The Samba-Bugzilla – Attachment 8588 Details for
Bug 9687
Fix several possible null pointer dereferences
[patch]
v4-0-test patch
look (text/plain), 7.96 KB, created by
Andreas Schneider
on 2013-02-26 15:21:50 UTC
Description:
v4-0-test patch
Filename:
MIME Type:
Creator:
Andreas Schneider
Created:
2013-02-26 15:21:50 UTC
Size:
7.96 KB
patch
obsolete
>From efb360374912c1d8824b9bd6c09016cf42190ecb Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Mon, 18 Feb 2013 17:11:15 +0100
>Subject: [PATCH 1/7] libsmb: Fix possible null pointer dereference.
> Reviewed-by: Alexander Bokovoy <ab@samba.org>
>
>---
> source3/libsmb/libsmb_xattr.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/source3/libsmb/libsmb_xattr.c b/source3/libsmb/libsmb_xattr.c
>index 03cdc34..c2ba61f 100644
>--- a/source3/libsmb/libsmb_xattr.c
>+++ b/source3/libsmb/libsmb_xattr.c
>@@ -351,7 +351,7 @@ parse_ace(struct cli_state *ipc_cli,
> goto done;
> }
>
>- for (v = standard_values; v->perm; v++) {
>+ for (v = standard_values; v != NULL; v++) {
> if (strcmp(tok, v->perm) == 0) {
> amask = v->mask;
> goto done;
>@@ -363,7 +363,7 @@ parse_ace(struct cli_state *ipc_cli,
> while(*p) {
> bool found = False;
>
>- for (v = special_values; v->perm; v++) {
>+ for (v = special_values; v != NULL; v++) {
> if (v->perm[0] == *p) {
> amask |= v->mask;
> found = True;
>--
>1.8.1.4
>
>
>From 191e9997456e16fa282acb5bef726239cf731a05 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Mon, 18 Feb 2013 17:21:31 +0100
>Subject: [PATCH 2/7] nmbd: Fix request data data processing.
>
>answers->rdata is an array and will never be NULL.
>Reviewed-by: Alexander Bokovoy <ab@samba.org>
>---
> source3/nmbd/nmbd_browsesync.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/source3/nmbd/nmbd_browsesync.c b/source3/nmbd/nmbd_browsesync.c
>index b56baed..03d0ada 100644
>--- a/source3/nmbd/nmbd_browsesync.c
>+++ b/source3/nmbd/nmbd_browsesync.c
>@@ -194,7 +194,7 @@ static void domain_master_node_status_success(struct subnet_record *subrec,
> /* Go through the list of names found at answers->rdata and look for
> the first SERVER<0x20> name. */
>
>- if(answers->rdata != NULL) {
>+ if (answers->rdlength > 0) {
> char *p = answers->rdata;
> int numnames = CVAL(p, 0);
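Review bot: The new loop condition `v != NULL` in parse_ace can never become false, because `v` is a pointer stepped through an array and incrementing it never yields NULL. The removed test `v->perm` suggests both tables end with an entry whose `perm` is NULL (the table definitions are outside the hunk), so a token that matches no entry now reaches that terminator, hands a NULL `perm` to `strcmp`, and would otherwise keep reading past the end of the table. The second hunk has the same problem, dereferencing `v->perm[0]` while walking `special_values`. Keep the sentinel test and make it explicit instead: `for (v = standard_values; v->perm != NULL; v++) {` and `for (v = special_values; v->perm != NULL; v++) {`.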
>
>@@ -417,7 +417,7 @@ static void get_domain_master_name_node_status_success(struct subnet_record *sub
> * the first WORKGROUP<0x1b> name.
> */
>
>- if(answers->rdata != NULL) {
>+ if (answers->rdlength > 0) {
> char *p = answers->rdata;
> int numnames = CVAL(p, 0);
>
>--
>1.8.1.4
>
>
>From 5597a614bc43ee425e96ff99098246942529dd8f Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Mon, 18 Feb 2013 17:30:19 +0100
>Subject: [PATCH 3/7] s3-tldap: Make sure we don't deref a null pointer.
> Reviewed-by: Alexander Bokovoy <ab@samba.org>
>
>---
> source3/lib/tldap.c | 3 +++
> 1 file changed, 3 insertions(+)
>
>diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c
>index 8b04d00..3782708 100644
>--- a/source3/lib/tldap.c
>+++ b/source3/lib/tldap.c
>@@ -1370,6 +1370,9 @@ static bool tldap_push_filter_basic(struct tldap_context *ld,
> dn++;
>
> rule = strchr(dn, ':');
>+ if (rule == NULL) {
>+ return false;
>+ }
> if ((rule == dn + 1) || rule + 1 == e) {
> /* malformed filter, contains "::" */
> return false;
>--
>1.8.1.4
>
>
>From 1859f662b0078a71350ccbf9a8675f53cd9cb321 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Mon, 18 Feb 2013 17:32:28 +0100
>Subject: [PATCH 4/7] librpc: Add NULL check for ndr functions for epm
> bindings.
>
>Reviewed-by: Alexander Bokovoy <ab@samba.org>
>---
> librpc/rpc/binding.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
>diff --git a/librpc/rpc/binding.c b/librpc/rpc/binding.c
>index f7fbbbc..2fa325f 100644
>--- a/librpc/rpc/binding.c
>+++ b/librpc/rpc/binding.c
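Review bot: The check `answers->rdlength > 0` only guarantees that the count byte read by `CVAL(p, 0)` is present; `numnames` comes from the reply itself and is not compared with `rdlength` anywhere in the visible lines. Both functions continue outside their hunks, so if the code that follows walks `numnames` name entries starting at `p`, a short or malformed node status reply could make it read beyond the data that was actually received. That walk should be bounded by `rdlength`, and the check deserves a comment such as `/* rdata is a fixed array; rdlength is how much of it the reply filled */`. The same applies to the second hunk, in get_domain_master_name_node_status_success.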
>@@ -424,7 +424,12 @@ _PUBLIC_ NTSTATUS dcerpc_floor_get_lhs_data(const struct epm_floor *epm_floor,
> static DATA_BLOB dcerpc_floor_pack_lhs_data(TALLOC_CTX *mem_ctx, const struct ndr_syntax_id *syntax)
> {
> DATA_BLOB blob;
>- struct ndr_push *ndr = ndr_push_init_ctx(mem_ctx);
>+ struct ndr_push *ndr;
>+
>+ ndr = ndr_push_init_ctx(mem_ctx);
>+ if (ndr == NULL) {
>+ return data_blob_null;
>+ }
>
> ndr->flags |= LIBNDR_FLAG_NOALIGN;
>
>--
>1.8.1.4
>
>
>From 25b160492351b6805da3205b09db183334da1690 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Mon, 18 Feb 2013 18:00:38 +0100
>Subject: [PATCH 5/7] s4-libcli: Check return code of smbcli_request_setup().
> Reviewed-by: Alexander Bokovoy <ab@samba.org>
>
>---
> source4/libcli/raw/rawfsinfo.c | 3 +++
> 1 file changed, 3 insertions(+)
>
>diff --git a/source4/libcli/raw/rawfsinfo.c b/source4/libcli/raw/rawfsinfo.c
>index 08f68dd..9c03e14 100644
>--- a/source4/libcli/raw/rawfsinfo.c
>+++ b/source4/libcli/raw/rawfsinfo.c
>@@ -33,6 +33,9 @@ static struct smbcli_request *smb_raw_dskattr_send(struct smbcli_tree *tree,
> struct smbcli_request *req;
>
> req = smbcli_request_setup(tree, SMBdskattr, 0, 0);
>+ if (req == NULL) {
>+ return NULL;
>+ }
>
> if (!smbcli_request_send(req)) {
> smbcli_request_destroy(req);
>--
>1.8.1.4
>
>
>From 93f78fd01ac3c18d8a1fc8cb48075b0db26a4b32 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Tue, 19 Feb 2013 08:58:00 +0100
>Subject: [PATCH 6/7] pyauth: Check return value of lpcfg_from_py_object().
> Reviewed-by: Alexander Bokovoy <ab@samba.org>
>
>---
> source4/auth/pyauth.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
>diff --git a/source4/auth/pyauth.c b/source4/auth/pyauth.c
>index f07fa78..437e671 100644
>--- a/source4/auth/pyauth.c
>+++ b/source4/auth/pyauth.c
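Review bot: On allocation failure dcerpc_floor_pack_lhs_data now returns `data_blob_null`, which a caller can only tell apart from a packed blob by testing `blob.data`; the callers are outside the hunk, so whether they do that is not visible here. A one-line contract comment above the function would make the new failure mode explicit, for example `/* Returns data_blob_null if the ndr push context cannot be allocated; callers must check blob.data. */`. The rest of the function body lies outside the hunk.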
>@@ -245,6 +245,10 @@ static PyObject *py_auth_context_new(PyTypeObject *type, PyObject *args, PyObjec
> }
>
> lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
>+ if (lp_ctx == NULL) {
>+ PyErr_NoMemory();
>+ return NULL;
>+ }
>
> ev = s4_event_context_init(mem_ctx);
> if (ev == NULL) {
>--
>1.8.1.4
>
>
>From 1d845c607fab15b62eb1e21ded54f521b14202a1 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Tue, 19 Feb 2013 09:00:51 +0100
>Subject: [PATCH 7/7] s4-libcli: Check return value of smbcli_request_setup().
> Reviewed-by: Alexander Bokovoy <ab@samba.org>
>
>---
> source4/libcli/climessage.c | 9 +++++++++
> source4/libcli/raw/clioplock.c | 3 +++
> source4/libcli/raw/clitree.c | 3 +++
> 3 files changed, 15 insertions(+)
>
>diff --git a/source4/libcli/climessage.c b/source4/libcli/climessage.c
>index 5ed0e8e..3e9808c 100644
>--- a/source4/libcli/climessage.c
>+++ b/source4/libcli/climessage.c
>@@ -33,6 +33,9 @@ bool smbcli_message_start(struct smbcli_tree *tree, const char *host, const char
> struct smbcli_request *req;
>
> req = smbcli_request_setup(tree, SMBsendstrt, 0, 0);
>+ if (req == NULL) {
>+ return false;
>+ }
> smbcli_req_append_string(req, username, STR_TERMINATE);
> smbcli_req_append_string(req, host, STR_TERMINATE);
> if (!smbcli_request_send(req) ||
>@@ -57,6 +60,9 @@ bool smbcli_message_text(struct smbcli_tree *tree, char *msg, int len, int grp)
> struct smbcli_request *req;
>
> req = smbcli_request_setup(tree, SMBsendtxt, 1, 0);
>+ if (req == NULL) {
>+ return false;
>+ }
> SSVAL(req->out.vwv, VWV(0), grp);
>
> smbcli_req_append_bytes(req, (const uint8_t *)msg, len);
>@@ -80,6 +86,9 @@ bool smbcli_message_end(struct smbcli_tree *tree, int grp)
> struct smbcli_request *req;
>
> req = smbcli_request_setup(tree, SMBsendend, 1, 0);
>+ if (req == NULL) {
>+ return false;
>+ }
> SSVAL(req->out.vwv, VWV(0), grp);
>
> if (!smbcli_request_send(req) ||
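Review bot: The new early return in py_auth_context_new leaves `mem_ctx` allocated: it is the talloc parent passed to `lpcfg_from_py_object()`, and nothing in the added branch releases it. Where `mem_ctx` is created and how the other error paths clean up lies outside the hunk, so confirm against them, but the likely fix is to add `talloc_free(mem_ctx);` before `PyErr_NoMemory();`. `lpcfg_from_py_object()` may also fail for reasons other than memory exhaustion, in which case `PyErr_NoMemory()` would report a misleading error; that depends on its implementation, which is not shown.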
>diff --git a/source4/libcli/raw/clioplock.c b/source4/libcli/raw/clioplock.c
>index 396ab96..6c04843 100644
>--- a/source4/libcli/raw/clioplock.c
>+++ b/source4/libcli/raw/clioplock.c
>@@ -30,6 +30,9 @@ _PUBLIC_ bool smbcli_oplock_ack(struct smbcli_tree *tree, uint16_t fnum, uint16_
> struct smbcli_request *req;
>
> req = smbcli_request_setup(tree, SMBlockingX, 8, 0);
>+ if (req == NULL) {
>+ return false;
>+ }
>
> SSVAL(req->out.vwv,VWV(0),0xFF);
> SSVAL(req->out.vwv,VWV(1),0);
>diff --git a/source4/libcli/raw/clitree.c b/source4/libcli/raw/clitree.c
>index 1c3321e..11be548 100644
>--- a/source4/libcli/raw/clitree.c
>+++ b/source4/libcli/raw/clitree.c
>@@ -168,6 +168,9 @@ _PUBLIC_ NTSTATUS smb_tree_disconnect(struct smbcli_tree *tree)
>
> if (!tree) return NT_STATUS_OK;
> req = smbcli_request_setup(tree, SMBtdis, 0, 0);
>+ if (req == NULL) {
>+ return NT_STATUS_NO_MEMORY;
>+ }
>
> if (smbcli_request_send(req)) {
> (void) smbcli_request_receive(req);
>--
>1.8.1.4
>
Flags:
ab
:
review+