[PATCH] Fix a few CIDs
Volker Lendecke
Volker.Lendecke at SerNet.DE
Tue Jun 7 08:32:01 UTC 2016
Hi!
Review appreciated!
Thanks, Volker
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
SerNet & BSI laden ein: 29. Juni 2016,
2. IT-Grundschutztag 2016, BPA Berlin.
Anmeldung: https://www.sernet.de/gstag
-------------- next part --------------
From 45c31a533134f8bc49eb47ef54e67787257c750b Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 7 Jun 2016 09:58:24 +0200
Subject: [PATCH 1/3] lib: Fix CID 1362566 Dereference null return value
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/lib/messages.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/source3/lib/messages.c b/source3/lib/messages.c
index ef8e83d..65e975e 100644
--- a/source3/lib/messages.c
+++ b/source3/lib/messages.c
@@ -393,6 +393,7 @@ struct server_id messaging_server_id(const struct messaging_context *msg_ctx)
NTSTATUS messaging_reinit(struct messaging_context *msg_ctx)
{
int ret;
+ char *lck_path;
TALLOC_FREE(msg_ctx->msg_dgm_ref);
@@ -400,9 +401,14 @@ NTSTATUS messaging_reinit(struct messaging_context *msg_ctx)
.pid = getpid(), .vnn = msg_ctx->id.vnn
};
+ lck_path = lock_path("msg.lock");
+ if (lck_path == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
msg_ctx->msg_dgm_ref = messaging_dgm_ref(
msg_ctx, msg_ctx->event_ctx, &msg_ctx->id.unique_id,
- private_path("msg.sock"), lock_path("msg.lock"),
+ private_path("msg.sock"), lck_path,
messaging_recv_cb, msg_ctx, &ret);
if (msg_ctx->msg_dgm_ref == NULL) {
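Review bot: `private_path("msg.sock")` is still passed inline to messaging_dgm_ref without a NULL check, while the sibling `lock_path("msg.lock")` result now gets one. If private_path can fail the same way (its definition is not visible here), the same NULL would reach messaging_dgm_ref; hoisting it into a local, `sock_path = private_path("msg.sock");` followed by `if (sock_path == NULL) { return NT_STATUS_NO_MEMORY; }`, closes that. The new early return also runs after `TALLOC_FREE(msg_ctx->msg_dgm_ref)` from the previous hunk, so a short comment saying that msg_ctx is left without a dgm reference on this path would help callers. messaging_reinit continues outside the hunk.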
--
2.1.4
From 9de941f51330cb52ee3bec36ed7656fddac8e8f9 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 7 Jun 2016 10:01:32 +0200
Subject: [PATCH 2/3] rpc_server: Fix CID 1362565 Improper use of negative
value
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source4/rpc_server/dcerpc_server.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index 8c69351..36b3fd2 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -2077,8 +2077,16 @@ static void dcesrv_sock_accept(struct stream_connection *srv_conn)
if (transport == NCALRPC) {
uid_t uid;
gid_t gid;
+ int sock_fd;
- ret = getpeereid(socket_get_fd(srv_conn->socket), &uid, &gid);
+ sock_fd = socket_get_fd(srv_conn->socket);
+ if (sock_fd == -1) {
+ stream_terminate_connection(
+ srv_conn, "socket_get_fd failed\n");
+ return;
+ }
+
+ ret = getpeereid(sock_fd, &uid, &gid);
if (ret == -1) {
status = map_nt_error_from_unix_common(errno);
DEBUG(0, ("dcesrv_sock_accept: "
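Review bot: The new guard in dcesrv_sock_accept tests only `sock_fd == -1`, so any other negative return from socket_get_fd would still be handed to getpeereid; `if (sock_fd < 0) {` covers the whole class the CID describes. Whether socket_get_fd can return a negative value other than -1 is not visible here, so this is a defensive tightening rather than a confirmed bug. Terminating the connection before the peer uid/gid lookup is the right fail-closed behaviour for the NCALRPC branch, and a one-line comment saying so, `/* no fd, no peer credentials: refuse the connection */`, would keep a later refactor from softening it. The function body continues outside the hunk.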
--
2.1.4
From 6801e5fb63c3f4656c2e136ae57af24bb6193bf4 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 7 Jun 2016 10:07:21 +0200
Subject: [PATCH 3/3] libsmb: Fix two CIDs for NULL dereference
This whole area is a known-to-be-broken mess, but this patch should fix
the immediate crash
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/libsmb/libsmb_server.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
index 06c0211..eb4d5d2 100644
--- a/source3/libsmb/libsmb_server.c
+++ b/source3/libsmb/libsmb_server.c
@@ -121,14 +121,20 @@ SMBC_call_auth_fn(TALLOC_CTX *ctx,
char **pp_username,
char **pp_password)
{
- fstring workgroup;
- fstring username;
- fstring password;
+ fstring workgroup = { 0 };
+ fstring username = { 0 };
+ fstring password = { 0 };
smbc_get_auth_data_with_context_fn auth_with_context_fn;
- strlcpy(workgroup, *pp_workgroup, sizeof(workgroup));
- strlcpy(username, *pp_username, sizeof(username));
- strlcpy(password, *pp_password, sizeof(password));
+ if (*pp_workgroup != NULL) {
+ strlcpy(workgroup, *pp_workgroup, sizeof(workgroup));
+ }
+ if (*pp_username != NULL) {
+ strlcpy(username, *pp_username, sizeof(username));
+ }
+ if (*pp_password != NULL) {
+ strlcpy(password, *pp_password, sizeof(password));
+ }
/* See if there's an authentication with context function provided */
auth_with_context_fn = smbc_getFunctionAuthDataWithContext(context);
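Review bot: The three `strlcpy` calls ignore their return value, so a workgroup, username or password longer than the fstring buffer is truncated silently and the shortened copy is presumably what gets used for authentication afterwards. Comparing the result with the buffer size, e.g. `if (strlcpy(password, *pp_password, sizeof(password)) >= sizeof(password)) {`, and logging or rejecting that case would make the failure visible. With the new guards a NULL input is also indistinguishable from an empty string in the local copies; a comment such as `/* NULL inputs are handed on as empty strings */` would record that this is intended. The body of SMBC_call_auth_fn continues outside the hunk, so how the copies are consumed and whether the stack copy of the password is cleared cannot be checked from here.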
--
2.1.4