[PATCH] Fix a few CIDs

Michael Adam obnox at samba.org
Tue Jun 7 09:12:54 UTC 2016


On 2016-06-07 at 10:32 +0200, Volker Lendecke wrote:
> Hi!
> 
> Review appreciated!

Reviewed by: me

Just one cosmetic comment: The last commit message could
be polished a bit:
"This whole are is a known-to-be-broken mess"...

Feel free to push with a slight amendment.

Cheers - Michael



> From 45c31a533134f8bc49eb47ef54e67787257c750b Mon Sep 17 00:00:00 2001
> From: Volker Lendecke <vl at samba.org>
> Date: Tue, 7 Jun 2016 09:58:24 +0200
> Subject: [PATCH 1/3] lib: Fix CID 1362566 Dereference null return value
> 
> Signed-off-by: Volker Lendecke <vl at samba.org>
> ---
>  source3/lib/messages.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/source3/lib/messages.c b/source3/lib/messages.c
> index ef8e83d..65e975e 100644
> --- a/source3/lib/messages.c
> +++ b/source3/lib/messages.c
> @@ -393,6 +393,7 @@ struct server_id messaging_server_id(const struct messaging_context *msg_ctx)
>  NTSTATUS messaging_reinit(struct messaging_context *msg_ctx)
>  {
>  	int ret;
> +	char *lck_path;
>  
>  	TALLOC_FREE(msg_ctx->msg_dgm_ref);
>  
> @@ -400,9 +401,14 @@ NTSTATUS messaging_reinit(struct messaging_context *msg_ctx)
>  		.pid = getpid(), .vnn = msg_ctx->id.vnn
>  	};
>  
> +	lck_path = lock_path("msg.lock");
> +	if (lck_path == NULL) {
> +		return NT_STATUS_NO_MEMORY;
> +	}
> +
>  	msg_ctx->msg_dgm_ref = messaging_dgm_ref(
>  		msg_ctx, msg_ctx->event_ctx, &msg_ctx->id.unique_id,
> -		private_path("msg.sock"), lock_path("msg.lock"),
> +		private_path("msg.sock"), lck_path,
>  		messaging_recv_cb, msg_ctx, &ret);
>  
>  	if (msg_ctx->msg_dgm_ref == NULL) {
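Review bot: the sibling argument `private_path("msg.sock")` on the same messaging_dgm_ref() call is still passed unchecked; if lock_path() can return NULL on allocation failure, private_path() presumably can as well, so the same NULL guard and NT_STATUS_NO_MEMORY return belong in front of it to fully close this CID class. Also worth noting in the commit message: the new early return happens after TALLOC_FREE(msg_ctx->msg_dgm_ref) in the context above, so a caller that receives NT_STATUS_NO_MEMORY is left with a messaging context whose dgm ref is NULL and must be able to tolerate that.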
> -- 
> 2.1.4
> 
> 
> From 9de941f51330cb52ee3bec36ed7656fddac8e8f9 Mon Sep 17 00:00:00 2001
> From: Volker Lendecke <vl at samba.org>
> Date: Tue, 7 Jun 2016 10:01:32 +0200
> Subject: [PATCH 2/3] rpc_server: Fix CID 1362565 Improper use of negative
>  value
> 
> Signed-off-by: Volker Lendecke <vl at samba.org>
> ---
>  source4/rpc_server/dcerpc_server.c | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
> index 8c69351..36b3fd2 100644
> --- a/source4/rpc_server/dcerpc_server.c
> +++ b/source4/rpc_server/dcerpc_server.c
> @@ -2077,8 +2077,16 @@ static void dcesrv_sock_accept(struct stream_connection *srv_conn)
>  	if (transport == NCALRPC) {
>  		uid_t uid;
>  		gid_t gid;
> +		int sock_fd;
>  
> -		ret = getpeereid(socket_get_fd(srv_conn->socket), &uid, &gid);
> +		sock_fd = socket_get_fd(srv_conn->socket);
> +		if (sock_fd == -1) {
> +			stream_terminate_connection(
> +				srv_conn, "socket_get_fd failed\n");
> +			return;
> +		}
> +
> +		ret = getpeereid(sock_fd, &uid, &gid);
>  		if (ret == -1) {
>  			status = map_nt_error_from_unix_common(errno);
>  			DEBUG(0, ("dcesrv_sock_accept: "
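Review bot: the new sock_fd == -1 path terminates the connection silently, while the adjacent getpeereid() failure path below it logs a DEBUG(0, ("dcesrv_sock_accept: " ...)) message before giving up; a matching DEBUG(0, ...) line before stream_terminate_connection() would keep the two error paths consistent and make a failed socket_get_fd() visible in the logs. Minor: the reason string "socket_get_fd failed\n" carries a trailing newline, which is only appropriate if the other reason strings passed to stream_terminate_connection() in this file do the same.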
> -- 
> 2.1.4
> 
> 
> From 6801e5fb63c3f4656c2e136ae57af24bb6193bf4 Mon Sep 17 00:00:00 2001
> From: Volker Lendecke <vl at samba.org>
> Date: Tue, 7 Jun 2016 10:07:21 +0200
> Subject: [PATCH 3/3] libsmb: Fix two CIDs for NULL dereference
> 
> This whole are is a known-to-be-broken mess, but this patch should fix
> the immediate crash
> 
> Signed-off-by: Volker Lendecke <vl at samba.org>
> ---
>  source3/libsmb/libsmb_server.c | 18 ++++++++++++------
>  1 file changed, 12 insertions(+), 6 deletions(-)
> 
> diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
> index 06c0211..eb4d5d2 100644
> --- a/source3/libsmb/libsmb_server.c
> +++ b/source3/libsmb/libsmb_server.c
> @@ -121,14 +121,20 @@ SMBC_call_auth_fn(TALLOC_CTX *ctx,
>                    char **pp_username,
>                    char **pp_password)
>  {
> -	fstring workgroup;
> -	fstring username;
> -	fstring password;
> +	fstring workgroup = { 0 };
> +	fstring username = { 0 };
> +	fstring password = { 0 };
>          smbc_get_auth_data_with_context_fn auth_with_context_fn;
>  
> -	strlcpy(workgroup, *pp_workgroup, sizeof(workgroup));
> -	strlcpy(username, *pp_username, sizeof(username));
> -	strlcpy(password, *pp_password, sizeof(password));
> +	if (*pp_workgroup != NULL) {
> +		strlcpy(workgroup, *pp_workgroup, sizeof(workgroup));
> +	}
> +	if (*pp_username != NULL) {
> +		strlcpy(username, *pp_username, sizeof(username));
> +	}
> +	if (*pp_password != NULL) {
> +		strlcpy(password, *pp_password, sizeof(password));
> +	}
>  
>          /* See if there's an authentication with context function provided */
>          auth_with_context_fn = smbc_getFunctionAuthDataWithContext(context);
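Review bot: the three NULL guards silently turn a missing *pp_workgroup, *pp_username or *pp_password into an empty string (the `= { 0 }` initialisers make that the fallback), so code further down can no longer tell "not supplied" from "supplied as empty"; given the commit message's own caveat about this area, a one-line comment above the guards stating that NULL is deliberately treated as "" would document the intended semantics for the next person touching it. The `fstring x = { 0 }` form is the right fix for the uninitialised-buffer half of the problem, since strlcpy() is now skipped on the NULL path and the buffers would otherwise be read uninitialised.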
> -- 
> 2.1.4
> 
