From 5b54ced31678999842f621e0023674dc920e28a9 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Tue, 7 Aug 2018 22:48:58 +0200
Subject: [PATCH 1/5] smbd: Align integer types
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13553
Signed-off-by: Volker Lendecke
Reviewed-by: Jeremy Allison
---
 source3/smbd/nttrans.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 5937380fb85..810f8b92b43 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -2301,7 +2301,7 @@ static enum ndr_err_code fill_qtlist_from_sids(TALLOC_CTX *mem_ctx,
 struct dom_sid *sids,
 uint32_t elems)
 {
- int i;
+ uint32_t i;
 TALLOC_CTX *list_ctx = NULL;
 list_ctx = talloc_init("quota_sid_list");
-- 
2.13.7
From 60c0a2b384d935e2ef6ffe5d167a423b1b2e7af8 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Tue, 7 Aug 2018 22:49:16 +0200
Subject: [PATCH 2/5] smbd: Fix CID 1438246 Unchecked return value
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13553
Signed-off-by: Volker Lendecke
Reviewed-by: Jeremy Allison
---
 source3/smbd/nttrans.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 810f8b92b43..bad904b9eb8 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -2317,6 +2317,7 @@ static enum ndr_err_code fill_qtlist_from_sids(TALLOC_CTX *mem_ctx,
 for (i = 0; i < elems; i++) {
 SMB_NTQUOTA_STRUCT qt;
 SMB_NTQUOTA_LIST *list_item;
+ bool ok;
 if (!NT_STATUS_IS_OK(vfs_get_ntquota(fsp,
 SMB_USER_QUOTA_TYPE,
@@ -2333,7 +2334,15 @@ static enum ndr_err_code fill_qtlist_from_sids(TALLOC_CTX *mem_ctx,
 return NDR_ERR_ALLOC;
 }
- sid_to_uid(&sids[i], &list_item->uid);
+ ok = sid_to_uid(&sids[i], &list_item->uid);
+ if (!ok) {
+ char buf[DOM_SID_STR_BUFLEN];
+ dom_sid_string_buf(&sids[i], buf, sizeof(buf));
+ DBG_WARNING("Could not convert SID %s to uid\n", buf);
+ /* No idea what to return here... */
+ return NDR_ERR_INVALID_POINTER;
+ }
+
 list_item->quotas = talloc_zero(list_item, SMB_NTQUOTA_STRUCT);
 if (list_item->quotas == NULL) {
 DBG_ERR("failed to allocate\n");
-- 
2.13.7
From 01d9be278796e6ce73dd48939118ca492f08445c Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Tue, 7 Aug 2018 22:50:52 +0200
Subject: [PATCH 3/5] smbd: Fix CID 1438245 Dereference before null check
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13553
Signed-off-by: Volker Lendecke
Reviewed-by: Jeremy Allison
---
 source3/smbd/nttrans.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index bad904b9eb8..68470766f77 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -2459,7 +2459,7 @@ static enum ndr_err_code extract_sids_from_buf(TALLOC_CTX *mem_ctx,
 }
 }
 *sids = talloc_zero_array(mem_ctx, struct dom_sid, i);
- if (!sids) {
+ if (*sids == NULL) {
 DBG_ERR("OOM\n");
 err = NDR_ERR_ALLOC;
 goto done;
-- 
2.13.7
From ee3dd90a76f649b3bec5063cddf9293ed4d5a82c Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Wed, 8 Aug 2018 10:08:38 +0200
Subject: [PATCH 4/5] libsmb: Fix CID 1438244 Unsigned compared against 0
ndr_size_dom_sid returns a size_t, so that can't be <0. Also, the only case that ndr_size_dom_sid returns 0 is a NULL sid pointer. ndr_size_dom_sid can reasonably be assumed to not overflow, the number of sub-auths is a uint8. That times 4 plus 8 always fits into a size_t.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13553
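Review bot: The new `return NDR_ERR_INVALID_POINTER;` in the `@@ -2333,7 +2334,15 @@` hunk of patch 2/5 leaves fill_qtlist_from_sids without releasing `list_ctx`, which the context of patch 1/5 shows being created with `talloc_init("quota_sid_list")`. A talloc_init context has no parent, so unless it is freed somewhere outside the visible lines, every failed SID conversion would leak it together with whatever was already allocated under it. The SIDs presumably come from a client quota request (extract_sids_from_buf in the same file parses them), which would let a remote peer reach this failure path repeatedly. I would add `TALLOC_FREE(list_ctx);` before the return; the `return NDR_ERR_ALLOC;` visible just above has the same shape. The function body starts and ends outside the hunk, so the cleanup may already exist elsewhere.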
Signed-off-by: Volker Lendecke
Reviewed-by: Jeremy Allison
---
 source3/libsmb/cli_smb2_fnum.c | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
index 3537932c0d0..74f2f2ec4e4 100644
--- a/source3/libsmb/cli_smb2_fnum.c
+++ b/source3/libsmb/cli_smb2_fnum.c
@@ -2943,10 +2943,6 @@ NTSTATUS cli_smb2_get_user_quota(struct cli_state *cli,
 sid_len = ndr_size_dom_sid(&pqt->sid, 0);
 query.return_single = 1;
- if (sid_len < 0) {
- status = NT_STATUS_INVALID_PARAMETER;
- goto fail;
- }
 info.next_entry_offset = 0;
 info.sid_length = sid_len;
-- 
2.13.7
From 0c8174cf9221ce5635073bb4a29e782f81f67dc5 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Wed, 8 Aug 2018 10:14:26 +0200
Subject: [PATCH 5/5] libsmb: Fix CID 1438243 Unchecked return value
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13553
Signed-off-by: Volker Lendecke
Reviewed-by: Jeremy Allison
Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Wed Aug 8 23:10:22 CEST 2018 on sn-devel-144
---
 source3/libsmb/cliquota.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/source3/libsmb/cliquota.c b/source3/libsmb/cliquota.c
index 8efd2bbe38a..52f98eb9e8f 100644
--- a/source3/libsmb/cliquota.c
+++ b/source3/libsmb/cliquota.c
@@ -649,7 +649,14 @@ NTSTATUS fill_quota_buffer(TALLOC_CTX *mem_ctx,
 /* pidl will align to 8 bytes due to 8 byte members*/
 /* Remember how much align padding we've used. */
 padding = qndr->offset;
- ndr_push_align(qndr, 8);
+
+ err = ndr_push_align(qndr, 8);
+ if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
+ DBG_DEBUG("ndr_push_align returned %s\n",
+ ndr_map_error2string(err));
+ return ndr_map_error2ntstatus(err);
+ }
+
 padding = qndr->offset - padding;
 /*
-- 
2.13.7
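Review bot: The failure branch added after `err = ndr_push_align(qndr, 8);` in the `@@ -649,7 +649,14 @@` hunk of patch 5/5 returns straight out of fill_quota_buffer without releasing `qndr`. Where `qndr` is created is outside the hunk, so this only matters if it hangs off a long-lived `mem_ctx`; in that case `TALLOC_FREE(qndr);` before `return ndr_map_error2ntstatus(err);` would keep the error path from accumulating push buffers. The message is also logged with `DBG_DEBUG`, while the comparable failure in nttrans.c (patch 2/5) uses `DBG_WARNING`, so a failure here would likely not show up at default log levels.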