[PATCH] Array out of bound access
Jeremy Allison
jra at samba.org
Mon Nov 30 20:23:33 UTC 2015
On Wed, Nov 25, 2015 at 12:46:40PM +0100, Andreas Schneider wrote:
> On Wednesday 25 November 2015 12:24:04 Andreas Schneider wrote:
> > Hi,
> >
> > gcc 5.1.1 is complaining:
> >
> > lib/util/idtree.c:184:15: error: array subscript is above array bounds
> >
> > attached is a patch addressing the issue.
> >
> >
> > Review and push much appreciated!
>
> A second place with the same gcc error ...
Took me a while to go through the idtree code :-).
But both LGTM - pushed !
> Andreas Schneider GPG-ID: CC014E3D
> Samba Team asn at samba.org
> www.samba.org
> From f3f7416c9f20405c993d542911f8873aa70abb46 Mon Sep 17 00:00:00 2001
> From: Andreas Schneider <asn at samba.org>
> Date: Wed, 25 Nov 2015 12:20:23 +0100
> Subject: [PATCH 1/2] lib: Fix an array subscript is above array bounds error
>
> gcc 5.1.1 complains with:
> lib/util/idtree.c:184:15: error: array subscript is above array bounds
>
> Signed-off-by: Andreas Schneider <asn at samba.org>
> ---
> lib/util/idtree.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/lib/util/idtree.c b/lib/util/idtree.c
> index 2104c74..e2cfcc5 100644
> --- a/lib/util/idtree.c
> +++ b/lib/util/idtree.c
> @@ -181,8 +181,13 @@ restart:
> */
> n = id;
> while (p->bitmap == IDR_FULL) {
> - if (!(p = pa[++l]))
> + if (l >= MAX_LEVEL) {
> break;
> + }
> + p = pa[++l];
> + if (p == NULL) {
> + break;
> + }
> n = n >> IDR_BITS;
> set_bit((n & IDR_MASK), p->bitmap);
> }
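Review bot: The new guard `if (l >= MAX_LEVEL)` tests `l` before the pre-increment in `p = pa[++l];`, so the index actually used can reach MAX_LEVEL. That is in bounds only if `pa` has at least MAX_LEVEL + 1 elements; the declaration is not visible in this hunk, so please confirm it, or compare against the incremented value (for example `if (l + 1 >= MAX_LEVEL)`) if `pa` holds exactly MAX_LEVEL entries. A short comment stating which case applies would save the next reader the walk through the idtree code.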
> --
> 2.6.3
>
>
> From 37eb60b3d9696a7412a70f8f52578743cc8d26cc Mon Sep 17 00:00:00 2001
> From: Andreas Schneider <asn at samba.org>
> Date: Wed, 25 Nov 2015 12:35:59 +0100
> Subject: [PATCH 2/2] librpc: Fix a possible array out of bounds access
>
> Reported by gcc 5.1.1.
>
> Signed-off-by: Andreas Schneider <asn at samba.org>
> ---
> librpc/rpc/binding.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/librpc/rpc/binding.c b/librpc/rpc/binding.c
> index f131d00..d0acd6e 100644
> --- a/librpc/rpc/binding.c
> +++ b/librpc/rpc/binding.c
> @@ -1226,7 +1226,7 @@ _PUBLIC_ enum dcerpc_transport_t dcerpc_transport_by_tower(const struct epm_towe
> continue;
> }
>
> - for (j = 0; j < transports[i].num_protocols; j++) {
> + for (j = 0; j < transports[i].num_protocols && j < MAX_PROTSEQ; j++) {
> if (transports[i].protseq[j] != tower->floors[j+2].lhs.protocol) {
> break;
> }
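Review bot: The added `j < MAX_PROTSEQ` condition bounds `transports[i].protseq[j]`, but the same loop body also reads `tower->floors[j+2]`, and nothing in this hunk bounds `j+2` against the number of floors the tower actually carries. If that is checked earlier in the function, a comment here would help; if not, it deserves its own condition. Also note that the clamp silently hides a table entry whose `num_protocols` exceeds MAX_PROTSEQ: the loop then exits with `j` not equal to `num_protocols`, so the code after the loop should be checked to treat that as no match, and a build-time check on the `transports` table would catch a bad entry at the source.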
> --
> 2.6.3
>