Uninitialized access in winbind (relatively minour issue)
kawasa_r at itg.hitachi.co.jp
kawasa_r at itg.hitachi.co.jp
Fri May 7 09:39:10 GMT 2004
Some potentially problematic code was found in the winbind daemon by applying
a tool. These problems are relatively minor, but we added some
initializations for safety.
Index: source/nsswitch/winbindd_group.c
===================================================================
RCS file: /cvs/samba-302/source/nsswitch/winbindd_group.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- samba-302/source/nsswitch/winbindd_group.c 15 Mar 2004 01:29:46 -0000 1.3
+++ samba-302/source/nsswitch/winbindd_group.c 17 Mar 2004 06:15:54 -0000 1.4
@@ -614,6 +614,9 @@
malloc(num_groups * sizeof(struct winbindd_gr))) == NULL)
return WINBINDD_ERROR;
+ memset(state->response.extra_data, 0,
+ num_groups * sizeof(struct winbindd_gr) );
+
state->response.data.num_entries = 0;
group_list = (struct winbindd_gr *)state->response.extra_data;
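Review bot: The size `num_groups * sizeof(struct winbindd_gr)` is now written out twice, once in the malloc() context line and again in the added memset(), and the multiplication is not checked for overflow in either place. Allocating with `calloc(num_groups, sizeof(struct winbindd_gr))` would zero the buffer and reject an overflowing count in a single call, which makes the separate memset() unnecessary. The zeroing is worth a short comment, for example `/* extra_data is returned to the client; never hand back uninitialised heap */`, although it is only presumed from the field name that the buffer leaves the process. The enclosing function starts and ends outside the hunk, so how num_groups is bounded cannot be seen here.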
Index: source/nsswitch/winbindd_pam.c
===================================================================
RCS file: /cvs/samba-302/source/nsswitch/winbindd_pam.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- samba-302/source/nsswitch/winbindd_pam.c 16 Feb 2004 01:13:36 -0000 1.1
+++ samba-302/source/nsswitch/winbindd_pam.c 17 Mar 2004 06:16:31 -0000 1.2
@@ -48,6 +48,7 @@
prs_mem_free(&ps);
return NT_STATUS_NO_MEMORY;
}
+ memset( state->response.extra_data, 0, size );
prs_copy_all_data_out(state->response.extra_data, &ps);
state->response.length += size;
prs_mem_free(&ps);
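Review bot: The added memset() is followed directly by prs_copy_all_data_out() into the same buffer, so whether it has any effect depends on how `size` relates to the amount of data held in `ps`, and the hunk does not show that. If the copy always fills exactly `size` bytes, the memset() is a dead store. If it can fill fewer, the zeroing is what keeps stale heap bytes out of the response, because `state->response.length` grows by the full `size`. A comment on the new line would record which case is intended, for example `/* response.length grows by size; zero any bytes the copy below may not fill */`. The allocation of extra_data and the computation of `size` lie outside the hunk.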
Index: source/nsswitch/wb_client.c
===================================================================
RCS file: /cvs/samba-302/source/nsswitch/wb_client.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- samba-302/source/nsswitch/wb_client.c 16 Feb 2004 01:13:36 -0000 1.1
+++ samba-302/source/nsswitch/wb_client.c 17 Mar 2004 06:17:10 -0000 1.2
@@ -245,7 +245,7 @@
int result;
/* Call winbindd */
-
+ ZERO_STRUCT(request);
fstrcpy(request.data.username, user);
ZERO_STRUCT(response);
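Review bot: The new `ZERO_STRUCT(request);` takes the place of the blank line under `/* Call winbindd */`, so that comment now labels the initialisation rather than the call, and the two ZERO_STRUCT calls are split by the fstrcpy(). Grouping them as `ZERO_STRUCT(request);` and `ZERO_STRUCT(response);` ahead of the fstrcpy() would read more clearly. A comment such as `/* clear both structs: request is sent to winbindd as a whole, so unset fields must not carry stack contents */` would record why; that the whole struct is transmitted is inferred, not visible in the hunk. The function's signature and the winbindd call itself are outside the hunk.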