[PATCH] Messaging improvements and fixes needed for auth logging
Volker Lendecke
vl at samba.org
Thu Mar 23 15:36:02 UTC 2017
On Tue, Mar 21, 2017 at 07:48:16AM +0100, Volker Lendecke wrote:
> On Tue, Mar 21, 2017 at 11:59:45AM +1300, Andrew Bartlett via samba-technical wrote:
> > I'll amend the commit messages, but the patches in the series I posted
> > here are (essentially) the unit tests for the bug in the server_id
> > database, because it was adding the tests for the bindings that found
> > the bug.
>
> Please make it obvious with two commits. First is the real bugfix,
> and second one would be the API change with a comment "make the API
> safer" or so. Then we can discuss the things separately.
Attached is what I had in mind with "First is the real bugfix".
Review appreciated!
Thanks,
Volker
-------------- next part --------------
From db5ada80794dea4f93709f812b51645199f0776c Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Thu, 23 Mar 2017 15:48:25 +0100
Subject: [PATCH] server_id_db: Protect against non-0-terminated data records
Bug found by Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Volker Lendecke <vl at samba.org>
---
lib/util/server_id_db.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/lib/util/server_id_db.c b/lib/util/server_id_db.c
index e0b8476..24db909 100644
--- a/lib/util/server_id_db.c
+++ b/lib/util/server_id_db.c
@@ -138,6 +138,7 @@ int server_id_db_prune_name(struct server_id_db *db, const char *name,
char idbuf[idbuf_len];
TDB_DATA key;
uint8_t *data;
+ size_t datalen;
char *ids, *id;
int ret;
@@ -156,6 +157,13 @@ int server_id_db_prune_name(struct server_id_db *db, const char *name,
return ret;
}
+ datalen = talloc_get_size(data);
+ if ((datalen == 0) || (data[datalen-1] != '\0')) {
+ tdb_chainunlock(tdb, key);
+ TALLOC_FREE(data);
+ return EINVAL;
+ }
+
ids = (char *)data;
id = strv_find(ids, idbuf);
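Review bot: the new check ahead of `ids = (char *)data` carries no comment explaining why a trailing '\0' is required. A one-line comment saying that strv_find() walks NUL-terminated strings, and would read past the end of the talloc'd buffer without one, would document the invariant for the next reader. The EINVAL return is also silent, so a debug message including `name` would help whoever has to track down what wrote the malformed record. The ordering of tdb_chainunlock() and TALLOC_FREE(data) before the return looks right.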
@@ -200,6 +208,7 @@ int server_id_db_lookup(struct server_id_db *db, const char *name,
struct tdb_context *tdb = db->tdb->tdb;
TDB_DATA key;
uint8_t *data;
+ size_t datalen;
char *ids, *id;
unsigned num_servers;
struct server_id *servers;
@@ -212,6 +221,12 @@ int server_id_db_lookup(struct server_id_db *db, const char *name,
return ret;
}
+ datalen = talloc_get_size(data);
+ if ((datalen == 0) || (data[datalen-1] != '\0')) {
+ TALLOC_FREE(data);
+ return EINVAL;
+ }
+
ids = (char *)data;
num_servers = strv_count(ids);
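Review bot: the `(datalen == 0) || (data[datalen-1] != '\0')` test before `ids = (char *)data` is a copy of the one added to server_id_db_prune_name(), and a small static helper taking `data` would keep the two validations from drifting apart. This error path frees `data` but, unlike the prune_name one, has no tdb_chainunlock(). The visible context shows no chain lock taken in server_id_db_lookup(), so that appears intentional, but it is worth confirming against the full function.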
--
2.1.4