[PATCH] [s3] CID 1433607, CID 1429799 and a possible mem leak

Swen Schillig swen at vnet.ibm.com
Fri May 25 08:20:41 UTC 2018


Please review and push if happy.

Cheers Swen
From 1a58d535f4434ba5662091fab9318ca7af4c3605 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 25 May 2018 09:36:01 +0200
Subject: [PATCH 1/3] [s3] CID 1433607 Out-of-bounds-write

Remove the out-of-bounds write.
Either the terminating 0-byte was written during initialization (n<16)
or it will be handled by the following code segment (n == MAX_NETBIOSNAME_LEN).

Signed-off-by: Swen Schillig <swen at vnet.ibm.com>
---
 source3/libsmb/nmblib.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c
index ef6177e5209..2bd893b01c2 100644
--- a/source3/libsmb/nmblib.c
+++ b/source3/libsmb/nmblib.c
@@ -212,7 +212,6 @@ static int parse_nmb_name(char *inbuf,int ofs,int length, struct nmb_name *name)
 		name->name[n++] = (c1<<4) | c2;
 		m -= 2;
 	}
-	name->name[n] = 0;
 
 	if (n==MAX_NETBIOSNAME_LEN) {
 		/* parse out the name type, its always
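Review bot: the removal of `name->name[n] = 0;` relies on an invariant that the hunk itself does not show: that `name->name` was zero-filled before the decode loop, so that every `n < MAX_NETBIOSNAME_LEN` path still ends with a terminator. Neither the initialization nor the loop header is in the visible context, so a reader of this hunk cannot confirm that the buffer is still NUL-terminated after the loop exits early (`m` exhausted with `n` well below 16). Please either cite the initializing statement (the memset or ZERO_STRUCTP of `name`) in the commit message, or keep the termination explicit and bounded, e.g. `if (n < MAX_NETBIOSNAME_LEN) { name->name[n] = 0; }`, which removes the write at index 16 without depending on a distant invariant and documents the intent at the point of use.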
-- 
2.14.3


From 62fc0d4774995d3fa27a8d4ce10cb7c89176a968 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 25 May 2018 10:01:39 +0200
Subject: [PATCH 2/3] [s3] CID 1429799: Explicit null dereference.

Signed-off-by: Swen Schillig <swen at vnet.ibm.com>
---
 source3/rpc_client/util_netlogon.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/source3/rpc_client/util_netlogon.c b/source3/rpc_client/util_netlogon.c
index 2d73bc95cea..95c2a105d41 100644
--- a/source3/rpc_client/util_netlogon.c
+++ b/source3/rpc_client/util_netlogon.c
@@ -198,6 +198,10 @@ NTSTATUS copy_netr_SamInfo6(TALLOC_CTX *mem_ctx,
 	unsigned int i;
 	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
 
+	if (in == NULL) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	info6 = talloc_zero(mem_ctx, struct netr_SamInfo6);
 	if (info6 == NULL) {
 		status = NT_STATUS_NO_MEMORY;
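Review bot: the NULL check is placed before the `talloc_zero`, so the early `return NT_STATUS_INVALID_PARAMETER;` cannot leak `info6`, and returning directly rather than going through the `status` variable is fine here. What is missing is the commit message body: it names CID 1429799 but does not say which caller (or which code path) can hand a NULL `in` to `copy_netr_SamInfo6`, or whether this is a purely defensive check that silences the scanner. Please add one sentence so the fix can be verified against the call sites rather than only against the Coverity report.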
-- 
2.14.3


From bd2261e6ac13aebb34bb0c2f1face48ba7809089 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 25 May 2018 10:06:21 +0200
Subject: [PATCH 3/3] [s3] possible memory leak

If the call to copy_netr_SamInfo6 returns an error status,
the allocated memory for "validation" needs to be freed before returning.

Signed-off-by: Swen Schillig <swen at vnet.ibm.com>
---
 source3/rpc_client/util_netlogon.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source3/rpc_client/util_netlogon.c b/source3/rpc_client/util_netlogon.c
index 95c2a105d41..4dfdbfed4e6 100644
--- a/source3/rpc_client/util_netlogon.c
+++ b/source3/rpc_client/util_netlogon.c
@@ -382,6 +382,7 @@ NTSTATUS map_info6_to_validation(TALLOC_CTX *mem_ctx,
 				    info6,
 				    &validation->sam6);
 	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(validation);
 		return status;
 	}
 
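Review bot: `TALLOC_FREE(validation)` on the error path is only correct if `validation` is allocated by `map_info6_to_validation` itself and not handed in by the caller; the allocation is outside the visible context, so please confirm ownership, because freeing a caller-owned object here would turn a leak into a use-after-free for the caller. If the function does own it, the same check applies to any other error return between the allocation and this point (for instance the failure path of the `info6` copy that precedes the `copy_netr_SamInfo6` call), which this one-line hunk does not cover; a single `goto` to a cleanup label that frees `validation` would handle all of them consistently.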
-- 
2.14.3



More information about the samba-technical mailing list