[PATCH] Fixes for undefined behavior in util_tdb
Andreas Schneider
asn at samba.org
Fri Nov 30 10:52:33 UTC 2018
On Thursday, 29 November 2018 21:53:15 CET Gary Lockyer wrote:
> I'm not sure about the 2nd patch, comments in line.
I've added the panic, a pipeline with the smb_panic is running here:
https://gitlab.com/samba-team/devel/samba/pipelines/38463754
Thanks for the review,
Andreas
> From 7c7cadda8ab039df4c5eedcf01dea445f737e16b Mon Sep 17 00:00:00 2001
> From: Andreas Schneider <asn at samba.org>
> Date: Thu, 22 Nov 2018 13:33:11 +0100
> Subject: [PATCH 2/3] s3:lib: Fix undefined behavior in tdb_pack()
>
> util_tdb.c:98:5: runtime error: null pointer passed as argument 2, which
> is declared to never be null
>
> This means the second argument of memcpy() can't be NULL.
>
> Signed-off-by: Andreas Schneider <asn at samba.org>
> ---
> source3/lib/util_tdb.c | 14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/source3/lib/util_tdb.c b/source3/lib/util_tdb.c
> index 4f2450c5773..182b27e6376 100644
> --- a/source3/lib/util_tdb.c
> +++ b/source3/lib/util_tdb.c
> @@ -76,14 +76,12 @@ static size_t tdb_pack_va(uint8_t *buf, int bufsize,
> const char *fmt, va_list ap
> SIVAL(buf, 0, d);
> break;
> case 'P': /* null-terminated string */
> - s = va_arg(ap,char *);
> - w = strlen(s);
> - len = w + 1;
> - if (bufsize && bufsize >= len)
> - memcpy(buf, s, len);
> - break;
> case 'f': /* null-terminated string */
> s = va_arg(ap,char *);
> + if (s == NULL) {
> +
> len = 1;
> I think this should be an smb_panic, otherwise a random byte will be
> silently written to the buffer. While it could write a zero byte, then
> we'd be converting a NULL pointer to a zero length string.
>
> + break;
> + }
> w = strlen(s);
> len = w + 1;
> if (bufsize && bufsize >= len)
> @@ -95,7 +93,9 @@ static size_t tdb_pack_va(uint8_t *buf, int bufsize,
> const char *fmt, va_list ap
> len = 4+i;
> if (bufsize && bufsize >= len) {
> SIVAL(buf, 0, i);
> - memcpy(buf+4, s, i);
> + if (s != NULL) {
> + memcpy(buf+4, s, i);
> + }
> }
> break;
>
> default:
> > Hi,
> >
> > see attached patchset. A CI pipeline is here:
> >
> > https://gitlab.com/samba-team/devel/samba/pipelines/38025491
> >
> >
> > Please review and comment. Push if OK.
> >
> >
> > Thanks,
> >
> > Andreas
>
> Ngā mihi
> Gary
--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
More information about the samba-technical
mailing list