The Samba-Bugzilla – Attachment 2725 Details for
Bug 4637
The security fix for CVE-2007-2446 has broken my Samba domain
[patch]
Patch for 3.0.25 backported to 3.0.24
patch-3.0.24 (text/plain), 15.93 KB, created by
SpOeK@DistroBit.Net
on 2007-05-23 12:16:41 UTC
Description:
Patch for 3.0.25 backported to 3.0.24
Creator:
SpOeK@DistroBit.Net
Created:
2007-05-23 12:16:41 UTC
Size:
15.93 KB
>Index: rpc_parse/parse_prs.c
>===================================================================
>--- rpc_parse/parse_prs.c (revision 23079)
>+++ rpc_parse/parse_prs.c (working copy)
>@@ -644,8 +644,12 @@
> return True;
>
> if (UNMARSHALLING(ps)) {
>- if ( !(*data = (void *)PRS_ALLOC_MEM(ps, char, data_size)) )
>- return False;
>+ if (data_size) {
>+ if ( !(*data = (void *)PRS_ALLOC_MEM(ps, char, data_size)) )
>+ return False;
>+ } else {
>+ *data = NULL;
>+ }
> }
>
> return prs_fn(name, ps, depth, *data);
>@@ -1016,16 +1020,16 @@
> if (q == NULL)
> return False;
>
>+ /* If the string is empty, we don't have anything to stream */
>+ if (str->buf_len==0)
>+ return True;
>+
> if (UNMARSHALLING(ps)) {
> str->buffer = PRS_ALLOC_MEM(ps,uint16,str->buf_len);
> if (str->buffer == NULL)
> return False;
> }
>
>- /* If the string is empty, we don't have anything to stream */
>- if (str->buf_len==0)
>- return True;
>-
> p = (char *)str->buffer;
>
> dbg_rw_punival(charmode, name, depth, ps, q, p, str->buf_len);
>@@ -1055,6 +1059,8 @@
> buf->buffer = PRS_ALLOC_MEM(ps, uint16, buf->buf_max_len);
> if ( buf->buffer == NULL )
> return False;
>+ } else {
>+ buf->buffer = NULL;
> }
> }
>
>@@ -1082,9 +1088,13 @@
> if (str->str_str_len > str->str_max_len) {
> return False;
> }
>- str->buffer = PRS_ALLOC_MEM(ps,unsigned char, str->str_max_len);
>- if (str->buffer == NULL)
>- return False;
>+ if (str->str_max_len) {
>+ str->buffer = PRS_ALLOC_MEM(ps,unsigned char, str->str_max_len);
>+ if (str->buffer == NULL)
>+ return False;
>+ } else {
>+ str->buffer = NULL;
>+ }
> }
>
> if (UNMARSHALLING(ps)) {
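Review bot: In the `@@ -1016,16 +1020,16 @@` hunk of rpc_parse/parse_prs.c, the `str->buf_len==0` early return now runs before the unmarshalling branch, so `str->buffer` keeps whatever value the struct already held, unlike the neighbouring hunks that assign `NULL` explicitly in the zero case. Consider `if (str->buf_len==0) { if (UNMARSHALLING(ps)) str->buffer = NULL; return True; }` so a zero-length string never leaves a stale pointer behind. The same applies to the guard-only hunks that turn `if (UNMARSHALLING(ps))` into `if (UNMARSHALLING(ps) && count)` in parse_srv.c, parse_lsa.c, parse_spoolss.c and parse_samr.c; whether those structs are zeroed before parsing is not visible here. The enclosing function starts and ends outside the hunk.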
>@@ -1129,9 +1139,13 @@
> if (str->uni_str_len > str->uni_max_len) {
> return False;
> }
>- str->buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_max_len);
>- if (str->buffer == NULL)
>- return False;
>+ if (str->uni_max_len) {
>+ str->buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_max_len);
>+ if (str->buffer == NULL)
>+ return False;
>+ } else {
>+ str->buffer = NULL;
>+ }
> }
>
> p = (char *)str->buffer;
>@@ -1156,9 +1170,13 @@
> return False;
>
> if (UNMARSHALLING(ps)) {
>- str->str.buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_str_len);
>- if (str->str.buffer == NULL)
>- return False;
>+ if (str->uni_str_len) {
>+ str->str.buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_str_len);
>+ if (str->str.buffer == NULL)
>+ return False;
>+ } else {
>+ str->str.buffer = NULL;
>+ }
> }
>
> p = (char *)str->str.buffer;
>Index: rpc_parse/parse_srv.c
>===================================================================
>--- rpc_parse/parse_srv.c (revision 23078)
>+++ rpc_parse/parse_srv.c (working copy)
>@@ -783,7 +783,7 @@
> int num_entries = ctr->num_entries;
> int i;
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && num_entries) {
> if (!(info0 = PRS_ALLOC_MEM(ps, SRV_SHARE_INFO_0, num_entries)))
> return False;
> ctr->share.info0 = info0;
>@@ -809,7 +809,7 @@
> int num_entries = ctr->num_entries;
> int i;
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && num_entries) {
> if (!(info1 = PRS_ALLOC_MEM(ps, SRV_SHARE_INFO_1, num_entries)))
> return False;
> ctr->share.info1 = info1;
>@@ -835,7 +835,7 @@
> int num_entries = ctr->num_entries;
> int i;
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && num_entries) {
> if (!(info2 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_2,num_entries)))
> return False;
> ctr->share.info2 = info2;
>@@ -860,7 +860,7 @@
> int num_entries = ctr->num_entries;
> int i;
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && num_entries) {
> if (!(info501 = PRS_ALLOC_MEM(ps, SRV_SHARE_INFO_501, num_entries)))
> return False;
> ctr->share.info501 = info501;
>@@ -885,7 +885,7 @@
> int num_entries = ctr->num_entries;
> int i;
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && num_entries) {
> if (!(info502 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_502,num_entries)))
> return False;
> ctr->share.info502 = info502;
>@@ -911,7 +911,7 @@
> int num_entries = ctr->num_entries;
> int i;
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && num_entries) {
> if (!(info1004 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1004,num_entries)))
> return False;
> ctr->share.info1004 = info1004;
>@@ -937,7 +937,7 @@
> int num_entries = ctr->num_entries;
> int i;
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && num_entries) {
> if (!(info1005 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1005,num_entries)))
> return False;
> ctr->share.info1005 = info1005;
>@@ -957,7 +957,7 @@
> int num_entries = ctr->num_entries;
> int i;
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && num_entries) {
> if (!(info1006 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1006,num_entries)))
> return False;
> ctr->share.info1006 = info1006;
>@@ -977,7 +977,7 @@
> int num_entries = ctr->num_entries;
> int i;
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && num_entries) {
> if (!(info1007 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1007,num_entries)))
> return False;
> ctr->share.info1007 = info1007;
>@@ -1003,7 +1003,7 @@
> int num_entries = ctr->num_entries;
> int i;
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && num_entries) {
> if (!(info1501 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1501,num_entries)))
> return False;
> ctr->share.info1501 = info1501;
>@@ -2466,7 +2466,7 @@
> int num_entries = ctr->num_entries;
> int i;
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && num_entries) {
> if (!(info3 = PRS_ALLOC_MEM(ps, SRV_FILE_INFO_3, num_entries)))
> return False;
> ctr->file.info3 = info3;
>@@ -3246,7 +3246,7 @@
>
> r_n->disk_enum_ctr.entries_read = entries_read3;
>
>- if(UNMARSHALLING(ps)) {
>+ if(UNMARSHALLING(ps) && entries_read3) {
>
> DISK_INFO *dinfo;
>
>@@ -3255,7 +3255,7 @@
> r_n->disk_enum_ctr.disk_info = dinfo;
> }
>
>- for(i=0; i < r_n->disk_enum_ctr.entries_read; i++) {
>+ for(i=0; i < entries_read3; i++) {
>
> if(!prs_uint32("unknown", ps, depth, &r_n->disk_enum_ctr.disk_info[i].unknown))
> return False;
>Index: rpc_parse/parse_lsa.c
>===================================================================
>--- rpc_parse/parse_lsa.c (revision 23078)
>+++ rpc_parse/parse_lsa.c (working copy)
>@@ -1178,7 +1178,7 @@
>
> /* Mallocate memory if we're unpacking from the wire */
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && sen->num_entries) {
> if ((sen->ptr_sid = PRS_ALLOC_MEM( ps, uint32, sen->num_entries)) == NULL) {
> DEBUG(3, ("init_lsa_sid_enum(): out of memory for "
> "ptr_sid\n"));
>@@ -1361,7 +1361,7 @@
> return False;
> }
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && trn->num_entries2) {
> if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries2)) == NULL) {
> return False;
> }
>@@ -1423,7 +1423,7 @@
> return False;
> }
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && trn->num_entries2) {
> if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries2)) == NULL) {
> return False;
> }
>@@ -1700,7 +1700,7 @@
> return False;
> }
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && out->num_entries2) {
> if ((out->dom_rid = PRS_ALLOC_MEM(ps, DOM_RID, out->num_entries2))
> == NULL) {
> DEBUG(3, ("lsa_io_r_lookup_names(): out of memory\n"));
>@@ -1825,7 +1825,7 @@
> return False;
> }
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && out->num_entries2) {
> if ((out->dom_rid = PRS_ALLOC_MEM(ps, DOM_RID2, out->num_entries2))
> == NULL) {
> DEBUG(3, ("lsa_io_r_lookup_names2(): out of memory\n"));
>@@ -1978,7 +1978,7 @@
> return False;
> }
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && out->num_entries2) {
> if ((out->trans_sids = PRS_ALLOC_MEM(ps, LSA_TRANSLATED_SID3, out->num_entries2))
> == NULL) {
> DEBUG(3, ("lsa_io_r_lookup_names3(): out of memory\n"));
>@@ -2107,7 +2107,7 @@
> return False;
> }
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && out->num_entries2) {
> if ((out->trans_sids = PRS_ALLOC_MEM(ps, LSA_TRANSLATED_SID3, out->num_entries2))
> == NULL) {
> DEBUG(3, ("lsa_io_r_lookup_names4(): out of memory\n"));
>@@ -2346,7 +2346,7 @@
> if(!prs_uint32("count1", ps, depth, &out->count1))
> return False;
>
>- if (UNMARSHALLING(ps))
>+ if (UNMARSHALLING(ps) && out->count1)
> if (!(out->privs = PRS_ALLOC_MEM(ps, LSA_PRIV_ENTRY, out->count1)))
> return False;
>
>@@ -3908,7 +3908,7 @@
> prs_debug(ps, depth, desc, "smb_io_lsa_data_buf");
> depth++;
>
>- if ( UNMARSHALLING(ps) ) {
>+ if ( UNMARSHALLING(ps) && length ) {
> if ( !(buf->data = PRS_ALLOC_MEM( ps, uint8, length )) )
> return False;
> }
>@@ -3922,7 +3922,7 @@
> if (!prs_uint32("length", ps, depth, &buf->length))
> return False;
>
>- if(!prs_uint8s(False, "data", ps, depth, buf->data, size))
>+ if(!prs_uint8s(False, "data", ps, depth, buf->data, length))
> return False;
>
> return True;
>Index: rpc_parse/parse_net.c
>===================================================================
>--- rpc_parse/parse_net.c (revision 23078)
>+++ rpc_parse/parse_net.c (working copy)
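Review bot: In the `@@ -3922,7 +3922,7 @@` hunk of rpc_parse/parse_lsa.c, `buf->length` is read from the stream immediately before `prs_uint8s` copies `length` bytes into `buf->data`, and nothing visible ties the two values together. The copy is now bounded by the same `length` that sizes the allocation in the `@@ -3908,7 +3908,7 @@` hunk, but a later consumer that trusts `buf->length` could still read past the `length` bytes that were allocated. A check such as `if (UNMARSHALLING(ps) && buf->length > (uint32)length) return False;` before the copy would make the stored length safe to rely on. The declaration of `length` and the rest of the function are outside the hunk, so the cast is an assumption about its type.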
>@@ -1729,9 +1729,13 @@
> }
>
> if (UNMARSHALLING(ps)) {
>- usr->gids = PRS_ALLOC_MEM(ps, DOM_GID, usr->num_groups);
>- if (usr->gids == NULL)
>- return False;
>+ if (usr->num_groups) {
>+ usr->gids = PRS_ALLOC_MEM(ps, DOM_GID, usr->num_groups);
>+ if (usr->gids == NULL)
>+ return False;
>+ } else {
>+ usr->gids = NULL;
>+ }
> }
>
> for (i = 0; i < usr->num_groups; i++) {
>@@ -1764,10 +1768,15 @@
> return False;
>
> if (UNMARSHALLING(ps)) {
>- usr->other_sids = PRS_ALLOC_MEM(ps, DOM_SID2, usr->num_other_sids);
>- usr->other_sids_attrib =
>- PRS_ALLOC_MEM(ps, uint32, usr->num_other_sids);
>-
>+ if (usr->num_other_sids) {
>+ usr->other_sids = PRS_ALLOC_MEM(ps, DOM_SID2, usr->num_other_sids);
>+ usr->other_sids_attrib =
>+ PRS_ALLOC_MEM(ps, uint32, usr->num_other_sids);
>+ } else {
>+ usr->other_sids = NULL;
>+ usr->other_sids_attrib = NULL;
>+ }
>+
> if ((num_other_sids != 0) &&
> ((usr->other_sids == NULL) ||
> (usr->other_sids_attrib == NULL)))
>Index: rpc_parse/parse_spoolss.c
>===================================================================
>--- rpc_parse/parse_spoolss.c (revision 23078)
>+++ rpc_parse/parse_spoolss.c (working copy)
>@@ -256,7 +256,7 @@
> return False;
>
> /* reading */
>- if (UNMARSHALLING(ps))
>+ if (UNMARSHALLING(ps) && ctr->count)
> if((ctr->type=PRS_ALLOC_MEM(ps,SPOOL_NOTIFY_OPTION_TYPE,ctr->count)) == NULL)
> return False;
>
>@@ -415,7 +415,7 @@
> if(!prs_uint32("string length", ps, depth, &data->notify_data.data.length))
> return False;
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && data->notify_data.data.length) {
> data->notify_data.data.string = PRS_ALLOC_MEM(ps, uint16,
> data->notify_data.data.length);
>
>@@ -434,7 +434,7 @@
>
> case NOTIFY_POINTER:
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && data->notify_data.data.length) {
> data->notify_data.data.string = PRS_ALLOC_MEM(ps, uint16,
> data->notify_data.data.length);
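Review bot: In the `@@ -1764,10 +1768,15 @@` hunk of rpc_parse/parse_net.c, the two allocations are guarded and sized by `usr->num_other_sids`, but the failure check that follows tests the local `num_other_sids`. If the two values can differ, a failed allocation while the local is zero goes undetected; testing the field that actually sized the allocation, `if ((usr->num_other_sids != 0) &&`, removes that dependency. Any equality check between the two counts would sit outside the hunk, as does the rest of the function.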
>
>@@ -494,9 +494,13 @@
>
> /* Tallocate memory for string */
>
>- data->notify_data.data.string = PRS_ALLOC_MEM(ps, uint16, x * 2);
>- if (!data->notify_data.data.string)
>- return False;
>+ if (x) {
>+ data->notify_data.data.string = PRS_ALLOC_MEM(ps, uint16, x * 2);
>+ if (!data->notify_data.data.string)
>+ return False;
>+ } else {
>+ data->notify_data.data.string = NULL;
>+ }
>
> if(!prs_uint16uni(True,"string",ps,depth,data->notify_data.data.string,x))
> return False;
>@@ -6005,14 +6009,14 @@
> case REG_BINARY:
> case REG_DWORD:
> case REG_MULTI_SZ:
>- if (q_u->max_len) {
>- if (UNMARSHALLING(ps))
>- q_u->data=PRS_ALLOC_MEM(ps, uint8, q_u->max_len);
>- if(q_u->data == NULL)
>- return False;
>- if(!prs_uint8s(False,"data", ps, depth, q_u->data, q_u->max_len))
>- return False;
>- }
>+ if (q_u->max_len) {
>+ if (UNMARSHALLING(ps))
>+ q_u->data=PRS_ALLOC_MEM(ps, uint8, q_u->max_len);
>+ if(q_u->data == NULL)
>+ return False;
>+ if(!prs_uint8s(False,"data", ps, depth, q_u->data, q_u->max_len))
>+ return False;
>+ }
> if(!prs_align(ps))
> return False;
> break;
>@@ -7035,7 +7039,7 @@
>
> /* first loop to write basic enum_value information */
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && ctr->size_of_array) {
> ctr->values = PRS_ALLOC_MEM(ps, PRINTER_ENUM_VALUES, ctr->size_of_array);
> if (!ctr->values)
> return False;
>Index: rpc_parse/parse_samr.c
>===================================================================
>--- rpc_parse/parse_samr.c (revision 23078)
>+++ rpc_parse/parse_samr.c (working copy)
>@@ -3328,7 +3328,7 @@
> if(!prs_uint32("num_entries3", ps, depth, &r_u->num_entries3))
> return False;
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && r_u->num_entries2) {
> r_u->sam = PRS_ALLOC_MEM(ps,SAM_ENTRY,r_u->num_entries2);
> r_u->uni_dom_name = PRS_ALLOC_MEM(ps,UNISTR2,r_u->num_entries2);
> }
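Review bot: In the `@@ -494,9 +494,13 @@` hunk of rpc_parse/parse_spoolss.c, the new `if (x)` guard tests `x` while the allocation count is `x * 2`, so the guard does not cover the product wrapping for a large `x`. The type and origin of `x`, and whether `PRS_ALLOC_MEM` validates its count, are outside the hunk; if `x` is derived from the wire, bound it before multiplying, or size the allocation by `x`, which is the element count `prs_uint16uni(..., x)` consumes a few lines later. A short comment such as `/* x is the character count; twice that is allocated because ... */` would also record why the factor of two is there.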
>@@ -3467,7 +3467,7 @@
> if(!prs_uint32("num_entries3", ps, depth, &r_u->num_entries3))
> return False;
>
>- if (UNMARSHALLING(ps)) {
>+ if (UNMARSHALLING(ps) && r_u->num_entries2) {
> r_u->sam = PRS_ALLOC_MEM(ps,SAM_ENTRY,r_u->num_entries2);
> r_u->uni_grp_name = PRS_ALLOC_MEM(ps,UNISTR2,r_u->num_entries2);
> }
>@@ -4997,12 +4997,13 @@
> return False;
> }
>
>- if (UNMARSHALLING(ps))
>+ if (UNMARSHALLING(ps) && r_u->num_rids2) {
> r_u->rids = PRS_ALLOC_MEM(ps, uint32, r_u->num_rids2);
>
>- if (!r_u->rids) {
>- DEBUG(0, ("NULL rids in samr_io_r_lookup_names\n"));
>- return False;
>+ if (!r_u->rids) {
>+ DEBUG(0, ("NULL rids in samr_io_r_lookup_names\n"));
>+ return False;
>+ }
> }
>
> for (i = 0; i < r_u->num_rids2; i++) {
>@@ -5026,12 +5027,13 @@
> return False;
> }
>
>- if (UNMARSHALLING(ps))
>+ if (UNMARSHALLING(ps) && r_u->num_types2) {
> r_u->types = PRS_ALLOC_MEM(ps, uint32, r_u->num_types2);
>
>- if (!r_u->types) {
>- DEBUG(0, ("NULL types in samr_io_r_lookup_names\n"));
>- return False;
>+ if (!r_u->types) {
>+ DEBUG(0, ("NULL types in samr_io_r_lookup_names\n"));
>+ return False;
>+ }
> }
>
> for (i = 0; i < r_u->num_types2; i++) {
>Index: libads/authdata.c
>===================================================================
>--- libads/authdata.c (revision 23078)
>+++ libads/authdata.c (working copy)
>@@ -120,10 +120,14 @@
> return False;
>
> if (UNMARSHALLING(ps)) {
>- array->krb_sid_and_attrs = PRS_ALLOC_MEM(ps, KRB_SID_AND_ATTRS, num);
>- if (!array->krb_sid_and_attrs) {
>- DEBUG(3, ("No memory available\n"));
>- return False;
>+ if (num) {
>+ array->krb_sid_and_attrs = PRS_ALLOC_MEM(ps, KRB_SID_AND_ATTRS, num);
>+ if (!array->krb_sid_and_attrs) {
>+ DEBUG(3, ("No memory available\n"));
>+ return False;
>+ }
>+ } else {
>+ array->krb_sid_and_attrs = NULL;
> }
> }
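Review bot: In the `@@ -4997,12 +4997,13 @@` hunk of rpc_parse/parse_samr.c, the `!r_u->rids` check moved inside the unmarshalling branch, so on the marshalling path a NULL `rids` with a non-zero `num_rids2` is no longer rejected before the `for (i = 0; i < r_u->num_rids2; i++)` loop. The loop body is outside the hunk, so that it indexes `r_u->rids` is an assumption; if it does, keep a direction-independent guard after the allocation block, `if (r_u->num_rids2 && !r_u->rids) return False;`. The `@@ -5026,12 +5027,13 @@` hunk has the same shape for `r_u->types` and `r_u->num_types2`.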
>
>@@ -184,10 +188,14 @@
> return False;
>
> if (UNMARSHALLING(ps)) {
>- array->group_membership = PRS_ALLOC_MEM(ps, GROUP_MEMBERSHIP, num);
>- if (!array->group_membership) {
>- DEBUG(3, ("No memory available\n"));
>- return False;
>+ if (num) {
>+ array->group_membership = PRS_ALLOC_MEM(ps, GROUP_MEMBERSHIP, num);
>+ if (!array->group_membership) {
>+ DEBUG(3, ("No memory available\n"));
>+ return False;
>+ }
>+ } else {
>+ array->group_membership = NULL;
> }
> }
>
>@@ -456,10 +464,14 @@
> return False;
>
> if (UNMARSHALLING(ps) && length) {
>- data->signature.buffer = PRS_ALLOC_MEM(ps, uint8, siglen);
>- if (!data->signature.buffer) {
>- DEBUG(3, ("No memory available\n"));
>- return False;
>+ if (siglen) {
>+ data->signature.buffer = PRS_ALLOC_MEM(ps, uint8, siglen);
>+ if (!data->signature.buffer) {
>+ DEBUG(3, ("No memory available\n"));
>+ return False;
>+ }
>+ } else {
>+ data->signature.buffer = NULL;
> }
> }
>
>Index: registry/regfio.c
>===================================================================
>--- registry/regfio.c (revision 23078)
>+++ registry/regfio.c (working copy)
>@@ -642,8 +642,12 @@
> return False;
>
> if ( UNMARSHALLING(&hbin->ps) ) {
>- if ( !(lf->hashes = PRS_ALLOC_MEM( &hbin->ps, REGF_HASH_REC, lf->num_keys )) )
>- return False;
>+ if (lf->num_keys) {
>+ if ( !(lf->hashes = PRS_ALLOC_MEM( &hbin->ps, REGF_HASH_REC, lf->num_keys )) )
>+ return False;
>+ } else {
>+ lf->hashes = NULL;
>+ }
> }
>
> for ( i=0; i<lf->num_keys; i++ ) {
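Review bot: In the `@@ -456,10 +464,14 @@` hunk of libads/authdata.c, the new `else` that sets `data->signature.buffer = NULL` is only reached when `length` is non-zero, so with `length == 0` the pointer is still left unassigned. The outer guard tests `length` while the allocation is sized by `siglen`; how `siglen` is derived is outside the hunk, and if it is computed from `length` by subtraction, a too-short `length` should be rejected before that point. Folding both tests into one branch, `if (UNMARSHALLING(ps)) { if (length && siglen) { ... } else { data->signature.buffer = NULL; } }`, covers every zero case.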