[PATCH] More coverity fixes
Volker Lendecke
Volker.Lendecke at SerNet.DE
Wed Mar 4 04:20:24 MST 2015
On Wed, Mar 04, 2015 at 12:05:38PM +0100, David Disseldorp wrote:
> On Wed, 4 Mar 2015 10:57:24 +0100, Volker Lendecke wrote:
>
>
> > + len = strlcpy(state->addr.sun_path, sock,
> > + sizeof(state->addr.sun_path));
> > + if (len >= sizeof(state->addr.sun_path)) {
> > + tevent_req_error(req, ENAMETOOLONG);
> > + return tevent_req_post(req, ev);
> > + }
>
> This looks like a false positive from Coverity - a check is already
> done higher up:
> 73 if (strlen(sock) >= sizeof(state->addr.sun_path)) {
> 74 tevent_req_error(req, ENAMETOOLONG);
True, I did not see that. I've attached a new version that
removes the check further up, to me the strlcpy version is
cleaner.
> > - TDB_DATA data;
> > + TDB_DATA data, rdata;
> > int32_t cstatus = 0;
> >
> > data.dptr = (uint8_t*)&db_id;
> > @@ -1311,7 +1311,7 @@ char *ctdbd_dbpath(struct ctdbd_connection *conn,
> >
> > status = ctdbd_control(conn, CTDB_CURRENT_NODE,
> > CTDB_CONTROL_GETDBPATH, 0, 0, data,
> > - mem_ctx, &data, &cstatus);
> > + mem_ctx, &rdata, &cstatus);
>
> IIUC, this breaks the return value...
> 1320 return (char *)data.dptr;
Thanks! New version attached.
Volker
>
> Cheers, David
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
From 1ab8f9222afb2f5e15f47334aa005335e75dc8c1 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 4 Mar 2015 09:38:52 +0100
Subject: [PATCH 01/17] lib: Fix CID 1128552 Buffer not null terminated
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/lib/ctdb_conn.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/source3/lib/ctdb_conn.c b/source3/lib/ctdb_conn.c
index a54e83d..4e1b3e5 100644
--- a/source3/lib/ctdb_conn.c
+++ b/source3/lib/ctdb_conn.c
@@ -58,6 +58,7 @@ struct tevent_req *ctdb_conn_init_send(TALLOC_CTX *mem_ctx,
{
struct tevent_req *req, *subreq;
struct ctdb_conn_init_state *state;
+ size_t len;
req = tevent_req_create(mem_ctx, &state, struct ctdb_conn_init_state);
if (req == NULL) {
@@ -69,11 +70,6 @@ struct tevent_req *ctdb_conn_init_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
- if (strlen(sock) >= sizeof(state->addr.sun_path)) {
- tevent_req_error(req, ENAMETOOLONG);
- return tevent_req_post(req, ev);
- }
-
state->conn = talloc(state, struct ctdb_conn);
if (tevent_req_nomem(state->conn, req)) {
return tevent_req_post(req, ev);
@@ -93,7 +89,13 @@ struct tevent_req *ctdb_conn_init_send(TALLOC_CTX *mem_ctx,
talloc_set_destructor(state->conn, ctdb_conn_destructor);
state->addr.sun_family = AF_UNIX;
- strncpy(state->addr.sun_path, sock, sizeof(state->addr.sun_path));
+
+ len = strlcpy(state->addr.sun_path, sock,
+ sizeof(state->addr.sun_path));
+ if (len >= sizeof(state->addr.sun_path)) {
+ tevent_req_error(req, ENAMETOOLONG);
+ return tevent_req_post(req, ev);
+ }
subreq = async_connect_send(state, ev, state->conn->fd,
(struct sockaddr *)&state->addr,
--
1.9.1
From 29408b087dad2b91921458739b9bef866487b2a8 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 4 Mar 2015 09:43:09 +0100
Subject: [PATCH 02/17] Fix whitespace
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/lib/ctdbd_conn.c | 8 +-
source4/rpc_server/backupkey/dcesrv_backupkey.c | 98 ++++++++++++-------------
2 files changed, 52 insertions(+), 54 deletions(-)
diff --git a/source3/lib/ctdbd_conn.c b/source3/lib/ctdbd_conn.c
index 6e25769..3cedf7e 100644
--- a/source3/lib/ctdbd_conn.c
+++ b/source3/lib/ctdbd_conn.c
@@ -697,7 +697,7 @@ static NTSTATUS ctdb_handle_message(struct messaging_context *msg_ctx,
}
if (!ctdb_is_our_srvid(conn, msg->srvid)) {
- DEBUG(0,("Got unexpected message with srvid=%llu\n",
+ DEBUG(0,("Got unexpected message with srvid=%llu\n",
(unsigned long long)msg->srvid));
return NT_STATUS_OK;
}
@@ -1310,7 +1310,7 @@ char *ctdbd_dbpath(struct ctdbd_connection *conn,
data.dsize = sizeof(db_id);
status = ctdbd_control(conn, CTDB_CURRENT_NODE,
- CTDB_CONTROL_GETDBPATH, 0, 0, data,
+ CTDB_CONTROL_GETDBPATH, 0, 0, data,
mem_ctx, &data, &cstatus);
if (!NT_STATUS_IS_OK(status) || cstatus != 0) {
DEBUG(0,(__location__ " ctdb_control for getdbpath failed\n"));
@@ -1360,7 +1360,7 @@ NTSTATUS ctdbd_db_attach(struct ctdbd_connection *conn,
data.dsize = sizeof(*db_id);
status = ctdbd_control(conn, CTDB_CURRENT_NODE,
- CTDB_CONTROL_ENABLE_SEQNUM, 0, 0, data,
+ CTDB_CONTROL_ENABLE_SEQNUM, 0, 0, data,
NULL, NULL, &cstatus);
if (!NT_STATUS_IS_OK(status) || cstatus != 0) {
DEBUG(0,(__location__ " ctdb_control for enable seqnum "
@@ -1703,7 +1703,7 @@ NTSTATUS ctdbd_register_ips(struct ctdbd_connection *conn,
* can send an extra ack to trigger a reset for our client, so it
* immediately reconnects
*/
- return ctdbd_control(conn, CTDB_CURRENT_NODE,
+ return ctdbd_control(conn, CTDB_CURRENT_NODE,
CTDB_CONTROL_TCP_CLIENT, 0,
CTDB_CTRL_FLAG_NOREPLY, data, NULL, NULL, NULL);
}
diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index 9dfd7a9..3cda93dd 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -397,7 +397,7 @@ static WERROR get_and_verify_access_check(TALLOC_CTX *sub_ctx,
struct dom_sid *access_sid = NULL;
struct dom_sid *caller_sid = NULL;
-
+
/* This one should not be freed */
const AlgorithmIdentifier *alg;
@@ -532,16 +532,16 @@ static WERROR get_and_verify_access_check(TALLOC_CTX *sub_ctx,
/* Never reached normally as we filtered at the switch / case level */
return WERR_INVALID_DATA;
}
-
+
caller_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
-
+
if (!dom_sid_equal(caller_sid, access_sid)) {
return WERR_INVALID_ACCESS;
}
return WERR_OK;
}
-/*
+/*
* We have some data, such as saved website or IMAP passwords that the
* client has in profile on-disk. This needs to be decrypted. This
* version gives the server the data over the network (protected by
@@ -572,7 +572,7 @@ static WERROR bkrp_client_wrap_decrypt_data(struct dcesrv_call_state *dce_call,
DATA_BLOB *uncrypted_data = NULL;
NTSTATUS status;
uint32_t requested_version;
-
+
blob.data = r->in.data_in;
blob.length = r->in.data_in_len;
@@ -580,7 +580,7 @@ static WERROR bkrp_client_wrap_decrypt_data(struct dcesrv_call_state *dce_call,
return WERR_INVALID_PARAM;
}
- /*
+ /*
* We check for the version here, so we can actually print the
* message as we are unlikely to parse it with NDR.
*/
@@ -590,7 +590,7 @@ static WERROR bkrp_client_wrap_decrypt_data(struct dcesrv_call_state *dce_call,
DEBUG(1, ("Request for unknown BackupKey sub-protocol %d\n", requested_version));
return WERR_INVALID_PARAMETER;
}
-
+
ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, &uncrypt_request,
(ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_wrapped);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
@@ -729,7 +729,7 @@ static WERROR bkrp_client_wrap_decrypt_data(struct dcesrv_call_state *dce_call,
return WERR_INVALID_DATA;
}
- /*
+ /*
* Confirm that the caller is permitted to
* read this particular data. Because one key
* pair is used per domain, the caller could
@@ -737,7 +737,7 @@ static WERROR bkrp_client_wrap_decrypt_data(struct dcesrv_call_state *dce_call,
* would otherwise be able to read the
* passwords.
*/
-
+
werr = get_and_verify_access_check(mem_ctx, 3,
uncrypted_secretv3.payload_key,
uncrypt_request.access_check,
@@ -816,13 +816,13 @@ static WERROR create_heimdal_rsa_key(TALLOC_CTX *ctx, hx509_context *hctx,
return WERR_INTERNAL_ERROR;
}
- /*
+ /*
* Unlike Heimdal's RSA_generate_key_ex(), this generates a
* 2048 bit key 100% of the time. The heimdal code had a ~1/8
* chance of doing so, chewing vast quantities of computation
* and entropy in the process.
*/
-
+
ret = gnutls_x509_privkey_generate(gtls_key, GNUTLS_PK_RSA, bits, 0);
if (ret != 0) {
werr = WERR_INTERNAL_ERROR;
@@ -844,7 +844,7 @@ static WERROR create_heimdal_rsa_key(TALLOC_CTX *ctx, hx509_context *hctx,
}
p = p0;
- /*
+ /*
* Only this GnuTLS export function correctly exports the key,
* we can't use gnutls_rsa_params_export_raw() because while
* it appears to be fixed in more recent versions, in the
@@ -852,7 +852,7 @@ static WERROR create_heimdal_rsa_key(TALLOC_CTX *ctx, hx509_context *hctx,
* exports one of the key parameters (qInv). Additionally, we
* would have to work around subtle differences in big number
* representations.
- *
+ *
* We need access to the RSA parameters directly (in the
* parameter RSA **rsa) as the caller has to manually encode
* them in a non-standard data structure.
@@ -1267,7 +1267,7 @@ static WERROR bkrp_retrieve_client_wrap_key(struct dcesrv_call_state *dce_call,
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
char *dn = talloc_asprintf(mem_ctx, "CN=%s",
lpcfg_realm(lp_ctx));
-
+
WERROR werr = generate_bkrp_cert(mem_ctx, dce_call, ldb_ctx, dn);
if (!W_ERROR_IS_OK(werr)) {
return WERR_INVALID_PARAMETER;
@@ -1276,7 +1276,7 @@ static WERROR bkrp_retrieve_client_wrap_key(struct dcesrv_call_state *dce_call,
ldb_ctx,
"BCKUPKEY_PREFERRED",
&lsa_secret);
-
+
if (!NT_STATUS_IS_OK(status)) {
/* Ok we really don't manage to get this certs ...*/
DEBUG(2, ("Unable to locate BCKUPKEY_PREFERRED after cert generation\n"));
@@ -1345,7 +1345,7 @@ static WERROR generate_bkrp_server_wrap_key(TALLOC_CTX *ctx, struct ldb_context
NTSTATUS status;
char *secret_name;
TALLOC_CTX *frame = talloc_stackframe();
-
+
generate_random_buffer(wrap_key.key, sizeof(wrap_key.key));
ndr_err = ndr_push_struct_blob(&blob_wrap_key, ctx, &wrap_key, (ndr_push_flags_fn_t)ndr_push_bkrp_dc_serverwrap_key);
@@ -1366,20 +1366,20 @@ static WERROR generate_bkrp_server_wrap_key(TALLOC_CTX *ctx, struct ldb_context
TALLOC_FREE(frame);
return WERR_INTERNAL_ERROR;
}
-
+
status = GUID_to_ndr_blob(&guid, frame, &guid_blob);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(2, ("Failed to save the secret %s\n", secret_name));
TALLOC_FREE(frame);
}
-
+
status = set_lsa_secret(frame, ldb_ctx, "BCKUPKEY_P", &guid_blob);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(2, ("Failed to save the secret %s\n", secret_name));
TALLOC_FREE(frame);
return WERR_INTERNAL_ERROR;
}
-
+
TALLOC_FREE(frame);
return WERR_OK;
@@ -1412,7 +1412,7 @@ static WERROR bkrp_do_retrieve_server_wrap_key(TALLOC_CTX *mem_ctx, struct ldb_c
if (secret_name == NULL) {
return WERR_NOMEM;
}
-
+
status = get_lsa_secret(mem_ctx, ldb_ctx, secret_name, &lsa_secret);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("Error while fetching secret %s\n", secret_name));
@@ -1501,7 +1501,7 @@ static WERROR bkrp_server_wrap_decrypt_data(struct dcesrv_call_state *dce_call,
if (decrypt_request.magic != BACKUPKEY_SERVER_WRAP_VERSION) {
return WERR_INVALID_PARAM;
}
-
+
werr = bkrp_do_retrieve_server_wrap_key(mem_ctx, ldb_ctx, &server_key,
&decrypt_request.guid);
if (!W_ERROR_IS_OK(werr)) {
@@ -1509,12 +1509,12 @@ static WERROR bkrp_server_wrap_decrypt_data(struct dcesrv_call_state *dce_call,
}
dump_data_pw("server_key: \n", server_key.key, sizeof(server_key.key));
-
+
dump_data_pw("r2: \n", decrypt_request.r2, sizeof(decrypt_request.r2));
-
+
/*
* This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1
- * BACKUPKEY_BACKUP_GUID, it really is the whole key
+ * BACKUPKEY_BACKUP_GUID, it really is the whole key
*/
HMAC(EVP_sha1(), server_key.key, sizeof(server_key.key),
decrypt_request.r2, sizeof(decrypt_request.r2),
@@ -1524,10 +1524,10 @@ static WERROR bkrp_server_wrap_decrypt_data(struct dcesrv_call_state *dce_call,
/* rc4 decrypt sid and secret using sym key */
symkey_blob = data_blob_const(symkey, sizeof(symkey));
-
+
encrypted_blob = data_blob_const(decrypt_request.rc4encryptedpayload,
decrypt_request.ciphertext_length);
-
+
arcfour_crypt_blob(encrypted_blob.data, encrypted_blob.length, &symkey_blob);
ndr_err = ndr_pull_struct_blob(&encrypted_blob, mem_ctx, &rc4payload,
@@ -1539,12 +1539,12 @@ static WERROR bkrp_server_wrap_decrypt_data(struct dcesrv_call_state *dce_call,
if (decrypt_request.payload_length != rc4payload.secret_data.length) {
return WERR_INVALID_PARAM;
}
-
+
dump_data_pw("r3: \n", rc4payload.r3, sizeof(rc4payload.r3));
/*
* This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1
- * BACKUPKEY_BACKUP_GUID, it really is the whole key
+ * BACKUPKEY_BACKUP_GUID, it really is the whole key
*/
HMAC(EVP_sha1(), server_key.key, sizeof(server_key.key),
rc4payload.r3, sizeof(rc4payload.r3),
@@ -1569,7 +1569,7 @@ static WERROR bkrp_server_wrap_decrypt_data(struct dcesrv_call_state *dce_call,
dump_data_pw("mac: \n", mac, sizeof(mac));
dump_data_pw("rc4payload.mac: \n", rc4payload.mac, sizeof(rc4payload.mac));
-
+
if (memcmp(mac, rc4payload.mac, sizeof(mac)) != 0) {
return WERR_INVALID_ACCESS;
}
@@ -1582,14 +1582,14 @@ static WERROR bkrp_server_wrap_decrypt_data(struct dcesrv_call_state *dce_call,
*(r->out.data_out) = rc4payload.secret_data.data;
*(r->out.data_out_len) = rc4payload.secret_data.length;
-
+
return WERR_OK;
}
-/*
+/*
* For BACKUPKEY_RESTORE_GUID we need to check the first 4 bytes to
* determine what type of restore is wanted.
- *
+ *
* See MS-BKRP 3.1.4.1.4 BACKUPKEY_RESTORE_GUID point 1.
*/
@@ -1603,11 +1603,11 @@ static WERROR bkrp_generic_decrypt_data(struct dcesrv_call_state *dce_call, TALL
if (IVAL(r->in.data_in, 0) == BACKUPKEY_SERVER_WRAP_VERSION) {
return bkrp_server_wrap_decrypt_data(dce_call, mem_ctx, r, ldb_ctx);
}
-
+
return bkrp_client_wrap_decrypt_data(dce_call, mem_ctx, r, ldb_ctx);
}
-
-/*
+
+/*
* We have some data, such as saved website or IMAP passwords that the
* client would like to put into the profile on-disk. This needs to
* be encrypted. This version gives the server the data over the
@@ -1616,7 +1616,7 @@ static WERROR bkrp_generic_decrypt_data(struct dcesrv_call_state *dce_call, TALL
*
* The data is NOT stored in the LSA, but a key to encrypt the data
* will be stored. There is only one active encryption key per domain,
- * it is pointed at with G$BCKUPKEY_P in the LSA secrets store.
+ * it is pointed at with G$BCKUPKEY_P in the LSA secrets store.
*
* The potentially multiple valid decryptiong keys (and the encryption
* key) are in turn stored in the LSA secrets store as
@@ -1639,7 +1639,7 @@ static WERROR bkrp_server_wrap_encrypt_data(struct dcesrv_call_state *dce_call,
enum ndr_err_code ndr_err;
struct bkrp_server_side_wrapped server_side_wrapped;
struct GUID guid;
-
+
if (r->in.data_in_len == 0 || r->in.data_in == NULL) {
return WERR_INVALID_PARAM;
}
@@ -1647,11 +1647,11 @@ static WERROR bkrp_server_wrap_encrypt_data(struct dcesrv_call_state *dce_call,
werr = bkrp_do_retrieve_default_server_wrap_key(mem_ctx,
ldb_ctx, &server_key,
&guid);
-
+
if (!W_ERROR_IS_OK(werr)) {
if (W_ERROR_EQUAL(werr, WERR_FILE_NOT_FOUND)) {
/* Generate the server wrap key since one wasn't found */
- werr = generate_bkrp_server_wrap_key(mem_ctx,
+ werr = generate_bkrp_server_wrap_key(mem_ctx,
ldb_ctx);
if (!W_ERROR_IS_OK(werr)) {
return WERR_INVALID_PARAMETER;
@@ -1660,7 +1660,7 @@ static WERROR bkrp_server_wrap_encrypt_data(struct dcesrv_call_state *dce_call,
ldb_ctx,
&server_key,
&guid);
-
+
if (W_ERROR_EQUAL(werr, WERR_FILE_NOT_FOUND)) {
/* Ok we really don't manage to get this secret ...*/
return WERR_FILE_NOT_FOUND;
@@ -1676,15 +1676,15 @@ static WERROR bkrp_server_wrap_encrypt_data(struct dcesrv_call_state *dce_call,
caller_sid = &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
dump_data_pw("server_key: \n", server_key.key, sizeof(server_key.key));
-
- /*
+
+ /*
* This is the key derivation step, so that the HMAC and RC4
* operations over the user-supplied data are not able to
* disclose the master key. By using random data, the symkey
* and mackey values are unique for this operation, and
* discovering these (by reversing the RC4 over the
* attacker-controlled data) does not return something able to
- * be used to decyrpt the encrypted data of other users
+ * be used to decyrpt the encrypted data of other users
*/
generate_random_buffer(server_side_wrapped.r2, sizeof(server_side_wrapped.r2));
@@ -1697,7 +1697,7 @@ static WERROR bkrp_server_wrap_encrypt_data(struct dcesrv_call_state *dce_call,
/*
* This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1
- * BACKUPKEY_BACKUP_GUID, it really is the whole key
+ * BACKUPKEY_BACKUP_GUID, it really is the whole key
*/
HMAC(EVP_sha1(), server_key.key, sizeof(server_key.key),
server_side_wrapped.r2, sizeof(server_side_wrapped.r2),
@@ -1707,7 +1707,7 @@ static WERROR bkrp_server_wrap_encrypt_data(struct dcesrv_call_state *dce_call,
/*
* This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1
- * BACKUPKEY_BACKUP_GUID, it really is the whole key
+ * BACKUPKEY_BACKUP_GUID, it really is the whole key
*/
HMAC(EVP_sha1(), server_key.key, sizeof(server_key.key),
rc4payload.r3, sizeof(rc4payload.r3),
@@ -1723,7 +1723,6 @@ static WERROR bkrp_server_wrap_encrypt_data(struct dcesrv_call_state *dce_call,
rc4payload.secret_data.data = r->in.data_in;
rc4payload.secret_data.length = r->in.data_in_len;
-
HMAC_CTX_init(&ctx);
HMAC_Init_ex(&ctx, mackey, 20, EVP_sha1(), NULL);
@@ -1735,7 +1734,7 @@ static WERROR bkrp_server_wrap_encrypt_data(struct dcesrv_call_state *dce_call,
HMAC_CTX_cleanup(&ctx);
dump_data_pw("rc4payload.mac: \n", rc4payload.mac, sizeof(rc4payload.mac));
-
+
rc4payload.sid = *caller_sid;
ndr_err = ndr_push_struct_blob(&encrypted_blob, mem_ctx, &rc4payload,
@@ -1754,17 +1753,16 @@ static WERROR bkrp_server_wrap_encrypt_data(struct dcesrv_call_state *dce_call,
server_side_wrapped.ciphertext_length = encrypted_blob.length;
server_side_wrapped.guid = guid;
server_side_wrapped.rc4encryptedpayload = encrypted_blob.data;
-
+
ndr_err = ndr_push_struct_blob(&server_wrapped_blob, mem_ctx, &server_side_wrapped,
(ndr_push_flags_fn_t)ndr_push_bkrp_server_side_wrapped);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
return WERR_INTERNAL_ERROR;
}
-
*(r->out.data_out) = server_wrapped_blob.data;
*(r->out.data_out_len) = server_wrapped_blob.length;
-
+
return WERR_OK;
}
--
1.9.1
From 7edb8f9b628f332261ec00f6da6188b749b2eb7b Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 4 Mar 2015 09:43:19 +0100
Subject: [PATCH 03/17] lib: Fix CID 1128561 Pointer to local outside scope
This is not strictly a bug, but it is confusing enough to justify a small patch
I guess.
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/lib/ctdbd_conn.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/source3/lib/ctdbd_conn.c b/source3/lib/ctdbd_conn.c
index 3cedf7e..204aba5 100644
--- a/source3/lib/ctdbd_conn.c
+++ b/source3/lib/ctdbd_conn.c
@@ -1304,6 +1304,7 @@ char *ctdbd_dbpath(struct ctdbd_connection *conn,
{
NTSTATUS status;
TDB_DATA data;
+ TDB_DATA rdata = {0};
int32_t cstatus = 0;
data.dptr = (uint8_t*)&db_id;
@@ -1311,13 +1312,13 @@ char *ctdbd_dbpath(struct ctdbd_connection *conn,
status = ctdbd_control(conn, CTDB_CURRENT_NODE,
CTDB_CONTROL_GETDBPATH, 0, 0, data,
- mem_ctx, &data, &cstatus);
+ mem_ctx, &rdata, &cstatus);
if (!NT_STATUS_IS_OK(status) || cstatus != 0) {
DEBUG(0,(__location__ " ctdb_control for getdbpath failed\n"));
return NULL;
}
- return (char *)data.dptr;
+ return (char *)rdata.dptr;
}
/*
--
1.9.1
From d88ad575060d90e89fe4395f907c2570a16e48b6 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 4 Mar 2015 09:49:18 +0100
Subject: [PATCH 04/17] lib: Fix CID 1273056 Negative array index read
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/lib/msghdr.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/source3/lib/msghdr.c b/source3/lib/msghdr.c
index 5d771e8..de0eed4 100644
--- a/source3/lib/msghdr.c
+++ b/source3/lib/msghdr.c
@@ -70,13 +70,18 @@ ssize_t msghdr_copy(struct msghdr_buf *msg, size_t msgsize,
const struct iovec *iov, int iovcnt,
const int *fds, size_t num_fds)
{
- size_t fd_len, iov_len, needed, bufsize;
+ ssize_t fd_len;
+ size_t iov_len, needed, bufsize;
bufsize = (msgsize > offsetof(struct msghdr_buf, buf)) ?
msgsize - offsetof(struct msghdr_buf, buf) : 0;
fd_len = msghdr_prep_fds(&msg->msg, msg->buf, bufsize, fds, num_fds);
+ if (fd_len == -1) {
+ return -1;
+ }
+
if (bufsize >= fd_len) {
bufsize -= fd_len;
} else {
--
1.9.1
From 0fd7c7b7f8f6a128099bd53139417e8562ecc27d Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 4 Mar 2015 10:00:29 +0100
Subject: [PATCH 05/17] lib: Fix CID 1273292 Uninitialized pointer read
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/lib/ctdbd_conn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/lib/ctdbd_conn.c b/source3/lib/ctdbd_conn.c
index 204aba5..18b877c 100644
--- a/source3/lib/ctdbd_conn.c
+++ b/source3/lib/ctdbd_conn.c
@@ -1222,7 +1222,7 @@ bool ctdb_serverids_exist(struct ctdbd_connection *conn,
if (hdr->operation != CTDB_REPLY_CONTROL) {
DEBUG(1, ("Received invalid reply %u\n",
- (unsigned)reply->hdr.operation));
+ (unsigned)hdr->operation));
goto fail;
}
reply = (struct ctdb_reply_control *)hdr;
--
1.9.1
From 93289971f0d3ba447008aa16debd67df9abbccb0 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 4 Mar 2015 10:07:01 +0100
Subject: [PATCH 06/17] libads: ZERO_STRUCT->initializer
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/libads/kerberos_keytab.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index ae3d80e39..7c686b0 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -743,16 +743,14 @@ done:
TALLOC_FREE(frame);
{
- krb5_keytab_entry zero_kt_entry;
- ZERO_STRUCT(zero_kt_entry);
+ krb5_keytab_entry zero_kt_entry = {0};
if (memcmp(&zero_kt_entry, &kt_entry,
sizeof(krb5_keytab_entry))) {
smb_krb5_kt_free_entry(context, &kt_entry);
}
}
{
- krb5_kt_cursor zero_csr;
- ZERO_STRUCT(zero_csr);
+ krb5_kt_cursor zero_csr = {0};
if ((memcmp(&cursor, &zero_csr,
sizeof(krb5_kt_cursor)) != 0) && keytab) {
krb5_kt_end_seq_get(context, keytab, &cursor);
--
1.9.1
From a7331a7947e7f1f6fd3e459f68e76fac59342385 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 4 Mar 2015 10:09:18 +0100
Subject: [PATCH 07/17] libads: Fix CID 1273306 Uninitialized scalar variable
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/libads/kerberos_keytab.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 7c686b0..ed5f19a 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -508,7 +508,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
krb5_context context = NULL;
krb5_keytab keytab = NULL;
krb5_kt_cursor cursor;
- krb5_keytab_entry kt_entry;
+ krb5_keytab_entry kt_entry = {0};
krb5_kvno kvno;
size_t found = 0;
char *sam_account_name, *upn;
--
1.9.1
From ea5a5adfadba572a49a4759d774797e023e870fa Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 4 Mar 2015 10:09:51 +0100
Subject: [PATCH 08/17] libads: Fix CID 1273305 Uninitialized scalar variable
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/libads/kerberos_keytab.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index ed5f19a..fe0962e 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -507,7 +507,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
krb5_error_code ret = 0;
krb5_context context = NULL;
krb5_keytab keytab = NULL;
- krb5_kt_cursor cursor;
+ krb5_kt_cursor cursor = {0};
krb5_keytab_entry kt_entry = {0};
krb5_kvno kvno;
size_t found = 0;
--
1.9.1
From 745ada44f60c9de78e1503d3de99bdff5ecdec18 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 4 Mar 2015 10:22:48 +0100
Subject: [PATCH 09/17] winbind: Fix CID 1273295 Uninitialized scalar variable
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/winbindd/idmap.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c
index 841f710..70f4e02 100644
--- a/source3/winbindd/idmap.c
+++ b/source3/winbindd/idmap.c
@@ -172,7 +172,8 @@ static struct idmap_domain *idmap_init_domain(TALLOC_CTX *mem_ctx,
NTSTATUS status;
char *config_option = NULL;
const char *range;
- unsigned low_id, high_id;
+ unsigned low_id = 0;
+ unsigned high_id;
result = talloc_zero(mem_ctx, struct idmap_domain);
if (result == NULL) {
--
1.9.1
From d859105acc105f8bd89e9ed9cb11a5ccf214998d Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 4 Mar 2015 10:28:20 +0100
Subject: [PATCH 10/17] winbind: Fix CID 1273294 Uninitialized scalar variable
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/winbindd/idmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c
index 70f4e02..1e2feb9 100644
--- a/source3/winbindd/idmap.c
+++ b/source3/winbindd/idmap.c
@@ -173,7 +173,7 @@ static struct idmap_domain *idmap_init_domain(TALLOC_CTX *mem_ctx,
char *config_option = NULL;
const char *range;
unsigned low_id = 0;
- unsigned high_id;
+ unsigned high_id = 0;
result = talloc_zero(mem_ctx, struct idmap_domain);
if (result == NULL) {
--
1.9.1
From 2778bbd1f62d863ee79aa8d7beb79d5e8af88ef3 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 4 Mar 2015 10:29:53 +0100
Subject: [PATCH 11/17] backupkey: Slightly simplify
bkrp_do_retrieve_server_wrap_key
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source4/rpc_server/backupkey/dcesrv_backupkey.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index 3cda93dd..0518d2e 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -1417,7 +1417,8 @@ static WERROR bkrp_do_retrieve_server_wrap_key(TALLOC_CTX *mem_ctx, struct ldb_c
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("Error while fetching secret %s\n", secret_name));
return WERR_INVALID_DATA;
- } else if (guid_binary.length == 0) {
+ }
+ if (guid_binary.length == 0) {
/* RODC case, we do not have secrets locally */
DEBUG(1, ("Unable to fetch value for secret %s, are we an undetected RODC?\n",
secret_name));
--
1.9.1
From e3dd9ffa6e1194ef1d5d3a10f4e17370e653bde4 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 4 Mar 2015 10:33:38 +0100
Subject: [PATCH 12/17] backupkey: Simplify get_lsa_secret
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source4/rpc_server/backupkey/dcesrv_backupkey.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index 0518d2e..a001c55 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -219,9 +219,11 @@ static NTSTATUS get_lsa_secret(TALLOC_CTX *mem_ctx,
if (ret != LDB_SUCCESS) {
talloc_free(tmp_mem);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
- } else if (res->count == 0) {
+ }
+ if (res->count == 0) {
return NT_STATUS_RESOURCE_NAME_NOT_FOUND;
- } else if (res->count > 1) {
+ }
+ if (res->count > 1) {
DEBUG(2, ("Secret %s collision\n", name));
talloc_free(tmp_mem);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
--
1.9.1
From f99300c98b16da318ab08b763e40ee4bbacb4788 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 4 Mar 2015 10:33:57 +0100
Subject: [PATCH 13/17] backupkey: Fix a memleak
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source4/rpc_server/backupkey/dcesrv_backupkey.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index a001c55..7757533 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -221,6 +221,7 @@ static NTSTATUS get_lsa_secret(TALLOC_CTX *mem_ctx,
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if (res->count == 0) {
+ talloc_free(tmp_mem);
return NT_STATUS_RESOURCE_NAME_NOT_FOUND;
}
if (res->count > 1) {
--
1.9.1
From 1c9b21140d6fc9080522fc3f0d95d5fdf926924d Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 4 Mar 2015 10:35:47 +0100
Subject: [PATCH 14/17] backupkey: Fix CID 1273293 Uninitialized scalar
variable
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source4/rpc_server/backupkey/dcesrv_backupkey.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index 7757533..52217ee 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -1421,7 +1421,7 @@ static WERROR bkrp_do_retrieve_server_wrap_key(TALLOC_CTX *mem_ctx, struct ldb_c
DEBUG(10, ("Error while fetching secret %s\n", secret_name));
return WERR_INVALID_DATA;
}
- if (guid_binary.length == 0) {
+ if (lsa_secret.length == 0) {
/* RODC case, we do not have secrets locally */
DEBUG(1, ("Unable to fetch value for secret %s, are we an undetected RODC?\n",
secret_name));
--
1.9.1
From f1244873afa4c808cba1743dba33437389c6fccc Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 4 Mar 2015 10:36:40 +0100
Subject: [PATCH 15/17] backupkey: Remove an unused variable
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source4/rpc_server/backupkey/dcesrv_backupkey.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index 52217ee..04308bc 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -1398,7 +1398,7 @@ static WERROR bkrp_do_retrieve_server_wrap_key(TALLOC_CTX *mem_ctx, struct ldb_c
struct GUID *guid)
{
NTSTATUS status;
- DATA_BLOB guid_binary, lsa_secret;
+ DATA_BLOB lsa_secret;
char *secret_name;
char *guid_string;
enum ndr_err_code ndr_err;
--
1.9.1
From 704324492d1e1109d7e73cf58d3316c2a9e1d6f2 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 4 Mar 2015 10:47:03 +0100
Subject: [PATCH 16/17] rpc_server: Fix CID 1035534 Uninitialized scalar
variable
I believe this can't happen, but better be safe than sorry
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/rpc_server/srv_pipe.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index fecbae2..74e00e5 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -937,7 +937,7 @@ err:
static bool api_pipe_alter_context(struct pipes_struct *p,
struct ncacn_packet *pkt)
{
- struct dcerpc_auth auth_info;
+ struct dcerpc_auth auth_info = {0};
uint16 assoc_gid;
NTSTATUS status;
union dcerpc_payload u;
--
1.9.1
From 3ff7128a82cd45d5fef15e667442f925c3a2aa46 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 4 Mar 2015 10:47:03 +0100
Subject: [PATCH 17/17] rpc_server: Fix CID 1035535 Uninitialized scalar
variable
I believe this can't happen, but better be safe than sorry
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/rpc_server/srv_pipe.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 74e00e5..b2b7271 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -574,7 +574,7 @@ static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
static bool api_pipe_bind_req(struct pipes_struct *p,
struct ncacn_packet *pkt)
{
- struct dcerpc_auth auth_info;
+ struct dcerpc_auth auth_info = {0};
uint16 assoc_gid;
unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
NTSTATUS status;
--
1.9.1
More information about the samba-technical
mailing list