[PATCH] Messaging improvements and fixes needed for auth logging

Volker Lendecke vl at samba.org
Thu Mar 23 15:36:02 UTC 2017


On Tue, Mar 21, 2017 at 07:48:16AM +0100, Volker Lendecke wrote:
> On Tue, Mar 21, 2017 at 11:59:45AM +1300, Andrew Bartlett via samba-technical wrote:
> > I'll amend the commit messages, but the patches in the series I posted
> > here are (essentially) the unit tests for the bug in the server_id
> > database, because it was adding the tests for the bindings that found
> > the bug.
> 
> Please make it obvious with two commits. First is the real bugfix,
> and second one would be the API change with a comment "make the API
> safer" or so. Then we can discuss the things separately.

Attached is what I had in mind with "First is the real bugfix".

Review appreciated!

Thanks,

Volker
-------------- next part --------------
From db5ada80794dea4f93709f812b51645199f0776c Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Thu, 23 Mar 2017 15:48:25 +0100
Subject: [PATCH] server_id_db: Protect against non-0-terminated data records

Bug found by Andrew Bartlett <abartlet at samba.org>

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 lib/util/server_id_db.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/lib/util/server_id_db.c b/lib/util/server_id_db.c
index e0b8476..24db909 100644
--- a/lib/util/server_id_db.c
+++ b/lib/util/server_id_db.c
@@ -138,6 +138,7 @@ int server_id_db_prune_name(struct server_id_db *db, const char *name,
 	char idbuf[idbuf_len];
 	TDB_DATA key;
 	uint8_t *data;
+	size_t datalen;
 	char *ids, *id;
 	int ret;
 
@@ -156,6 +157,13 @@ int server_id_db_prune_name(struct server_id_db *db, const char *name,
 		return ret;
 	}
 
+	datalen = talloc_get_size(data);
+	if ((datalen == 0) || (data[datalen-1] != '\0')) {
+		tdb_chainunlock(tdb, key);
+		TALLOC_FREE(data);
+		return EINVAL;
+	}
+
 	ids = (char *)data;
 
 	id = strv_find(ids, idbuf);
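Review bot: the new datalen check ahead of `ids = (char *)data;` has no comment saying why the record must be non-empty and end in '\0'. A short comment that the buffer is handed to strv_find() as a string vector right below would make the intent clear to the next reader. Returning EINVAL also makes a malformed stored record look like an argument error to the caller, so a debug message naming the key, or a distinct errno, would make this easier to diagnose.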
@@ -200,6 +208,7 @@ int server_id_db_lookup(struct server_id_db *db, const char *name,
 	struct tdb_context *tdb = db->tdb->tdb;
 	TDB_DATA key;
 	uint8_t *data;
+	size_t datalen;
 	char *ids, *id;
 	unsigned num_servers;
 	struct server_id *servers;
@@ -212,6 +221,12 @@ int server_id_db_lookup(struct server_id_db *db, const char *name,
 		return ret;
 	}
 
+	datalen = talloc_get_size(data);
+	if ((datalen == 0) || (data[datalen-1] != '\0')) {
+		TALLOC_FREE(data);
+		return EINVAL;
+	}
+
 	ids = (char *)data;
 	num_servers = strv_count(ids);
 
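Review bot: the datalen check added before `ids = (char *)data;` in server_id_db_lookup is a copy of the one added to server_id_db_prune_name, so the two can drift apart. Consider a small static helper that takes data and returns whether it is a non-empty, '\0'-terminated buffer, leaving the differing cleanup at the call sites (tdb_chainunlock is only called on the prune path). The diffstat shows only lib/util/server_id_db.c changing, so a test that stores a record without the trailing '\0' and expects EINVAL from both functions would be a useful companion to this fix.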
-- 
2.1.4


