for CAN-2004-1154 replaced a number of calls:
> > > >   Realloc() -> SMB_REALLOC()
> > > >   malloc() -> SMB_MALLOC()
> > > >   strdup() -> SMB_STRDUP()
> > > >   ...
> > > > 
> > > > However, calls to Realloc(), malloc(), and strdup() remain in 3.0.10.
> > > > Is this a problem?
> > > 
> > > Can you point them out. I've been tracking them down in the SVN codebase
> > > and tidying them up.
> > 
> > Attached patch against SAMBA_3_0 for Realloc(). I'll look for the
> > remainders now.
> 
> Actually, I'll have to review this. I thought Realloc() was in a
> common util.c file but apparently not. So, hang on a bit.

Ok, how's the patch below? I ran a test build with 3.0.10 against the
patch below (though, oddly, the patch for source/lib/util_smbd.c is in
the 3.0.10.tar.gz file but not SAMBA_3_0) for the following platforms:
  AIX 5.2
  HP-UX 10.20, 11.00, 11i
  IRIX 6.5
  Redhat Linux 7.1, 9
  RHEL 2.1, 3.0/x86, 3.0/amd64
  Solaris 2.5.1, 2.6, 7, 8, 9
  Tru64 UNIX 4.0D, 5.1

-- 
albert chin (china at thewrittenword.com)

-- snip snip
Index: source/printing/print_svid.c
===================================================================
--- source/printing/print_svid.c	(revision 4289)
+++ source/printing/print_svid.c	(working copy)
@@ -88,7 +88,7 @@
 			*tmp = '\0';
 		
 		/* add it to the cache */
-		if ((ptmp = malloc(sizeof (*ptmp))) != NULL) {
+		if ((ptmp = SMB_MALLOC_P(printer_t)) != NULL) {
 			ZERO_STRUCTP(ptmp);
 			if((ptmp->name = SMB_STRDUP(name)) == NULL)
 				DEBUG(0,("populate_printers: malloc fail in strdup !\n"));
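Review bot: The SMB_STRDUP failure on the line after the new SMB_MALLOC_P call is only logged, leaving ptmp allocated with a NULL name; if the lines past the hunk still link ptmp into the cache (the comment above says that is what this block does), a later reader of ptmp->name would dereference NULL. Consider releasing the entry and skipping the insertion on that path, e.g. `DEBUG(0,("populate_printers: malloc fail in strdup !\n")); SAFE_FREE(ptmp); } else {` around the cache insertion. populate_printers continues outside the hunk, so I cannot see whether the insertion already guards on ptmp->name.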
Index: source/lib/util_smbd.c
===================================================================
--- source/lib/util_smbd.c	(revision 4289)
+++ source/lib/util_smbd.c	(working copy)
@@ -54,7 +54,7 @@
 		
 		gid_t *groups_tmp;
 		
-		groups_tmp = Realloc(temp_groups, sizeof(gid_t) * max_grp);
+		groups_tmp = SMB_REALLOC_ARRAY(temp_groups, gid_t, max_grp);
 		
 		if (!groups_tmp) {
 			SAFE_FREE(temp_groups);
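Review bot: `SAFE_FREE(temp_groups);` on the failure path assumes SMB_REALLOC leaves the old block owned by the caller when it returns NULL. Samba's Realloc() wrapper has not always had plain realloc() semantics (a zero-size request, for instance, has been treated as a free in some versions), so confirm against the Realloc()/SMB_REALLOC definition in this tree that a NULL return never frees the old block; otherwise this line is a double free. The same assumption is made on the failure paths of the sysacls.c hunks at -690 and -1321. The enclosing loop starts outside the hunk.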
Index: source/lib/sysacls.c
===================================================================
--- source/lib/sysacls.c	(revision 4289)
+++ source/lib/sysacls.c	(working copy)
@@ -612,7 +612,7 @@
 	 */
 	len	= 0;
 	maxlen	= 20 * acl_d->count;
-	if ((text = malloc(maxlen)) == NULL) {
+	if ((text = SMB_MALLOC(maxlen)) == NULL) {
 		errno = ENOMEM;
 		return NULL;
 	}
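Review bot: The size handed to the new SMB_MALLOC call is `20 * acl_d->count`, computed on the context line above, so any overflow check inside the wrapper only ever sees the already-wrapped product; the same applies to `sizeof(*a) + count * sizeof(struct acl)` at the -722 and -1353 hunks and to `acl_count * sizeof(acl_buf[0])` at -886 and -1819, and the -1243 hunk repeats this one verbatim. For the two `acl_count * sizeof(acl_buf[0])` sites the count-checked form is the natural fit, `acl_p = acl_buf = SMB_MALLOC_ARRAY(<element type of acl_buf>, acl_count);`, matching the SMB_REALLOC_ARRAY change in util_smbd.c. For the byte-count cases only an explicit bound on `acl_d->count` / `count` before the multiply would help, unless those counts are already bounded by the ACL API they come from — the hunk does not show that. The enclosing function starts outside the hunk.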
@@ -690,7 +690,7 @@
 
 			maxlen += nbytes + 20 * (acl_d->count - i);
 
-			if ((text = Realloc(oldtext, maxlen)) == NULL) {
+			if ((text = SMB_REALLOC(oldtext, maxlen)) == NULL) {
 				SAFE_FREE(oldtext);
 				errno = ENOMEM;
 				return NULL;
@@ -722,7 +722,7 @@
 	 * acl[] array, this actually allocates an ACL with room
 	 * for (count+1) entries
 	 */
-	if ((a = malloc(sizeof(*a) + count * sizeof(struct acl))) == NULL) {
+	if ((a = SMB_MALLOC(sizeof(*a) + count * sizeof(struct acl))) == NULL) {
 		errno = ENOMEM;
 		return NULL;
 	}
@@ -886,7 +886,7 @@
 		 * allocate a temporary buffer for the complete ACL
 		 */
 		acl_count = acc_acl->count + def_acl->count;
-		acl_p = acl_buf = malloc(acl_count * sizeof(acl_buf[0]));
+		acl_p = acl_buf = SMB_MALLOC(acl_count * sizeof(acl_buf[0]));
 
 		if (acl_buf == NULL) {
 			sys_acl_free_acl(tmp_acl);
@@ -1243,7 +1243,7 @@
 	 */
 	len	= 0;
 	maxlen	= 20 * acl_d->count;
-	if ((text = malloc(maxlen)) == NULL) {
+	if ((text = SMB_MALLOC(maxlen)) == NULL) {
 		errno = ENOMEM;
 		return NULL;
 	}
@@ -1321,7 +1321,7 @@
 
 			maxlen += nbytes + 20 * (acl_d->count - i);
 
-			if ((text = Realloc(oldtext, maxlen)) == NULL) {
+			if ((text = SMB_REALLOC(oldtext, maxlen)) == NULL) {
 				free(oldtext);
 				errno = ENOMEM;
 				return NULL;
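Review bot: The failure path below the new SMB_REALLOC call frees with plain `free(oldtext);`, whereas the otherwise identical hunk at -690 uses `SAFE_FREE(oldtext);`. Since this patch is already harmonising the allocation side, changing this line to `SAFE_FREE(oldtext);` keeps the two copies of the routine in step and does not leave oldtext dangling. Whether the NULL return from SMB_REALLOC can already have released oldtext should be confirmed against the Realloc() definition, as noted for the util_smbd.c hunk.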
@@ -1353,7 +1353,7 @@
 	 * acl[] array, this actually allocates an ACL with room
 	 * for (count+1) entries
 	 */
-	if ((a = malloc(sizeof(*a) + count * sizeof(struct acl))) == NULL) {
+	if ((a = SMB_MALLOC(sizeof(*a) + count * sizeof(struct acl))) == NULL) {
 		errno = ENOMEM;
 		return NULL;
 	}
@@ -1819,7 +1819,7 @@
 		 * allocate a temporary buffer for the complete ACL
 		 */
 		acl_count = acc_acl->count + def_acl->count;
-		acl_p = acl_buf = malloc(acl_count * sizeof(acl_buf[0]));
+		acl_p = acl_buf = SMB_MALLOC(acl_count * sizeof(acl_buf[0]));
 
 		if (acl_buf == NULL) {
 			sys_acl_free_acl(tmp_acl);
@@ -1982,7 +1982,7 @@
 {
 	SMB_ACL_T	a;
 
-	if ((a = malloc(sizeof(*a))) == NULL) {
+	if ((a = SMB_MALLOC_P(struct SMB_ACL_T)) == NULL) {
 		errno = ENOMEM;
 		return NULL;
 	}
@@ -1999,7 +1999,7 @@
 {
 	SMB_ACL_T	a;
 
-	if ((a = malloc(sizeof(*a))) == NULL) {
+	if ((a = SMB_MALLOC_P(struct SMB_ACL_T)) == NULL) {
 		errno = ENOMEM;
 		return NULL;
 	}
@@ -2056,7 +2056,7 @@
 		return NULL;
 	}
 
-	if ((a = malloc(sizeof(*a) + sizeof(struct acl))) == NULL) {
+	if ((a = SMB_MALLOC(sizeof(*a) + sizeof(struct acl))) == NULL) {
 		errno = ENOMEM;
 		return NULL;
 	}
@@ -2282,7 +2282,7 @@
 	DEBUG(10,("Entering sys_acl_get_file\n"));
 	DEBUG(10,("path_p is %s\n",path_p));
 
-	file_acl = (struct acl *)malloc(BUFSIZ);
+	file_acl = (struct acl *)SMB_MALLOC(BUFSIZ);
  
 	if(file_acl == NULL) {
 		errno=ENOMEM;
@@ -2313,7 +2313,7 @@
 	if(acl_entry_link_head == NULL)
 		return(NULL);
 
-	acl_entry_link->entryp = (struct new_acl_entry *)malloc(sizeof(struct new_acl_entry));
+	acl_entry_link->entryp = SMB_MALLOC_P(struct new_acl_entry);
 	if(acl_entry_link->entryp == NULL) {
 		SAFE_FREE(file_acl);
 		errno = ENOMEM;
@@ -2348,8 +2348,7 @@
 			 * and already has entryp allocated.                  */
 
 			if(acl_entry_link_head->count != 0) {
-				acl_entry_link->nextp = (struct acl_entry_link *)
-											malloc(sizeof(struct acl_entry_link));
+				acl_entry_link->nextp = SMB_MALLOC_P(struct acl_entry_link);
 
 				if(acl_entry_link->nextp == NULL) {
 					SAFE_FREE(file_acl);
@@ -2360,7 +2359,7 @@
 
 				acl_entry_link->nextp->prevp = acl_entry_link;
 				acl_entry_link = acl_entry_link->nextp;
-				acl_entry_link->entryp = (struct new_acl_entry *)malloc(sizeof(struct new_acl_entry));
+				acl_entry_link->entryp = SMB_MALLOC_P(struct new_acl_entry);
 				if(acl_entry_link->entryp == NULL) {
 					SAFE_FREE(file_acl);
 					errno = ENOMEM;
@@ -2419,7 +2418,7 @@
 	for( i = 1; i < 4; i++) {
 		DEBUG(10,("i is %d\n",i));
 		if(acl_entry_link_head->count != 0) {
-			acl_entry_link->nextp = (struct acl_entry_link *)malloc(sizeof(struct acl_entry_link));
+			acl_entry_link->nextp = SMB_MALLOC_P(struct acl_entry_link);
 			if(acl_entry_link->nextp == NULL) {
 				SAFE_FREE(file_acl);
 				errno = ENOMEM;
@@ -2429,7 +2428,7 @@
 
 			acl_entry_link->nextp->prevp = acl_entry_link;
 			acl_entry_link = acl_entry_link->nextp;
-			acl_entry_link->entryp = (struct new_acl_entry *)malloc(sizeof(struct new_acl_entry));
+			acl_entry_link->entryp = SMB_MALLOC_P(struct new_acl_entry);
 			if(acl_entry_link->entryp == NULL) {
 				SAFE_FREE(file_acl);
 				errno = ENOMEM;
@@ -2496,7 +2495,7 @@
    
 	DEBUG(10,("Entering sys_acl_get_fd\n"));
 	DEBUG(10,("fd is %d\n",fd));
-	file_acl = (struct acl *)malloc(BUFSIZ);
+	file_acl = (struct acl *)SMB_MALLOC(BUFSIZ);
 
 	if(file_acl == NULL) {
 		errno=ENOMEM;
@@ -2529,7 +2528,7 @@
 		return(NULL);
 	}
 
-	acl_entry_link->entryp = (struct new_acl_entry *)malloc(sizeof(struct new_acl_entry));
+	acl_entry_link->entryp = SMB_MALLOC_P(struct new_acl_entry);
 
 	if(acl_entry_link->entryp == NULL) {
 		errno = ENOMEM;
@@ -2566,7 +2565,7 @@
 			 * and already has entryp allocated.                 */
 
 			if(acl_entry_link_head->count != 0) {
-				acl_entry_link->nextp = (struct acl_entry_link *)malloc(sizeof(struct acl_entry_link));
+				acl_entry_link->nextp = SMB_MALLOC_P(struct acl_entry_link);
 				if(acl_entry_link->nextp == NULL) {
 					errno = ENOMEM;
 					DEBUG(0,("Error in sys_acl_get_fd is %d\n",errno));
@@ -2575,7 +2574,7 @@
 				}
 				acl_entry_link->nextp->prevp = acl_entry_link;
 				acl_entry_link = acl_entry_link->nextp;
-				acl_entry_link->entryp = (struct new_acl_entry *)malloc(sizeof(struct new_acl_entry));
+				acl_entry_link->entryp = SMB_MALLOC_P(struct new_acl_entry);
 				if(acl_entry_link->entryp == NULL) {
 					errno = ENOMEM;
 					DEBUG(0,("Error in sys_acl_get_fd is %d\n",errno));
@@ -2634,7 +2633,7 @@
 	for( i = 1; i < 4; i++) {
 		DEBUG(10,("i is %d\n",i));
 		if(acl_entry_link_head->count != 0){
-			acl_entry_link->nextp = (struct acl_entry_link *)malloc(sizeof(struct acl_entry_link));
+			acl_entry_link->nextp = SMB_MALLOC_P(struct acl_entry_link);
 			if(acl_entry_link->nextp == NULL) {
 				errno = ENOMEM;
 				DEBUG(0,("Error in sys_acl_get_fd is %d\n",errno));
@@ -2644,7 +2643,7 @@
 
 			acl_entry_link->nextp->prevp = acl_entry_link;
 			acl_entry_link = acl_entry_link->nextp;
-			acl_entry_link->entryp = (struct new_acl_entry *)malloc(sizeof(struct new_acl_entry));
+			acl_entry_link->entryp = SMB_MALLOC_P(struct new_acl_entry);
 
 			if(acl_entry_link->entryp == NULL) {
 				SAFE_FREE(file_acl);
@@ -2723,7 +2722,7 @@
  
 	DEBUG(10,("Entering sys_acl_init\n"));
 
-	theacl = (struct acl_entry_link *)malloc(sizeof(struct acl_entry_link));
+	theacl = SMB_MALLOC_P(struct acl_entry_link);
 	if(theacl == NULL) {
 		errno = ENOMEM;
 		DEBUG(0,("Error in sys_acl_init is %d\n",errno));
@@ -2758,7 +2757,7 @@
 	}
 
 	if(theacl->count != 0){
-		temp_entry->nextp = acl_entryp = (struct acl_entry_link *)malloc(sizeof(struct acl_entry_link));
+		temp_entry->nextp = acl_entryp = SMB_MALLOC_P(struct acl_entry_link);
 		if(acl_entryp == NULL) {
 			errno = ENOMEM;
 			DEBUG(0,("Error in sys_acl_create_entry is %d\n",errno));
@@ -2770,7 +2769,7 @@
 		DEBUG(10,("The acl_entryp->prevp is %d\n",acl_entryp->prevp));
 	}
 
-	*pentry = acl_entryp->entryp = (struct new_acl_entry *)malloc(sizeof(struct new_acl_entry));
+	*pentry = acl_entryp->entryp = SMB_MALLOC_P(struct new_acl_entry);
 	if(*pentry == NULL) {
 		errno = ENOMEM;
 		DEBUG(0,("Error in sys_acl_create_entry is %d\n",errno));
@@ -2860,7 +2859,7 @@
 		return(0);
 
 	acl_length = BUFSIZ;
-	file_acl = (struct acl *)malloc(BUFSIZ);
+	file_acl = (struct acl *)SMB_MALLOC(BUFSIZ);
 
 	if(file_acl == NULL) {
 		errno = ENOMEM;
@@ -2893,7 +2892,7 @@
 
 		if((file_acl->acl_len + sizeof(struct acl_entry)) > acl_length) {
 			acl_length += sizeof(struct acl_entry);
-			file_acl_temp = (struct acl *)malloc(acl_length);
+			file_acl_temp = (struct acl *)SMB_MALLOC(acl_length);
 			if(file_acl_temp == NULL) {
 				SAFE_FREE(file_acl);
 				errno = ENOMEM;
@@ -2948,7 +2947,7 @@
  
 	DEBUG(10,("Entering sys_acl_set_fd\n"));
 	acl_length = BUFSIZ;
-	file_acl = (struct acl *)malloc(BUFSIZ);
+	file_acl = (struct acl *)SMB_MALLOC(BUFSIZ);
 
 	if(file_acl == NULL) {
 		errno = ENOMEM;
@@ -2982,7 +2981,7 @@
 
 		if((file_acl->acl_len + sizeof(struct acl_entry)) > acl_length) {
 			acl_length += sizeof(struct acl_entry);
-			file_acl_temp = (struct acl *)malloc(acl_length);
+			file_acl_temp = (struct acl *)SMB_MALLOC(acl_length);
 			if(file_acl_temp == NULL) {
 				SAFE_FREE(file_acl);
 				errno = ENOMEM;
Index: source/lib/afs_settoken.c
===================================================================
--- source/lib/afs_settoken.c	(revision 4289)
+++ source/lib/afs_settoken.c	(working copy)
@@ -53,7 +53,7 @@
 	DATA_BLOB blob;
 	struct ClearToken result_ct;
 
-	char *s = strdup(string);
+	char *s = SMB_STRDUP(string);
 
 	char *t;
 
@@ -62,7 +62,7 @@
 		return False;
 	}
 
-	*cell = strdup(t);
+	*cell = SMB_STRDUP(t);
 
 	if ((t = strtok(NULL, "\n")) == NULL) {
 		DEBUG(10, ("strtok failed\n"));
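Review bot: The new `*cell = SMB_STRDUP(t);` stores the result without a NULL check on the lines visible, so a failed duplicate leaves the caller with a NULL cell name and the function continuing as if it succeeded; the `s` assignment at the -53 hunk has the same gap, and the `strtok(NULL, "\n")` below shows s is being tokenised, which would dereference a NULL s. Guards of the form `if (*cell == NULL) return False;` here and `if (s == NULL) return False;` after the first new line would close both, assuming no other cleanup of s is required on those paths — the hunks do not show how s is released. The enclosing function starts and ends outside both hunks.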
Index: source/libsmb/clikrb5.c
===================================================================
--- source/libsmb/clikrb5.c	(revision 4289)
+++ source/libsmb/clikrb5.c	(working copy)
@@ -233,7 +233,7 @@
 		return -1;
 	}
 
-	sa = malloc( sizeof(struct sockaddr) * num_kdcs );
+	sa = SMB_MALLOC( sizeof(struct sockaddr) * num_kdcs );
 	if (!sa) {
 		DEBUG(0, ("krb5_locate_kdc: malloc failed\n"));
 		krb5_krbhst_free(ctx, hnd);
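Review bot: `sizeof(struct sockaddr) * num_kdcs` is still multiplied before SMB_MALLOC sees it, so the wrapper cannot catch an overflowed product; `sa = SMB_MALLOC_ARRAY(struct sockaddr, num_kdcs);` would move that check into the allocator, consistent with the SMB_REALLOC_ARRAY change in util_smbd.c. num_kdcs is whatever the krb5_krbhst lookup reported and I have not verified here that it is bounded, so treat this as consistency rather than a demonstrated overflow. The second allocation in this function, at the -241 hunk, has the same shape. The enclosing function starts outside the hunk.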
@@ -241,7 +241,7 @@
 		return -1;
 	}
 
-	*addr_pp = malloc(sizeof(struct sockaddr) * num_kdcs);
+	*addr_pp = SMB_MALLOC(sizeof(struct sockaddr) * num_kdcs);
 	memset(*addr_pp, '\0', sizeof(struct sockaddr) * num_kdcs );
 
 	for (i = 0; i < num_kdcs && (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); i++) {
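Review bot: The result of the new `*addr_pp = SMB_MALLOC(...)` is passed straight to memset on the next line with no NULL check, unlike `sa` a few lines earlier, which is checked and cleaned up. A guard mirroring that earlier failure path, `if (!*addr_pp) { DEBUG(0, ("krb5_locate_kdc: malloc failed\n")); SAFE_FREE(sa); krb5_krbhst_free(ctx, hnd); return -1; }`, closes the NULL dereference; whether the earlier path also releases resources not visible in this hunk should be confirmed before copying it. As with `sa`, `SMB_MALLOC_ARRAY(struct sockaddr, num_kdcs)` is the fitting form for this allocation.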
Index: source/utils/net_rpc_samsync.c
===================================================================
--- source/utils/net_rpc_samsync.c	(revision 4289)
+++ source/utils/net_rpc_samsync.c	(working copy)
@@ -863,7 +863,7 @@
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	nt_members = talloc_zero(t, sizeof(char *) * delta->num_members);
+	nt_members = TALLOC_ZERO_ARRAY(t, char *, delta->num_members);
 
 	for (i=0; i<delta->num_members; i++) {
 		NTSTATUS nt_status;
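Review bot: The new TALLOC_ZERO_ARRAY result is used by the loop that follows without a NULL check, and delta->num_members appears to be a count received from the remote side during the sync, which is exactly why the overflow-checked array macro is the right replacement here. The `return NT_STATUS_NO_MEMORY;` context line shows the function already follows that convention, so `if (!nt_members) return NT_STATUS_NO_MEMORY;` (plus whatever cleanup of t the earlier failure path performs, which is outside the hunk) would complete the change. Confirm whether the macro returns NULL for a zero count before adding the check, since an empty membership list would otherwise be reported as out of memory. The enclosing function starts and ends outside the hunk.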

