[PATCH] [s3] CID 1433607, CID 1429799 and a possible mem leak
Swen Schillig
swen at vnet.ibm.com
Fri May 25 08:20:41 UTC 2018
Please review and push if happy.
Cheers Swen
From 1a58d535f4434ba5662091fab9318ca7af4c3605 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 25 May 2018 09:36:01 +0200
Subject: [PATCH 1/3] [s3] CID 1433607 Out-of-bounds-write
Remove the out-of-bounds-write.
Either the terminating 0-byte was written during initialization (n<16),
or it will be handled by the following code segment (n == MAX_NETBIOSNAME_LEN).
Signed-off-by: Swen Schillig <swen at vnet.ibm.com>
---
source3/libsmb/nmblib.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c
index ef6177e5209..2bd893b01c2 100644
--- a/source3/libsmb/nmblib.c
+++ b/source3/libsmb/nmblib.c
@@ -212,7 +212,6 @@ static int parse_nmb_name(char *inbuf,int ofs,int length, struct nmb_name *name)
name->name[n++] = (c1<<4) | c2;
m -= 2;
}
- name->name[n] = 0;
if (n==MAX_NETBIOSNAME_LEN) {
/* parse out the name type, its always
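Review bot: the deletion of `name->name[n] = 0;` is only safe if the name buffer is zero-filled before the decode loop, and that initialization is not visible in this hunk, so the commit message's "written during initialization" claim should be backed by either a code comment at the deleted line's position or a pointer in the commit message to where `name` is zeroed; a reviewer reading `parse_nmb_name` later will otherwise see a decoded name with no visible terminator and put the write back. The message also mixes the literal `n<16` with the constant `MAX_NETBIOSNAME_LEN` used in the code; stating both cases in terms of the constant (n < MAX_NETBIOSNAME_LEN vs. n == MAX_NETBIOSNAME_LEN) makes it clear that the removed line was the one-past-the-end write Coverity flagged when the loop fills all MAX_NETBIOSNAME_LEN bytes.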
--
2.14.3
From 62fc0d4774995d3fa27a8d4ce10cb7c89176a968 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 25 May 2018 10:01:39 +0200
Subject: [PATCH 2/3] [s3] CID 1429799: Explicit null dereference.
Signed-off-by: Swen Schillig <swen at vnet.ibm.com>
---
source3/rpc_client/util_netlogon.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/source3/rpc_client/util_netlogon.c b/source3/rpc_client/util_netlogon.c
index 2d73bc95cea..95c2a105d41 100644
--- a/source3/rpc_client/util_netlogon.c
+++ b/source3/rpc_client/util_netlogon.c
@@ -198,6 +198,10 @@ NTSTATUS copy_netr_SamInfo6(TALLOC_CTX *mem_ctx,
unsigned int i;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ if (in == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
info6 = talloc_zero(mem_ctx, struct netr_SamInfo6);
if (info6 == NULL) {
status = NT_STATUS_NO_MEMORY;
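Review bot: the guard on `in` is correctly placed before the `talloc_zero` so an early return cannot leak `info6`, but the commit message gives no rationale; Coverity's "explicit null dereference" means some caller can reach `copy_netr_SamInfo6` with `in == NULL`, and silently returning NT_STATUS_INVALID_PARAMETER may paper over a bug in that caller. Please name the offending call path in the commit message (or add a one-line comment above the check saying when `in` may legitimately be NULL) so the next reader knows whether this is defensive hardening or the intended contract. As a style point, the added blank line after the closing brace keeps the separation from the `talloc_zero` block, which matches the surrounding code.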
--
2.14.3
From bd2261e6ac13aebb34bb0c2f1face48ba7809089 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 25 May 2018 10:06:21 +0200
Subject: [PATCH 3/3] [s3] possible memory leak
If the call to copy_netr_SamInfo6 returns an error status,
the allocated memory for "validation" needs to be freed before returning.
Signed-off-by: Swen Schillig <swen at vnet.ibm.com>
---
source3/rpc_client/util_netlogon.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/source3/rpc_client/util_netlogon.c b/source3/rpc_client/util_netlogon.c
index 95c2a105d41..4dfdbfed4e6 100644
--- a/source3/rpc_client/util_netlogon.c
+++ b/source3/rpc_client/util_netlogon.c
@@ -382,6 +382,7 @@ NTSTATUS map_info6_to_validation(TALLOC_CTX *mem_ctx,
info6,
&validation->sam6);
if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(validation);
return status;
}
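Review bot: `TALLOC_FREE(validation)` only reclaims `validation` and its talloc children, and the `info6` passed on the preceding context line is not visibly allocated under `validation`; if `info6` was allocated on `mem_ctx` (or elsewhere) in a part of `map_info6_to_validation` outside this hunk, it still lives past this error return, so please confirm its parent context in the commit message or free it here as well. It would also help to state whether this is the only error path between the allocation of `validation` and the success return; if the function has other `return status;` sites after that allocation, they need the same treatment, and a single cleanup label would be less error-prone than repeating the free at each one.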
--
2.14.3