Attachment 10405 Details for Bug 9629 – proposed patch

[patch] proposed patch

9629.patch (text/plain), 3.48 KB, created by Christian Ambach on 2014-11-04 22:57:08 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Christian Ambach

Created: 2014-11-04 22:57:08 UTC

Size: 3.48 KB

patch

obsolete

>From f46b0c632aa83171bb71e8a897fb00b7c2904531 Mon Sep 17 00:00:00 2001
>From: Christian Ambach <ambi@samba.org>
>Date: Tue, 4 Nov 2014 23:47:26 +0100
>Subject: [PATCH 1/3] s3:registry/regfio read SD from the correct location
>
>try to find the security descriptor at the data pointer, not at the beginning of the hbin
>
>Bug: https://bugzilla.samba.org/show_bug.cgi?id=9629
>Signed-off-by: Christian Ambach <ambi@samba.org>
>---
> source3/registry/regfio.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
>diff --git a/source3/registry/regfio.c b/source3/registry/regfio.c
>index fe80094..b32bf03 100644
>--- a/source3/registry/regfio.c
>+++ b/source3/registry/regfio.c
>@@ -768,8 +768,10 @@ static bool hbin_prs_sk_rec( const char *desc, REGF_HBIN *hbin, int depth, REGF_
> 			if (!prs_copy_data_in(&hbin->ps, (const char *)blob.data, blob.length))
> 				return False;
> 		} else {
>-			blob = data_blob_const(prs_data_p(&hbin->ps),
>-					       prs_data_size(&hbin->ps));
>+			blob = data_blob_const(
>+				prs_data_p(&hbin->ps) + prs_offset(&hbin->ps),
>+				prs_data_size(&hbin->ps) - prs_offset(&hbin->ps)
>+			       );
> 			status = unmarshall_sec_desc(mem_ctx,
> 						     blob.data, blob.length,
> 						     &sk->sec_desc);
>-- 
>1.9.1
>
>
>From 8ce1af104dcaf063e8161f0bd76284e80ebc3e07 Mon Sep 17 00:00:00 2001
>From: Christian Ambach <ambi@samba.org>
>Date: Tue, 4 Nov 2014 23:50:07 +0100
>Subject: [PATCH 2/3] s3:registry/regfio fix some valgrind warnings
>
>Signed-off-by: Christian Ambach <ambi@samba.org>
>---
> source3/registry/regfio.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/source3/registry/regfio.c b/source3/registry/regfio.c
>index b32bf03..e49de26 100644
>--- a/source3/registry/regfio.c
>+++ b/source3/registry/regfio.c
>@@ -1741,7 +1741,7 @@ static bool create_vk_record(REGF_FILE *file, REGF_VK_REC *vk,
> 		/* make sure we don't try to copy from a NULL value pointer */
> 
> 		if ( vk->data_size != 0 ) 
>-			memcpy( &vk->data_off, regval_data_p(value), sizeof(uint32) );
>+			memcpy( &vk->data_off, regval_data_p(value), vk->data_size);
> 		vk->data_size |= VK_DATA_IN_OFFSET;		
> 	}
> 
>@@ -1806,7 +1806,7 @@ static int hashrec_cmp( REGF_HASH_REC *h1, REGF_HASH_REC *h2 )
> 		REGF_HASH_REC *hash = &parent->subkeys.hashes[parent->subkey_index];
> 
> 		hash->nk_off = prs_offset( &nk->hbin->ps ) + nk->hbin->first_hbin_off - HBIN_HDR_SIZE;
>-		memcpy( hash->keycheck, name, sizeof(uint32) );
>+		memcpy(hash->keycheck, name, MIN(strlen(name),sizeof(uint32)));
> 		hash->fullname = talloc_strdup( file->mem_ctx, name );
> 		parent->subkey_index++;
> 
>-- 
>1.9.1
>
>
>From 57833c295a39b77059afa7e567a858d4e275ac35 Mon Sep 17 00:00:00 2001
>From: Christian Ambach <ambi@samba.org>
>Date: Tue, 4 Nov 2014 23:51:23 +0100
>Subject: [PATCH 3/3] s3:utils/profiles fix a use after free
>
>path is a talloc-child of subkeys, so subkeys should not be freed before calling
>verbose_output
>
>Signed-off-by: Christian Ambach <ambi@samba.org>
>---
> source3/utils/profiles.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
>diff --git a/source3/utils/profiles.c b/source3/utils/profiles.c
>index 0f274ad..22c8f72 100644
>--- a/source3/utils/profiles.c
>+++ b/source3/utils/profiles.c
>@@ -189,12 +189,12 @@ static bool copy_registry_tree( REGF_FILE *infile, REGF_NK_REC *nk,
> 		}
> 	}
> 
>-	/* values is a talloc()'d child of subkeys here so just throw it all away */
>-
>-	TALLOC_FREE( subkeys );
> 
> 	verbose_output("[%s]\n", path);
> 
>+	/* values is a talloc()'d child of subkeys here so just throw it all away */
>+	TALLOC_FREE(subkeys);
>+
> 	return True;
> }
> 
>-- 
>1.9.1
>

Flags:

metze: review+

Actions: View

Attachments on bug 9629: 10241 | 10405 | 10494