From 850ff697e363c7fc6e78a4af004fdda93daaa991 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Thu, 16 Feb 2017 17:07:54 +0100
Subject: [PATCH 01/12] s4-torture: Use the correct variable type in torture_smb2_maxfid()

Found by covscan.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12592
Signed-off-by: Andreas Schneider
Reviewed-by: Jeremy Allison
(cherry picked from commit 1daea6b0f848b2434c65dc90d7fe514242c78786)
---
 source4/torture/smb2/maxfid.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/source4/torture/smb2/maxfid.c b/source4/torture/smb2/maxfid.c
index cfdf7c17939..dbe3fac9d39 100644
--- a/source4/torture/smb2/maxfid.c
+++ b/source4/torture/smb2/maxfid.c
@@ -32,7 +32,7 @@ bool torture_smb2_maxfid(struct torture_context *tctx)
 NTSTATUS status;
 struct smb2_tree *tree = NULL;
 const char *dname = "smb2_maxfid";
- int i, maxfid;
+ size_t i, maxfid;
 struct smb2_handle *handles, dir_handle = { };
 size_t max_handles;
@@ -62,7 +62,7 @@ bool torture_smb2_maxfid(struct torture_context *tctx)
 struct smb2_create create = { };
 struct smb2_close close = { };
- name = talloc_asprintf(tctx, "%s\\%d", dname, i / 1000);
+ name = talloc_asprintf(tctx, "%s\\%zu", dname, i / 1000);
 torture_assert_goto(tctx, (name != NULL), ret, done, "no memory for directory name\n");
@@ -93,7 +93,7 @@ bool torture_smb2_maxfid(struct torture_context *tctx)
 char *name;
 struct smb2_create create = { };
- name = talloc_asprintf(tctx, "%s\\%d\\%d", dname, i / 1000, i);
+ name = talloc_asprintf(tctx, "%s\\%zu\\%zu", dname, i / 1000, i);
 torture_assert_goto(tctx, (name != NULL), ret, done, "no memory for file name\n");
@@ -120,7 +120,7 @@ bool torture_smb2_maxfid(struct torture_context *tctx)
 maxfid = i;
 if (maxfid == max_handles) {
- torture_comment(tctx, "Reached test limit of %d open files. "
+ torture_comment(tctx, "Reached test limit of %zu open files. "
 "Adjust to higher test with "
 "--option=torture:maxopenfiles=NNN\n", maxfid);
 }
-- 
2.12.0
From ae1dc636668dbb72b5d10b3629cbd9b42862fe31 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Thu, 16 Feb 2017 17:08:50 +0100
Subject: [PATCH 02/12] s4-kcc: Do not dereference a NULL pointer

Found by covscan.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12592
Signed-off-by: Andreas Schneider
Reviewed-by: Jeremy Allison
(cherry picked from commit 67b978bb26b3d0009b511bb2ae96d249041827a5)
---
 source4/dsdb/kcc/garbage_collect_tombstones.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/source4/dsdb/kcc/garbage_collect_tombstones.c b/source4/dsdb/kcc/garbage_collect_tombstones.c
index 1909cfeff76..d8d0a5995c2 100644
--- a/source4/dsdb/kcc/garbage_collect_tombstones.c
+++ b/source4/dsdb/kcc/garbage_collect_tombstones.c
@@ -137,7 +137,9 @@ static NTSTATUS garbage_collect_tombstones_part(TALLOC_CTX *mem_ctx,
 element->name);
 /* This avoids parsing isDeleted as a link */
- if (attrib->linkID == 0 || ((attrib->linkID & 1) == 1)) {
+ if (attrib == NULL ||
+ attrib->linkID == 0 ||
+ ((attrib->linkID & 1) == 1)) {
 continue;
 }
-- 
2.12.0

From dc0568ce7c695142cf0928a7d44eed132889d477 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Thu, 16 Feb 2017 17:15:38 +0100
Subject: [PATCH 03/12] s3-vfs: Do not deref a NULL pointer in shadow_copy2_snapshot_to_gmt()

Found by covscan.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12592
Signed-off-by: Andreas Schneider
Reviewed-by: Jeremy Allison
(cherry picked from commit e6105f92cd24de49acecd67a9f0c2c53323fe2e9)
---
 source3/modules/vfs_shadow_copy2.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/source3/modules/vfs_shadow_copy2.c b/source3/modules/vfs_shadow_copy2.c
index 402eb70936b..2afc5954e7d 100644
--- a/source3/modules/vfs_shadow_copy2.c
+++ b/source3/modules/vfs_shadow_copy2.c
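Review bot: The added `attrib == NULL` test in garbage_collect_tombstones.c skips the element without any trace, and the comment above the condition still describes only the isDeleted case. I would widen the comment to `/* Skip attributes unknown to the schema; this also avoids parsing isDeleted as a link */` and, if this loop already has a debug channel, log `element->name` at a low level before the `continue`. The lookup that assigns `attrib` and the rest of the loop are outside the hunk, so reading NULL as "no schema entry for this attribute" is inferred from the `element->name);` argument tail.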
@@ -1873,6 +1873,9 @@ static bool shadow_copy2_snapshot_to_gmt(vfs_handle_struct *handle,
 }
 /* Extract the prefix */
 tmp = strstr(tmpstr, priv->config->delimiter);
+ if (tmp == NULL) {
+ goto done;
+ }
 *tmp = '\0';
 /* Parse regex */
-- 
2.12.0

From efadbd1bfaf44a7d32f2df3f67f226bff2b61d92 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Thu, 16 Feb 2017 17:34:07 +0100
Subject: [PATCH 04/12] ndrdump: Fix a possible NULL pointer dereference

Found by covscan.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12592
Signed-off-by: Andreas Schneider
Reviewed-by: Jeremy Allison
(cherry picked from commit 79a49dc19a83bd22684a71aecf4588b753669039)
---
 librpc/tools/ndrdump.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/librpc/tools/ndrdump.c b/librpc/tools/ndrdump.c
index d534e3c1dba..d8b991606b0 100644
--- a/librpc/tools/ndrdump.c
+++ b/librpc/tools/ndrdump.c
@@ -493,6 +493,10 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...)
 bool differ;
 ndr_v_push = ndr_push_init_ctx(mem_ctx);
+ if (ndr_v_push == NULL) {
+ printf("No memory\n");
+ exit(1);
+ }
 if (assume_ndr64) {
 ndr_v_push->flags |= LIBNDR_FLAG_NDR64;
-- 
2.12.0

From 63d0a22fe574cfa91fd07d87b2d3003d3e6d5814 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Thu, 16 Feb 2017 17:52:41 +0100
Subject: [PATCH 05/12] s4:torture: Make sure handles are initialized

The CHECK_STATUS macro might goto done which checks the values of the handle so they should be initialized in this case.
Found by covscan.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12592
Signed-off-by: Andreas Schneider
Reviewed-by: Jeremy Allison
(cherry picked from commit 8a1b998acb3592ad67bb72db79965bae436748ec)
---
 source4/torture/smb2/rename.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/source4/torture/smb2/rename.c b/source4/torture/smb2/rename.c
index 1a490f31240..96526435e46 100644
--- a/source4/torture/smb2/rename.c
+++ b/source4/torture/smb2/rename.c
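Review bot: The new `goto done` leaves shadow_copy2_snapshot_to_gmt() without any trace when the snapshot name does not contain `priv->config->delimiter`, so a delimiter setting that does not match the snapshot names would presumably show up only as a snapshot that is not found. A debug line before the jump, for example `DBG_DEBUG("delimiter '%s' not found in snapshot name\n", priv->config->delimiter);`, would make that mismatch diagnosable. The `done` label and the return value are outside the hunk, so it is worth confirming that this path reports failure and that `tmpstr` is released there.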
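Review bot: The out-of-memory message in the added block of ndrdump.c is written with `printf()`, so it goes to stdout together with the dump output and can be lost or mixed into redirected output. `fprintf(stderr, "No memory\n");` keeps the diagnostic apart from the data. Whether the rest of the file already reports errors on stdout is not visible in this hunk; if it does, staying consistent with the file may be the better choice.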
@@ -57,6 +57,8 @@ static bool torture_smb2_rename_simple(struct torture_context *torture,
 union smb_fileinfo fi;
 struct smb2_handle h1;
+ ZERO_STRUCT(h1);
+
 smb2_deltree(tree1, BASEDIR);
 smb2_util_rmdir(tree1, BASEDIR);
@@ -145,6 +147,8 @@ static bool torture_smb2_rename_simple2(struct torture_context *torture,
 union smb_setfileinfo sinfo;
 struct smb2_handle h1;
+ ZERO_STRUCT(h1);
+
 smb2_deltree(tree1, BASEDIR);
 smb2_util_rmdir(tree1, BASEDIR);
@@ -226,6 +230,8 @@ static bool torture_smb2_rename_no_sharemode(struct torture_context *torture,
 union smb_fileinfo fi;
 struct smb2_handle h1;
+ ZERO_STRUCT(h1);
+
 smb2_deltree(tree1, BASEDIR);
 smb2_util_rmdir(tree1, BASEDIR);
@@ -314,6 +320,9 @@ static bool torture_smb2_rename_with_delete_access(struct torture_context *tortu
 union smb_setfileinfo sinfo;
 struct smb2_handle fh, dh;
+ ZERO_STRUCT(fh);
+ ZERO_STRUCT(dh);
+
 smb2_deltree(tree1, BASEDIR);
 smb2_util_rmdir(tree1, BASEDIR);
@@ -439,6 +448,9 @@ static bool torture_smb2_rename_with_delete_access2(struct torture_context *tort
 union smb_setfileinfo sinfo;
 struct smb2_handle fh, dh;
+ ZERO_STRUCT(fh);
+ ZERO_STRUCT(dh);
+
 smb2_deltree(tree1, BASEDIR);
 smb2_util_rmdir(tree1, BASEDIR);
@@ -563,6 +575,9 @@ static bool torture_smb2_rename_no_delete_access(struct torture_context *torture
 union smb_fileinfo fi;
 struct smb2_handle fh, dh;
+ ZERO_STRUCT(fh);
+ ZERO_STRUCT(dh);
+
 smb2_deltree(tree1, BASEDIR);
 smb2_util_rmdir(tree1, BASEDIR);
@@ -697,6 +712,9 @@ static bool torture_smb2_rename_no_delete_access2(struct torture_context *tortur
 union smb_setfileinfo sinfo;
 struct smb2_handle fh, dh;
+ ZERO_STRUCT(fh);
+ ZERO_STRUCT(dh);
+
 smb2_deltree(tree1, BASEDIR);
 smb2_util_rmdir(tree1, BASEDIR);
@@ -820,6 +838,9 @@ static bool torture_smb2_rename_msword(struct torture_context *torture,
 union smb_fileinfo fi;
 struct smb2_handle fh, dh;
+ ZERO_STRUCT(fh);
+ ZERO_STRUCT(dh);
+
 smb2_deltree(tree1, BASEDIR);
 smb2_util_rmdir(tree1, BASEDIR);
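Review bot: `ZERO_STRUCT(h1)` is added as a separate statement after the declarations in torture_smb2_rename_simple(), so the handle is still declared uninitialized and the guarantee depends on the macro call staying ahead of the first `goto done`. Initializing at the declaration, `struct smb2_handle h1 = { };`, is the form maxfid.c in this series already uses for `dir_handle` and cannot be separated from the variable by a later edit. The same applies to every other hunk of rename.c (`fh`/`dh`, and `d1`/`h1` in torture_smb2_rename_dir_openfile()). What the `done` label does with an all-zero handle is outside these hunks.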
@@ -938,6 +959,9 @@ static bool torture_smb2_rename_dir_openfile(struct torture_context *torture,
 union smb_setfileinfo sinfo;
 struct smb2_handle d1, h1;
+ ZERO_STRUCT(d1);
+ ZERO_STRUCT(h1);
+
 smb2_deltree(tree1, BASEDIR);
 smb2_util_rmdir(tree1, BASEDIR);
-- 
2.12.0

From 4c3c69e26fe1e68dd20945987062754def2a0092 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Fri, 17 Feb 2017 09:45:33 +0100
Subject: [PATCH 06/12] s3:torture: Fix uint64_t comparsion in if-clause

Found by covscan.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12592
Signed-off-by: Andreas Schneider
Reviewed-by: Jeremy Allison
(cherry picked from commit 13690569ee5893e3dbd96f2b28a41a35e3da42ff)
---
 source3/torture/torture.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index cafc1a8c3d4..393d3435543 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -5066,7 +5066,7 @@ static bool run_rename_access(int dummy)
 }
 if (cli) {
- if (fnum != -1) {
+ if (fnum != (uint64_t)-1) {
 cli_close(cli, fnum);
 }
 cli_unlink(cli, src,
@@ -5457,7 +5457,7 @@ static bool run_owner_rights(int dummy)
 fail:
 if (cli) {
- if (fnum != -1) {
+ if (fnum != (uint16_t)-1) {
 cli_close(cli, fnum);
 }
 cli_unlink(cli, fname,
-- 
2.12.0

From 36d119b19c60b27cbb5b29c70174ebd8196706e8 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Fri, 17 Feb 2017 10:08:17 +0100
Subject: [PATCH 07/12] s3:lib: Do not segfault if username is NULL

Found by covscan.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12592
Signed-off-by: Andreas Schneider
Reviewed-by: Jeremy Allison
(cherry picked from commit 9297ac44f7e0455bb74ee77ad8b68f2e8c4a070d)
---
 source3/lib/util_cmdline.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
index 6c98b44ebd2..ad51a4f5217 100644
--- a/source3/lib/util_cmdline.c
+++ b/source3/lib/util_cmdline.c
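Review bot: The two torture.c hunks cast the same sentinel to different widths, `(uint64_t)-1` in run_rename_access() and `(uint16_t)-1` in run_owner_rights(), and each comparison is only correct when the cast matches the declared type of `fnum`, which neither hunk shows. If `fnum` in run_rename_access() is a `uint16_t` as in the second function, it is promoted to `int` and can never equal `(uint64_t)-1`, so `cli_close(cli, fnum)` would run on the cleanup path even when no file was opened. Please check the declaration and use the matching cast, e.g. `if (fnum != (uint16_t)-1) {`, or compare against one named sentinel that is also used as the initializer.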
@@ -112,11 +112,14 @@ void set_cmdline_auth_info_username(struct user_auth_info *auth_info,
 {
 const char *new_val = NULL;
+ if (username == NULL) {
+ return;
+ }
 cli_credentials_parse_string(auth_info->creds, username, CRED_SPECIFIED);
 new_val = cli_credentials_get_username(auth_info->creds);
- if (username != NULL && new_val == NULL) {
+ if (new_val == NULL) {
 exit(ENOMEM);
 }
-- 
2.12.0

From 68dbfbd62762d5f8283850e2728d81ab39d7b8de Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Fri, 17 Feb 2017 11:53:52 +0100
Subject: [PATCH 08/12] pam_winbind: Return if we do not have a domain

Found by covscan.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12592
Signed-off-by: Andreas Schneider
Reviewed-by: Jeremy Allison
(cherry picked from commit 1df1d873c849f68a91d067c7049dda12c22e98c5)
---
 nsswitch/pam_winbind.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index b78c6bd93e2..dca2c299d00 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -2479,10 +2479,14 @@ static char* winbind_upn_to_username(struct pwb_context *ctx,
 if (!name) {
 return NULL;
 }
- if ((p = strchr(name, '@')) != NULL) {
- *p = 0;
- domain = p + 1;
+
+ p = strchr(name, '@');
+ if (p == NULL) {
+ TALLOC_FREE(name);
+ return NULL;
 }
+ *p = '\0';
+ domain = p + 1;
 /* Convert the UPN to a SID */
-- 
2.12.0

From 240cb45837507f60d8cfdeb30b767b17e2c2d7f7 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Thu, 16 Feb 2017 17:42:53 +0100
Subject: [PATCH 09/12] s3:librpc: Make sure kt_curser and kt_entry are initialized

Found by covscan.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12592
Signed-off-by: Andreas Schneider
Reviewed-by: Jeremy Allison
(cherry picked from commit 2f83cfdb90d687673cfc4be14cd66425fb7f3e76)
---
 source3/librpc/crypto/gse_krb5.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
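Review bot: With the early `return` in set_cmdline_auth_info_username(), a NULL `username` now leaves `auth_info->creds` exactly as it was, so a caller that passes NULL keeps whatever user name the credentials already held and gets no indication of it. For a function that sets authentication data that behaviour should be written down; a comment above the check such as `/* NULL: keep the user name already stored in creds */` is enough, or a debug message if callers are not expected to pass NULL. The function's callers are outside the hunk.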
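Review bot: The new check in winbind_upn_to_username() rejects a name without '@' but still accepts an empty part on either side of it: for a name ending in '@' `domain` becomes an empty string, and for a name starting with '@' `name` is empty after `*p = '\0'`. The name presumably originates from the authenticating user, and both forms reach the SID conversion that follows the hunk; how that lookup treats an empty domain or name is not visible here. Rejecting them in the same branch keeps the behaviour explicit: `if (p == NULL || p == name || p[1] == '\0') {`.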
diff --git a/source3/librpc/crypto/gse_krb5.c b/source3/librpc/crypto/gse_krb5.c
index 83afd16e7ce..703d1b4c925 100644
--- a/source3/librpc/crypto/gse_krb5.c
+++ b/source3/librpc/crypto/gse_krb5.c
@@ -359,8 +359,8 @@ static krb5_error_code fill_mem_keytab_from_system_keytab(krb5_context krbctx,
 {
 krb5_error_code ret = 0;
 krb5_keytab keytab = NULL;
- krb5_kt_cursor kt_cursor;
- krb5_keytab_entry kt_entry;
+ krb5_kt_cursor kt_cursor = { 0, };
+ krb5_keytab_entry kt_entry = { 0, };
 char *valid_princ_formats[7] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL };
 char *entry_princ_s = NULL;
@@ -420,9 +420,6 @@ static krb5_error_code fill_mem_keytab_from_system_keytab(krb5_context krbctx,
 goto out;
 }
- ZERO_STRUCT(kt_entry);
- ZERO_STRUCT(kt_cursor);
-
 ret = smb_krb5_kt_open_relative(krbctx, NULL, false, &keytab);
 if (ret) {
 DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
-- 
2.12.0

From fa658a9df2659dc79f88862ed225140e701c470c Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Fri, 17 Feb 2017 09:49:39 +0100
Subject: [PATCH 10/12] s3:librpc: Fix OM_uint32 comparsion in if-clause

Found by covscan.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12592
Signed-off-by: Andreas Schneider
Reviewed-by: Jeremy Allison
(cherry picked from commit 8ac43e0e6ef9236a5c6d2c27ebe24171582c1d49)
---
 source3/librpc/crypto/gse.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 792700ede04..99971d30881 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -347,7 +347,7 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
 break;
 default:
 if ((gss_maj == GSS_S_FAILURE) &&
- (gss_min == KRB5KRB_AP_ERR_TKT_EXPIRED)) {
+ (gss_min == (OM_uint32)KRB5KRB_AP_ERR_TKT_EXPIRED)) {
 DBG_NOTICE("Ticket expired\n");
 } else {
 DBG_ERR("gss_init_sec_context failed with [%s]\n",
-- 
2.12.0

From 472f068baa3c46299fa59d832d9c4dc6d063132d Mon Sep 17 00:00:00 2001
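Review bot: Replacing the two `ZERO_STRUCT()` calls with `= { 0, }` initializers in fill_mem_keytab_from_system_keytab() changes what is guaranteed about padding: the initializer zeroes the members of `kt_cursor` and `kt_entry`, while a memset-based macro zeroes every byte. That matters only if the cleanup under `out:` (outside both hunks) decides whether to release them by a bytewise comparison with a zeroed object; in that case a struct with padding could compare as in use and be handed to the krb5 free routines without ever having been filled. Please check the `out:` path, and if it uses `memcmp()`, keep an explicit `ZERO_STRUCT()` directly after the declarations rather than relying on the initializers.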
From: Andreas Schneider
Date: Thu, 16 Feb 2017 17:38:41 +0100
Subject: [PATCH 11/12] ctdb: Fix posible NULL deref in logging_init()

Found by covscan.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12592
Signed-off-by: Andreas Schneider
Reviewed-by: Jeremy Allison
(cherry picked from commit 08e03fa7f5fdc7f988fbbb26929e8c5727f36c2e)
---
 ctdb/common/logging.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/ctdb/common/logging.c b/ctdb/common/logging.c
index 3d586bfb49b..c8ccf26b565 100644
--- a/ctdb/common/logging.c
+++ b/ctdb/common/logging.c
@@ -521,7 +521,14 @@ int logging_init(TALLOC_CTX *mem_ctx, const char *logging,
 }
 name = strtok(str, ":");
+ if (name == NULL) {
+ return EINVAL;
+ }
 option = strtok(NULL, ":");
+ /*
+ * option can be NULL here, both setup()
+ * backends handle this.
+ */
 for (i=0; i
Date: Thu, 23 Feb 2017 09:41:03 -0800
Subject: [PATCH 12/12] s3:winbind: work around coverity false positive.

Signed-off-by: Jeremy Allison
Reviewed-by: Andreas Schneider
Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Thu Feb 23 23:54:48 CET 2017 on sn-devel-144
(cherry picked from commit 2e09407c5b992db0da5ca3a6d1f38341dc42d070)
---
 source3/winbindd/winbindd_list_users.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd_list_users.c b/source3/winbindd/winbindd_list_users.c
index 9a751a75c5b..fcbe8beff6f 100644
--- a/source3/winbindd/winbindd_list_users.c
+++ b/source3/winbindd/winbindd_list_users.c
@@ -178,7 +178,7 @@ NTSTATUS winbindd_list_users_recv(struct tevent_req *req,
 response->length += len;
 response->data.num_entries = 0;
- if (len >= 1) {
+ if (result != NULL && len >= 1) {
 len -= 1;
 response->data.num_entries = 1;
-- 
2.12.0