[PATCH] Fix two new CIDs

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Feb 3 08:21:34 UTC 2016


Hi!

Review appreciated!

Thanks, Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
From 79344a30d5c60262aefe18274ea62918f855490c Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 3 Feb 2016 09:10:46 +0100
Subject: [PATCH 1/2] smbd: Fix CID 1351216 Dereference null return value

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/smbd/smbXsrv_client.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/source3/smbd/smbXsrv_client.c b/source3/smbd/smbXsrv_client.c
index 87cc307..fa352aa 100644
--- a/source3/smbd/smbXsrv_client.c
+++ b/source3/smbd/smbXsrv_client.c
@@ -63,6 +63,9 @@ NTSTATUS smbXsrv_client_global_init(void)
 	 * This contains secret information like client keys!
 	 */
 	global_path = lock_path("smbXsrv_client_global.tdb");
+	if (global_path == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
 
 	db_ctx = db_open(NULL, global_path,
 			 0, /* hash_size */
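Review bot: The new NULL check on global_path returns NT_STATUS_NO_MEMORY without logging anything, so a failure of smbXsrv_client_global_init() at this point will be hard to tell apart from any other allocation failure. Consider a DEBUG line naming "smbXsrv_client_global.tdb" before the return. If lock_path() can return NULL for reasons other than a failed allocation, a more specific status code would also be more accurate than NT_STATUS_NO_MEMORY. The commit message has no body; one sentence on when lock_path() returns NULL would help later readers of CID 1351216.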
-- 
1.7.9.5


From c47938a4b7a25e970836655f0821830c98735f42 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 3 Feb 2016 09:18:14 +0100
Subject: [PATCH 2/2] smbd: Fix CID 1351215 Improper use of negative value

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/smbd/smbXsrv_client.c |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/source3/smbd/smbXsrv_client.c b/source3/smbd/smbXsrv_client.c
index fa352aa..0e21fc6 100644
--- a/source3/smbd/smbXsrv_client.c
+++ b/source3/smbd/smbXsrv_client.c
@@ -290,14 +290,20 @@ NTSTATUS smb2srv_client_connection_pass(struct smbd_smb2_request *smb2req,
 	NTSTATUS status;
 	struct smbXsrv_connection_pass0 pass_info0;
 	struct smbXsrv_connection_passB pass_blob;
+	ssize_t reqlen;
 	struct iovec iov;
 
 	pass_info0.initial_connect_time = global->initial_connect_time;
 	pass_info0.client_guid = global->client_guid;
-	pass_info0.negotiate_request.length = iov_buflen(smb2req->in.vector,
-							 smb2req->in.vector_count);
+
+	reqlen = iov_buflen(smb2req->in.vector, smb2req->in.vector_count);
+	if (reqlen == -1) {
+		return NT_STATUS_INVALID_BUFFER_SIZE;
+	}
+
+	pass_info0.negotiate_request.length = reqlen;
 	pass_info0.negotiate_request.data = talloc_array(talloc_tos(), uint8_t,
-					pass_info0.negotiate_request.length);
+							 reqlen);
 	if (pass_info0.negotiate_request.data == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}
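Review bot: The check "if (reqlen == -1)" only rejects the single sentinel value, while reqlen is an ssize_t that is then stored in pass_info0.negotiate_request.length and passed as the element count to talloc_array(). Testing "if (reqlen < 0)" would make it explicit, to readers and to the static analyser, that no negative value can reach either of those uses. The early return is placed before the talloc_array() call, so nothing is leaked on this path, which is good. A short commit message body stating that iov_buflen() signals failure with -1 would document why the intermediate variable was introduced.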
-- 
1.7.9.5


