[PATCH] Fix a few CIDs

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Jun 7 08:32:01 UTC 2016


Hi!

Review appreciated!

Thanks, Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

SerNet & BSI laden ein: 29. Juni 2016,
2. IT-Grundschutztag 2016, BPA Berlin.
Anmeldung: https://www.sernet.de/gstag
-------------- next part --------------
From 45c31a533134f8bc49eb47ef54e67787257c750b Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 7 Jun 2016 09:58:24 +0200
Subject: [PATCH 1/3] lib: Fix CID 1362566 Dereference null return value

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/lib/messages.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/source3/lib/messages.c b/source3/lib/messages.c
index ef8e83d..65e975e 100644
--- a/source3/lib/messages.c
+++ b/source3/lib/messages.c
@@ -393,6 +393,7 @@ struct server_id messaging_server_id(const struct messaging_context *msg_ctx)
 NTSTATUS messaging_reinit(struct messaging_context *msg_ctx)
 {
 	int ret;
+	char *lck_path;
 
 	TALLOC_FREE(msg_ctx->msg_dgm_ref);
 
@@ -400,9 +401,14 @@ NTSTATUS messaging_reinit(struct messaging_context *msg_ctx)
 		.pid = getpid(), .vnn = msg_ctx->id.vnn
 	};
 
+	lck_path = lock_path("msg.lock");
+	if (lck_path == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
 	msg_ctx->msg_dgm_ref = messaging_dgm_ref(
 		msg_ctx, msg_ctx->event_ctx, &msg_ctx->id.unique_id,
-		private_path("msg.sock"), lock_path("msg.lock"),
+		private_path("msg.sock"), lck_path,
 		messaging_recv_cb, msg_ctx, &ret);
 
 	if (msg_ctx->msg_dgm_ref == NULL) {
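Review bot: The new NULL check covers only lock_path(); the `private_path("msg.sock")` argument passed to the same messaging_dgm_ref() call is still unchecked, and if private_path() is a talloc-backed helper like lock_path() (as its shape suggests) it can fail the same way and leave the same class of dereference the CID flagged. Hoisting it into a checked local keeps the two arguments consistent: `char *sock_path = private_path("msg.sock"); if (sock_path == NULL) { return NT_STATUS_NO_MEMORY; }` and then pass `sock_path` in place of the inline call. messaging_reinit's body continues past the end of the hunk.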
-- 
2.1.4


From 9de941f51330cb52ee3bec36ed7656fddac8e8f9 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 7 Jun 2016 10:01:32 +0200
Subject: [PATCH 2/3] rpc_server: Fix CID 1362565 Improper use of negative
 value

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source4/rpc_server/dcerpc_server.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index 8c69351..36b3fd2 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -2077,8 +2077,16 @@ static void dcesrv_sock_accept(struct stream_connection *srv_conn)
 	if (transport == NCALRPC) {
 		uid_t uid;
 		gid_t gid;
+		int sock_fd;
 
-		ret = getpeereid(socket_get_fd(srv_conn->socket), &uid, &gid);
+		sock_fd = socket_get_fd(srv_conn->socket);
+		if (sock_fd == -1) {
+			stream_terminate_connection(
+				srv_conn, "socket_get_fd failed\n");
+			return;
+		}
+
+		ret = getpeereid(sock_fd, &uid, &gid);
 		if (ret == -1) {
 			status = map_nt_error_from_unix_common(errno);
 			DEBUG(0, ("dcesrv_sock_accept: "
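Review bot: The new socket_get_fd() failure path terminates the connection without logging, while the getpeereid() failure immediately below it emits a DEBUG(0) message before giving up, so an operator would see nothing for the former. Adding a matching `DEBUG(0, ("dcesrv_sock_accept: socket_get_fd failed\n"));` before the stream_terminate_connection() call keeps the two failure paths consistent. Refusing the ncalrpc connection when no fd is available is the right fail-closed choice, since the uid/gid obtained from getpeereid() is presumably what the server goes on to trust for this transport. The rest of dcesrv_sock_accept lies outside the hunk.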
-- 
2.1.4


From 6801e5fb63c3f4656c2e136ae57af24bb6193bf4 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 7 Jun 2016 10:07:21 +0200
Subject: [PATCH 3/3] libsmb: Fix two CIDs for NULL dereference

This whole area is a known-to-be-broken mess, but this patch should fix
the immediate crash

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/libsmb/libsmb_server.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
index 06c0211..eb4d5d2 100644
--- a/source3/libsmb/libsmb_server.c
+++ b/source3/libsmb/libsmb_server.c
@@ -121,14 +121,20 @@ SMBC_call_auth_fn(TALLOC_CTX *ctx,
                   char **pp_username,
                   char **pp_password)
 {
-	fstring workgroup;
-	fstring username;
-	fstring password;
+	fstring workgroup = { 0 };
+	fstring username = { 0 };
+	fstring password = { 0 };
         smbc_get_auth_data_with_context_fn auth_with_context_fn;
 
-	strlcpy(workgroup, *pp_workgroup, sizeof(workgroup));
-	strlcpy(username, *pp_username, sizeof(username));
-	strlcpy(password, *pp_password, sizeof(password));
+	if (*pp_workgroup != NULL) {
+		strlcpy(workgroup, *pp_workgroup, sizeof(workgroup));
+	}
+	if (*pp_username != NULL) {
+		strlcpy(username, *pp_username, sizeof(username));
+	}
+	if (*pp_password != NULL) {
+		strlcpy(password, *pp_password, sizeof(password));
+	}
 
         /* See if there's an authentication with context function provided */
         auth_with_context_fn = smbc_getFunctionAuthDataWithContext(context);
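Review bot: The new guards silently turn a NULL `*pp_workgroup`, `*pp_username` or `*pp_password` into an empty string, so the auth callback invoked further down can no longer tell "no credential supplied" from an explicitly empty one; given the commit message that is probably acceptable, but a comment above the guards, `/* NULL inputs become "" here; the auth callback cannot tell the two apart */`, would record the choice for the next person touching this code. Separately, `password` is now a zero-initialised stack copy of a plaintext credential and nothing in this hunk clears it before return; the body continues past the hunk, so please confirm it is scrubbed on every exit path (a plain memset before return can be elided by the compiler, so prefer whichever explicit-zeroing helper the tree already provides). The enclosing function starts before and ends after the hunk.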
-- 
2.1.4


