[PATCH] Fixes for undefined behavior in util_tdb
Gary Lockyer
gary at catalyst.net.nz
Thu Nov 29 20:53:15 UTC 2018
I'm not sure about the 2nd patch, comments in line.
From 7c7cadda8ab039df4c5eedcf01dea445f737e16b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn at samba.org>
Date: Thu, 22 Nov 2018 13:33:11 +0100
Subject: [PATCH 2/3] s3:lib: Fix undefined behavior in tdb_pack()
util_tdb.c:98:5: runtime error: null pointer passed as argument 2, which
is declared to never be null
This means the second argument of memcpy() can't be NULL.
Signed-off-by: Andreas Schneider <asn at samba.org>
---
source3/lib/util_tdb.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/source3/lib/util_tdb.c b/source3/lib/util_tdb.c
index 4f2450c5773..182b27e6376 100644
--- a/source3/lib/util_tdb.c
+++ b/source3/lib/util_tdb.c
@@ -76,14 +76,12 @@ static size_t tdb_pack_va(uint8_t *buf, int bufsize,
const char *fmt, va_list ap
SIVAL(buf, 0, d);
break;
case 'P': /* null-terminated string */
- s = va_arg(ap,char *);
- w = strlen(s);
- len = w + 1;
- if (bufsize && bufsize >= len)
- memcpy(buf, s, len);
- break;
case 'f': /* null-terminated string */
s = va_arg(ap,char *);
+ if (s == NULL) {
+
len = 1;
I think this should be an smb_panic, otherwise a random byte will be
silently written to the buffer. While it could write a zero byte, then
we'd be converting a NULL pointer to a zero length string.
+ break;
+ }
w = strlen(s);
len = w + 1;
if (bufsize && bufsize >= len)
@@ -95,7 +93,9 @@ static size_t tdb_pack_va(uint8_t *buf, int bufsize,
const char *fmt, va_list ap
len = 4+i;
if (bufsize && bufsize >= len) {
SIVAL(buf, 0, i);
- memcpy(buf+4, s, i);
+ if (s != NULL) {
+ memcpy(buf+4, s, i);
+ }
}
break;
default:
--
2.19.1
On 28/11/18 04:31, Andreas Schneider via samba-technical wrote:
> Hi,
>
> see attached patchset. A CI pipeline is here:
>
> https://gitlab.com/samba-team/devel/samba/pipelines/38025491
>
>
> Please review and comment. Push if OK.
>
>
> Thanks,
>
>
> Andreas
>
Ngā mihi
Gary
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20181130/bded33db/signature.sig>
More information about the samba-technical
mailing list