svn commit: samba r25222 - in branches: SAMBA_3_2/source/lib
SAMBA_3_2/source/modules SAMBA_3_2_0/source/lib
SAMBA_3_2_0/source/modules
Michael Adam
ma at sernet.de
Fri Sep 21 09:02:02 GMT 2007
Hi Jeremy,
there are still a couple of callers of pull_ucs2 that explicitly
pass "-1" for dest_len. For example, I came across
winbindd_pam.c:append_info3_as_txt()
which calls unistr2_to_ascii() a couple of times like that
leading to a panic in pull_ucs2.
There might be more. I start looking into that now.
Cheers, Michael
On Mi, Sep 19, 2007 at 09:40:41 +0000, jra at samba.org wrote:
> Author: jra
> Date: 2007-09-19 09:40:40 +0000 (Wed, 19 Sep 2007)
> New Revision: 25222
>
> WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=25222
>
> Log:
> Fix last assumptions that (size_t)-1 can be used
> as a special dest_len of sizeof(pstring).
> Jeremy.
>
> Modified:
> branches/SAMBA_3_2/source/lib/charcnv.c
> branches/SAMBA_3_2/source/modules/vfs_catia.c
> branches/SAMBA_3_2_0/source/lib/charcnv.c
> branches/SAMBA_3_2_0/source/modules/vfs_catia.c
>
>
> Changeset:
> Modified: branches/SAMBA_3_2/source/lib/charcnv.c
> ===================================================================
> --- branches/SAMBA_3_2/source/lib/charcnv.c 2007-09-19 01:59:06 UTC (rev 25221)
> +++ branches/SAMBA_3_2/source/lib/charcnv.c 2007-09-19 09:40:40 UTC (rev 25222)
> @@ -745,7 +745,7 @@
>
> size = push_ucs2_allocate(&buffer, src);
> if (size == (size_t)-1) {
> - smb_panic("failed to create UCS2 buffer");
> + return 0;
> }
> if (!strupper_w(buffer) && (dest == src)) {
> free(buffer);
> @@ -1068,8 +1068,11 @@
> {
> size_t ret;
>
> - if (dest_len == (size_t)-1)
> - dest_len = sizeof(pstring);
> + if (dest_len == (size_t)-1) {
> + /* No longer allow dest_len of -1. */
> + smb_panic("pull_ascii - invalid dest_len of -1");
> + return 0;
> + }
>
> if (flags & STR_TERMINATE) {
> if (src_len == (size_t)-1) {
> @@ -1213,7 +1216,7 @@
> * </dl>
> *
> * @param dest_len is the maximum length allowed in the
> - * destination. If dest_len is -1 then no maxiumum is used.
> + * destination.
> **/
>
> size_t push_ucs2(const void *base_ptr, void *dest, const char *src, size_t dest_len, int flags)
> @@ -1222,9 +1225,11 @@
> size_t src_len;
> size_t ret;
>
> - /* treat a pstring as "unlimited" length */
> - if (dest_len == (size_t)-1)
> - dest_len = sizeof(pstring);
> + if (dest_len == (size_t)-1) {
> + /* No longer allow dest_len of -1. */
> + smb_panic("push_ucs2 - invalid dest_len of -1");
> + return 0;
> + }
>
> if (flags & STR_TERMINATE)
> src_len = (size_t)-1;
> @@ -1315,23 +1320,33 @@
>
> static size_t push_utf8(void *dest, const char *src, size_t dest_len, int flags)
> {
> - size_t src_len = strlen(src);
> - pstring tmpbuf;
> + size_t src_len = 0;
> + size_t ret;
> + char *tmpbuf = NULL;
>
> - /* treat a pstring as "unlimited" length */
> - if (dest_len == (size_t)-1)
> - dest_len = sizeof(pstring);
> + if (dest_len == (size_t)-1) {
> + /* No longer allow dest_len of -1. */
> + smb_panic("push_utf8 - invalid dest_len of -1");
> + return 0;
> + }
>
> if (flags & STR_UPPER) {
> - pstrcpy(tmpbuf, src);
> - strupper_m(tmpbuf);
> + tmpbuf = strdup_upper(src);
> + if (!tmpbuf) {
> + return 0;
> + }
> src = tmpbuf;
> + src_len = strlen(src);
> }
>
> - if (flags & STR_TERMINATE)
> + src_len = strlen(src);
> + if (flags & STR_TERMINATE) {
> src_len++;
> + }
>
> - return convert_string(CH_UNIX, CH_UTF8, src, src_len, dest, dest_len, True);
> + ret = convert_string(CH_UNIX, CH_UTF8, src, src_len, dest, dest_len, True);
> + SAFE_FREE(tmpbuf);
> + return ret;
> }
>
> size_t push_utf8_fstring(void *dest, const char *src)
> @@ -1390,8 +1405,11 @@
> return 0;
> }
>
> - if (dest_len == (size_t)-1)
> - dest_len = sizeof(pstring);
> + if (dest_len == (size_t)-1) {
> + /* No longer allow dest_len of -1. */
> + smb_panic("push_utf8 - invalid dest_len of -1");
> + return 0;
> + }
>
> if (ucs2_align(base_ptr, src, flags)) {
> src = (const void *)((const char *)src + 1);
>
> Modified: branches/SAMBA_3_2/source/modules/vfs_catia.c
> ===================================================================
> --- branches/SAMBA_3_2/source/modules/vfs_catia.c 2007-09-19 01:59:06 UTC (rev 25221)
> +++ branches/SAMBA_3_2/source/modules/vfs_catia.c 2007-09-19 09:40:40 UTC (rev 25222)
> @@ -39,7 +39,7 @@
> for (;*ptr;ptr++)
> if (*ptr==old) *ptr=newc;
>
> - pull_ucs2(NULL, s, tmpbuf, -1, sizeof(tmpbuf), STR_TERMINATE);
> + pull_ucs2(NULL, s, tmpbuf, sizeof(pstring), sizeof(tmpbuf), STR_TERMINATE);
> }
>
> static void from_unix(char *s)
>
> Modified: branches/SAMBA_3_2_0/source/lib/charcnv.c
> ===================================================================
> --- branches/SAMBA_3_2_0/source/lib/charcnv.c 2007-09-19 01:59:06 UTC (rev 25221)
> +++ branches/SAMBA_3_2_0/source/lib/charcnv.c 2007-09-19 09:40:40 UTC (rev 25222)
> @@ -745,7 +745,7 @@
>
> size = push_ucs2_allocate(&buffer, src);
> if (size == (size_t)-1) {
> - smb_panic("failed to create UCS2 buffer");
> + return 0;
> }
> if (!strupper_w(buffer) && (dest == src)) {
> free(buffer);
> @@ -1068,8 +1068,11 @@
> {
> size_t ret;
>
> - if (dest_len == (size_t)-1)
> - dest_len = sizeof(pstring);
> + if (dest_len == (size_t)-1) {
> + /* No longer allow dest_len of -1. */
> + smb_panic("pull_ascii - invalid dest_len of -1");
> + return 0;
> + }
>
> if (flags & STR_TERMINATE) {
> if (src_len == (size_t)-1) {
> @@ -1213,7 +1216,7 @@
> * </dl>
> *
> * @param dest_len is the maximum length allowed in the
> - * destination. If dest_len is -1 then no maxiumum is used.
> + * destination.
> **/
>
> size_t push_ucs2(const void *base_ptr, void *dest, const char *src, size_t dest_len, int flags)
> @@ -1222,9 +1225,11 @@
> size_t src_len;
> size_t ret;
>
> - /* treat a pstring as "unlimited" length */
> - if (dest_len == (size_t)-1)
> - dest_len = sizeof(pstring);
> + if (dest_len == (size_t)-1) {
> + /* No longer allow dest_len of -1. */
> + smb_panic("push_ucs2 - invalid dest_len of -1");
> + return 0;
> + }
>
> if (flags & STR_TERMINATE)
> src_len = (size_t)-1;
> @@ -1315,23 +1320,33 @@
>
> static size_t push_utf8(void *dest, const char *src, size_t dest_len, int flags)
> {
> - size_t src_len = strlen(src);
> - pstring tmpbuf;
> + size_t src_len = 0;
> + size_t ret;
> + char *tmpbuf = NULL;
>
> - /* treat a pstring as "unlimited" length */
> - if (dest_len == (size_t)-1)
> - dest_len = sizeof(pstring);
> + if (dest_len == (size_t)-1) {
> + /* No longer allow dest_len of -1. */
> + smb_panic("push_utf8 - invalid dest_len of -1");
> + return 0;
> + }
>
> if (flags & STR_UPPER) {
> - pstrcpy(tmpbuf, src);
> - strupper_m(tmpbuf);
> + tmpbuf = strdup_upper(src);
> + if (!tmpbuf) {
> + return 0;
> + }
> src = tmpbuf;
> + src_len = strlen(src);
> }
>
> - if (flags & STR_TERMINATE)
> + src_len = strlen(src);
> + if (flags & STR_TERMINATE) {
> src_len++;
> + }
>
> - return convert_string(CH_UNIX, CH_UTF8, src, src_len, dest, dest_len, True);
> + ret = convert_string(CH_UNIX, CH_UTF8, src, src_len, dest, dest_len, True);
> + SAFE_FREE(tmpbuf);
> + return ret;
> }
>
> size_t push_utf8_fstring(void *dest, const char *src)
> @@ -1390,8 +1405,11 @@
> return 0;
> }
>
> - if (dest_len == (size_t)-1)
> - dest_len = sizeof(pstring);
> + if (dest_len == (size_t)-1) {
> + /* No longer allow dest_len of -1. */
> + smb_panic("push_utf8 - invalid dest_len of -1");
> + return 0;
> + }
>
> if (ucs2_align(base_ptr, src, flags)) {
> src = (const void *)((const char *)src + 1);
>
> Modified: branches/SAMBA_3_2_0/source/modules/vfs_catia.c
> ===================================================================
> --- branches/SAMBA_3_2_0/source/modules/vfs_catia.c 2007-09-19 01:59:06 UTC (rev 25221)
> +++ branches/SAMBA_3_2_0/source/modules/vfs_catia.c 2007-09-19 09:40:40 UTC (rev 25222)
> @@ -39,7 +39,7 @@
> for (;*ptr;ptr++)
> if (*ptr==old) *ptr=newc;
>
> - pull_ucs2(NULL, s, tmpbuf, -1, sizeof(tmpbuf), STR_TERMINATE);
> + pull_ucs2(NULL, s, tmpbuf, sizeof(pstring), sizeof(tmpbuf), STR_TERMINATE);
> }
>
> static void from_unix(char *s)
>
--
i.A. Michael Adam
--
Michael Adam <ma at sernet.de>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE
More information about the samba-technical
mailing list