From fbb40d4b80a6e12f0f327a13d4f1fbf9110f0f2c Mon Sep 17 00:00:00 2001
From: Michael Hanselmann
Date: Sun, 17 Mar 2019 13:04:52 +0100
Subject: [PATCH 1/3] Fix typos in "valid"

s/vald/valid/

Signed-off-by: Michael Hanselmann
---
 source3/registry/regfio.c | 2 +-
 source3/torture/torture.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/source3/registry/regfio.c b/source3/registry/regfio.c
index 9bb89ff11d4..7e323da9dab 100644
--- a/source3/registry/regfio.c
+++ b/source3/registry/regfio.c
@@ -178,7 +178,7 @@ static int read_block( REGF_FILE *file, prs_struct *ps, uint32_t file_offset, ui
 return False;
 }
 if ( (returned == 0) && (bytes_read < block_size) ) {
- DEBUG(0,("read_block: not a vald registry file ?\n" ));
+ DEBUG(0,("read_block: not a valid registry file ?\n" ));
 return False;
 }
 
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index ac10de2fdcc..66796255912 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -9651,7 +9651,7 @@ static bool run_uid_regression_test(int dummy)
 goto out;
 }
 
- /* Now try a SMBtdis with the invald vuid set to zero. */
+ /* Now try a SMBtdis with the invalid vuid set to zero. */
 cli_state_set_uid(cli, 0);
 
 /* This should succeed. */
-- 
2.18.1

From 38f537c434ea1acaff5d81a663e96d77f9dbb686 Mon Sep 17 00:00:00 2001
From: Michael Hanselmann
Date: Sun, 17 Mar 2019 16:20:47 +0100
Subject: [PATCH 2/3] regfio: Use correct function names in debug information

Signed-off-by: Michael Hanselmann
---
 source3/registry/regfio.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/source3/registry/regfio.c b/source3/registry/regfio.c
index 7e323da9dab..ebc586c50be 100644
--- a/source3/registry/regfio.c
+++ b/source3/registry/regfio.c
@@ -305,7 +305,7 @@ static bool prs_hbin_block( const char *desc, prs_struct *ps, int depth, REGF_HB
 {
 uint32_t block_size2;
 
- prs_debug(ps, depth, desc, "prs_regf_block");
+ prs_debug(ps, depth, desc, "prs_hbin_block");
 depth++;
 
 if ( !prs_uint8s( True, "header", ps, depth, (uint8_t*)hbin->header, sizeof( hbin->header )) )
@@ -1019,7 +1019,7 @@ static bool hbin_prs_key( REGF_FILE *file, REGF_HBIN *hbin, REGF_NK_REC *nk )
 int depth = 0;
 REGF_HBIN *sub_hbin;
 
- prs_debug(&hbin->ps, depth, "", "fetch_key");
+ prs_debug(&hbin->ps, depth, "", "prs_key");
 depth++;
 
 /* get the initial nk record */
@@ -1238,7 +1238,7 @@ out:
 ZERO_STRUCTP( rb );
 rb->fd = -1;
 
- if ( !(rb->mem_ctx = talloc_init( "read_regf_block" )) ) {
+ if ( !(rb->mem_ctx = talloc_init( "regfio_open" )) ) {
 regfio_close( rb );
 return NULL;
 }
-- 
2.18.1

From 4bb3dd70d20778a286c500a1e248ab828c216fcb Mon Sep 17 00:00:00 2001
From: Michael Hanselmann
Date: Sun, 17 Mar 2019 13:49:20 +0100
Subject: [PATCH 3/3] Improve handling of malformed registry hive files

Identified using ASAN: Supplying a malformed registry hive file to the registry hive I/O code can lead to out-of-bounds reads.

Signed-off-by: Michael Hanselmann
---
 source3/registry/regfio.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/source3/registry/regfio.c b/source3/registry/regfio.c
index ebc586c50be..33b24489e97 100644
--- a/source3/registry/regfio.c
+++ b/source3/registry/regfio.c
@@ -1132,6 +1132,10 @@ static bool next_record( REGF_HBIN *hbin, const char *hdr, bool *eob )
 record_size = (record_size ^ 0xffffffff) + 1;
 }
 
+ if ( record_size < sizeof(REC_HDR_SIZE) ) {
+ return False;
+ }
+
 if ( memcmp( header, hdr, REC_HDR_SIZE ) == 0 ) {
 found = True;
 curr_off += sizeof(uint32_t);
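Review bot: The new guard in next_record, `if ( record_size < sizeof(REC_HDR_SIZE) )`, does not bound the record against the header length it names: `sizeof` applied to a constant yields the size of the constant's type, so if REC_HDR_SIZE is a plain integer macro the comparison is against `sizeof(int)`, which is a coincidence rather than a stated minimum. The hunk shows the header tag being compared with `memcmp( header, hdr, REC_HDR_SIZE )` and the cursor advanced by `sizeof(uint32_t)` past the size word, so if the intent is "a record must hold its size word plus the tag" the check should read `if ( record_size < sizeof(uint32_t) + REC_HDR_SIZE ) {`; if the intent is only to stop a zero-length record from stalling the scan, write `if ( record_size == 0 ) {` and say so. Either way a one-line comment such as `/* reject records too short to hold the size word and the REC_HDR_SIZE tag; a malformed hive must not let the scan loop stall or read past the record */` would make the bound reviewable. next_record's body begins and ends outside the hunk, so where `header` is read relative to this guard cannot be confirmed from here.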
@@ -1433,7 +1437,8 @@ REGF_NK_REC* regfio_rootkey( REGF_FILE *file )
 
 /* see if there is anything left to report */
 
- if ( !nk || (nk->subkeys_off==REGF_OFFSET_NONE) || (nk->subkey_index >= nk->num_subkeys) )
+ if ( !nk || !nk->subkeys.hashes || nk->subkey_index >= nk->subkeys.num_keys ||
+ (nk->subkeys_off==REGF_OFFSET_NONE) || (nk->subkey_index >= nk->num_subkeys) )
 return NULL;
 
 /* find the HBIN block which should contain the nk record */
-- 
2.18.1
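Review bot: The rewritten condition bounds `nk->subkey_index` against two different counts, `nk->subkeys.num_keys` and `nk->num_subkeys`, and additionally requires `nk->subkeys.hashes` to be non-NULL, but nothing on the line says why both counts are needed, so a later cleanup could collapse it back to the single check this commit is fixing. A why-comment above the `if` would carry the intent, e.g. `/* A malformed hive may claim more subkeys in the nk record (num_subkeys) than the parsed hash list actually holds (subkeys.num_keys), or no hash list at all; bound the index by both before indexing subkeys.hashes. */` — the relationship between the two counts is inferred from their names here, so confirm it against the code that fills `subkeys`. The enclosing function starts and ends outside the hunk, and the `@@` context name may not be the function this code lives in.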