The Samba-Bugzilla – Attachment 14951 Details for
Bug 13840
Read out of bounds in binary registry file parsing
[patch]
The Gitlab patch Andrew meant to attach
304.patch (text/plain), 4.12 KB, created by
Douglas Bagnall
on 2019-03-19 21:59:41 UTC
Description:
The Gitlab patch Andrew meant to attach
Filename:
MIME Type:
Creator:
Douglas Bagnall
Created:
2019-03-19 21:59:41 UTC
Size:
4.12 KB
>From fbb40d4b80a6e12f0f327a13d4f1fbf9110f0f2c Mon Sep 17 00:00:00 2001
>From: Michael Hanselmann <public@hansmi.ch>
>Date: Sun, 17 Mar 2019 13:04:52 +0100
>Subject: [PATCH 1/3] Fix typos in "valid"
>
>s/vald/valid/
>
>Signed-off-by: Michael Hanselmann <public@hansmi.ch>
>---
> source3/registry/regfio.c | 2 +-
> source3/torture/torture.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/source3/registry/regfio.c b/source3/registry/regfio.c
>index 9bb89ff11d4..7e323da9dab 100644
>--- a/source3/registry/regfio.c
>+++ b/source3/registry/regfio.c
>@@ -178,7 +178,7 @@ static int read_block( REGF_FILE *file, prs_struct *ps, uint32_t file_offset, ui
> return False;
> }
> if ( (returned == 0) && (bytes_read < block_size) ) {
>- DEBUG(0,("read_block: not a vald registry file ?\n" ));
>+ DEBUG(0,("read_block: not a valid registry file ?\n" ));
> return False;
> }
>
>diff --git a/source3/torture/torture.c b/source3/torture/torture.c
>index ac10de2fdcc..66796255912 100644
>--- a/source3/torture/torture.c
>+++ b/source3/torture/torture.c
>@@ -9651,7 +9651,7 @@ static bool run_uid_regression_test(int dummy)
> goto out;
> }
>
>- /* Now try a SMBtdis with the invald vuid set to zero. */
>+ /* Now try a SMBtdis with the invalid vuid set to zero. */
> cli_state_set_uid(cli, 0);
>
> /* This should succeed. */
>--
>2.18.1
>
>
>From 38f537c434ea1acaff5d81a663e96d77f9dbb686 Mon Sep 17 00:00:00 2001
>From: Michael Hanselmann <public@hansmi.ch>
>Date: Sun, 17 Mar 2019 16:20:47 +0100
>Subject: [PATCH 2/3] regfio: Use correct function names in debug information
>
>Signed-off-by: Michael Hanselmann <public@hansmi.ch>
>---
> source3/registry/regfio.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
>diff --git a/source3/registry/regfio.c b/source3/registry/regfio.c
>index 7e323da9dab..ebc586c50be 100644
>--- a/source3/registry/regfio.c
>+++ b/source3/registry/regfio.c
>@@ -305,7 +305,7 @@ static bool prs_hbin_block( const char *desc, prs_struct *ps, int depth, REGF_HB
> {
> uint32_t block_size2;
>
>- prs_debug(ps, depth, desc, "prs_regf_block");
>+ prs_debug(ps, depth, desc, "prs_hbin_block");
> depth++;
>
> if ( !prs_uint8s( True, "header", ps, depth, (uint8_t*)hbin->header, sizeof( hbin->header )) )
>@@ -1019,7 +1019,7 @@ static bool hbin_prs_key( REGF_FILE *file, REGF_HBIN *hbin, REGF_NK_REC *nk )
> int depth = 0;
> REGF_HBIN *sub_hbin;
>
>- prs_debug(&hbin->ps, depth, "", "fetch_key");
>+ prs_debug(&hbin->ps, depth, "", "prs_key");
> depth++;
>
> /* get the initial nk record */
>@@ -1238,7 +1238,7 @@ out:
> ZERO_STRUCTP( rb );
> rb->fd = -1;
>
>- if ( !(rb->mem_ctx = talloc_init( "read_regf_block" )) ) {
>+ if ( !(rb->mem_ctx = talloc_init( "regfio_open" )) ) {
> regfio_close( rb );
> return NULL;
> }
>--
>2.18.1
>
>
>From 4bb3dd70d20778a286c500a1e248ab828c216fcb Mon Sep 17 00:00:00 2001
>From: Michael Hanselmann <public@hansmi.ch>
>Date: Sun, 17 Mar 2019 13:49:20 +0100
>Subject: [PATCH 3/3] Improve handling of malformed registry hive files
>
>Identified using ASAN: Supplying a malformed registry hive file to the
>registry hive I/O code can lead to out-of-bounds reads.
>
>Signed-off-by: Michael Hanselmann <public@hansmi.ch>
>---
> source3/registry/regfio.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
>diff --git a/source3/registry/regfio.c b/source3/registry/regfio.c
>index ebc586c50be..33b24489e97 100644
>--- a/source3/registry/regfio.c
>+++ b/source3/registry/regfio.c
>@@ -1132,6 +1132,10 @@ static bool next_record( REGF_HBIN *hbin, const char *hdr, bool *eob )
> record_size = (record_size ^ 0xffffffff) + 1;
> }
>
>+ if ( record_size < sizeof(REC_HDR_SIZE) ) {
>+ return False;
>+ }
>+
> if ( memcmp( header, hdr, REC_HDR_SIZE ) == 0 ) {
> found = True;
> curr_off += sizeof(uint32_t);
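Review bot: The added guard in next_record compares record_size with `sizeof(REC_HDR_SIZE)`, which is the size of the macro's expression type rather than the header length that the `memcmp` on the following context line passes as `REC_HDR_SIZE`. If REC_HDR_SIZE is a plain integer constant, as that use suggests, the threshold is effectively sizeof(int) and unrelated to the header length. Stating the minimum directly, e.g. `if ( record_size < sizeof(uint32_t) + REC_HDR_SIZE ) {`, would say what is actually required; the exact minimum depends on whether record_size counts its own length field, which the hunk does not show. The guard is also only a lower bound: whether record_size is checked against the bytes remaining in the block is decided in the part of next_record that lies outside the hunk.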
>@@ -1433,7 +1437,8 @@ REGF_NK_REC* regfio_rootkey( REGF_FILE *file )
>
> /* see if there is anything left to report */
>
>- if ( !nk || (nk->subkeys_off==REGF_OFFSET_NONE) || (nk->subkey_index >= nk->num_subkeys) )
>+ if ( !nk || !nk->subkeys.hashes || nk->subkey_index >= nk->subkeys.num_keys ||
>+ (nk->subkeys_off==REGF_OFFSET_NONE) || (nk->subkey_index >= nk->num_subkeys) )
> return NULL;
>
> /* find the HBIN block which should contain the nk record */
>--
>2.18.1
>
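Review bot: The widened condition now tests subkey_index against two counts, `nk->subkeys.num_keys` and `nk->num_subkeys`, and returns NULL without saying which one failed, so a hive whose two counts disagree looks the same as a normal end of iteration. A short comment above the `if` would record why both are needed, for example `/* hashes[] is sized by subkeys.num_keys; num_subkeys comes from the nk record and may disagree in a malformed hive */` (the sizing is presumed from the field names, since the code that indexes hashes is below the hunk). A DEBUG line for the mismatch case would also help whoever triages a rejected file. The hunk header names regfio_rootkey only as the nearest preceding function; the function being changed starts outside the hunk.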