[PATCH] Fix a few CIDs
Michael Adam
obnox at samba.org
Tue Jun 7 09:12:54 UTC 2016
On 2016-06-07 at 10:32 +0200, Volker Lendecke wrote:
> Hi!
>
> Review appreciated!
Reviewed by: me
just one cosmetic comment: The last commit message could
be polished a bit:
"This whole are is a known-to-be-broken mess"...
Feel free to push with a slight amendment.
Cheers - Michael
> From 45c31a533134f8bc49eb47ef54e67787257c750b Mon Sep 17 00:00:00 2001
> From: Volker Lendecke <vl at samba.org>
> Date: Tue, 7 Jun 2016 09:58:24 +0200
> Subject: [PATCH 1/3] lib: Fix CID 1362566 Dereference null return value
>
> Signed-off-by: Volker Lendecke <vl at samba.org>
> ---
> source3/lib/messages.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/source3/lib/messages.c b/source3/lib/messages.c
> index ef8e83d..65e975e 100644
> --- a/source3/lib/messages.c
> +++ b/source3/lib/messages.c
> @@ -393,6 +393,7 @@ struct server_id messaging_server_id(const struct messaging_context *msg_ctx)
> NTSTATUS messaging_reinit(struct messaging_context *msg_ctx)
> {
> int ret;
> + char *lck_path;
>
> TALLOC_FREE(msg_ctx->msg_dgm_ref);
>
> @@ -400,9 +401,14 @@ NTSTATUS messaging_reinit(struct messaging_context *msg_ctx)
> .pid = getpid(), .vnn = msg_ctx->id.vnn
> };
>
> + lck_path = lock_path("msg.lock");
> + if (lck_path == NULL) {
> + return NT_STATUS_NO_MEMORY;
> + }
> +
> msg_ctx->msg_dgm_ref = messaging_dgm_ref(
> msg_ctx, msg_ctx->event_ctx, &msg_ctx->id.unique_id,
> - private_path("msg.sock"), lock_path("msg.lock"),
> + private_path("msg.sock"), lck_path,
> messaging_recv_cb, msg_ctx, &ret);
>
> if (msg_ctx->msg_dgm_ref == NULL) {
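Review bot: in messaging_reinit(), private_path("msg.sock") is still evaluated inline in the messaging_dgm_ref() call and passed on without a NULL check, while only lock_path("msg.lock") gets one. If private_path() can fail in the same way, it deserves the same local variable and early return. The visible lines never release lck_path after messaging_dgm_ref() returns, so if the caller owns that string it should be freed once the call is done. The new early return also sits after TALLOC_FREE(msg_ctx->msg_dgm_ref), so on that path msg_ctx is left without a dgm reference; a comment saying callers must treat the context as unusable after NT_STATUS_NO_MEMORY would help.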
> --
> 2.1.4
>
>
> From 9de941f51330cb52ee3bec36ed7656fddac8e8f9 Mon Sep 17 00:00:00 2001
> From: Volker Lendecke <vl at samba.org>
> Date: Tue, 7 Jun 2016 10:01:32 +0200
> Subject: [PATCH 2/3] rpc_server: Fix CID 1362565 Improper use of negative
> value
>
> Signed-off-by: Volker Lendecke <vl at samba.org>
> ---
> source4/rpc_server/dcerpc_server.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
> index 8c69351..36b3fd2 100644
> --- a/source4/rpc_server/dcerpc_server.c
> +++ b/source4/rpc_server/dcerpc_server.c
> @@ -2077,8 +2077,16 @@ static void dcesrv_sock_accept(struct stream_connection *srv_conn)
> if (transport == NCALRPC) {
> uid_t uid;
> gid_t gid;
> + int sock_fd;
>
> - ret = getpeereid(socket_get_fd(srv_conn->socket), &uid, &gid);
> + sock_fd = socket_get_fd(srv_conn->socket);
> + if (sock_fd == -1) {
> + stream_terminate_connection(
> + srv_conn, "socket_get_fd failed\n");
> + return;
> + }
> +
> + ret = getpeereid(sock_fd, &uid, &gid);
> if (ret == -1) {
> status = map_nt_error_from_unix_common(errno);
> DEBUG(0, ("dcesrv_sock_accept: "
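Review bot: the new check "if (sock_fd == -1)" in dcesrv_sock_accept() rejects only one negative value. Since the defect is a negative descriptor reaching getpeereid(), "if (sock_fd < 0)" states the intent more directly and covers any negative return. The new failure path logs nothing of its own, while the getpeereid() failure just below it logs at DEBUG(0); a matching log line would make the two paths equally easy to diagnose. The trailing "\n" in the reason string "socket_get_fd failed\n" is worth checking against how other stream_terminate_connection() callers format their reason.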
> --
> 2.1.4
>
>
> From 6801e5fb63c3f4656c2e136ae57af24bb6193bf4 Mon Sep 17 00:00:00 2001
> From: Volker Lendecke <vl at samba.org>
> Date: Tue, 7 Jun 2016 10:07:21 +0200
> Subject: [PATCH 3/3] libsmb: Fix two CIDs for NULL dereference
>
> This whole are is a known-to-be-broken mess, but this patch should fix
> the immediate crash
>
> Signed-off-by: Volker Lendecke <vl at samba.org>
> ---
> source3/libsmb/libsmb_server.c | 18 ++++++++++++------
> 1 file changed, 12 insertions(+), 6 deletions(-)
>
> diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
> index 06c0211..eb4d5d2 100644
> --- a/source3/libsmb/libsmb_server.c
> +++ b/source3/libsmb/libsmb_server.c
> @@ -121,14 +121,20 @@ SMBC_call_auth_fn(TALLOC_CTX *ctx,
> char **pp_username,
> char **pp_password)
> {
> - fstring workgroup;
> - fstring username;
> - fstring password;
> + fstring workgroup = { 0 };
> + fstring username = { 0 };
> + fstring password = { 0 };
> smbc_get_auth_data_with_context_fn auth_with_context_fn;
>
> - strlcpy(workgroup, *pp_workgroup, sizeof(workgroup));
> - strlcpy(username, *pp_username, sizeof(username));
> - strlcpy(password, *pp_password, sizeof(password));
> + if (*pp_workgroup != NULL) {
> + strlcpy(workgroup, *pp_workgroup, sizeof(workgroup));
> + }
> + if (*pp_username != NULL) {
> + strlcpy(username, *pp_username, sizeof(username));
> + }
> + if (*pp_password != NULL) {
> + strlcpy(password, *pp_password, sizeof(password));
> + }
>
> /* See if there's an authentication with context function provided */
> auth_with_context_fn = smbc_getFunctionAuthDataWithContext(context);
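Review bot: in SMBC_call_auth_fn(), a NULL *pp_workgroup, *pp_username or *pp_password is now silently turned into an empty string by the "= { 0 }" initialisers, so the code after this point cannot tell "not provided" from "provided but empty". If that is intended, a one-line comment above the three checks should say so. The strlcpy() return values are still ignored, so a value longer than the fstring buffer is truncated without any indication; comparing the return value against sizeof(workgroup) and its siblings would let the function reject or log over-long credentials.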
> --
> 2.1.4
>