Created attachment 9049 [details] patch files in diff -u format (CentOS 6.4) as a single zip file Hello All, In reviewing various files in Samba-4.0.7, I found a number of instances where malloc()/calloc() were called without the checking the return value for a value of NULL, which would indicate failure. In directory 'samba-4.0.7/source4/heimdal/lib/hx509', file 'ks_keychain.c', the following patch file(s) make the required checks for the return value from calls to malloc(), though in some cases, a(n) error message to stderr might be appropriate: Here is the patch file: --- ks_keychain.c.orig 2013-07-14 14:41:41.012091252 -0700 +++ ks_keychain.c 2013-07-14 14:42:43.466087739 -0700 @@ -291,6 +291,9 @@ kc->keysize = (size + 7) / 8; data = malloc(kc->keysize); + if (data == NULL) + _hx509_abort("out of memory"); + memset(data, 0xe0, kc->keysize); BN_bin2bn(data, kc->keysize, rsa->n); free(data); In directory 'samba-4.0.7/source4/heimdal/lib/hx509', file 'ks_p11.c', the following patch file(s) make the required checks for the return value from calls to malloc(), though in some cases, a(n) error message to stderr might be appropriate: Here is the patch file: --- ks_p11.c.orig 2013-07-14 14:47:14.507092286 -0700 +++ ks_p11.c 2013-07-14 14:48:14.120088906 -0700 @@ -583,6 +583,8 @@ return NULL; query.pValue = malloc(query.ulValueLen); + if (query.pValue == NULL) + return NULL; ret = P11FUNC(p, GetAttributeValue, (session, object, &query, 1)); In directory 'samba-4.0.7/source4/heimdal/lib/hx509', file 'name.c', the following patch file(s) make the required checks for the return value from calls to malloc(), though in some cases, a(n) error message to stderr might be appropriate: Here is the patch file: --- name.c.orig 2013-07-14 14:50:48.670087754 -0700 +++ name.c 2013-07-14 14:52:26.643087647 -0700 
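Review bot: `_hx509_abort("out of memory")` turns an allocation failure into a process abort from inside library code, which is harsher than what callers of hx509 can handle; the enclosing function starts outside the hunk so its return convention is not visible, but if it returns an int error code like the rest of hx509, `return ENOMEM;` — after releasing whatever the function already holds, presumably at least the `kc` object that `kc->keysize` is written into — keeps the failure recoverable by the caller. If aborting is deliberate for this macOS keychain path, a one-line comment saying why (`/* keychain enumeration cannot report failure to the caller here */` or whatever the real reason is) would stop the next reader from "fixing" it.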
@@ -384,6 +384,8 @@ for (i = 0; i < 4; i++) { *rlen = *rlen * 2; *rname = malloc(*rlen * sizeof((*rname)[0])); + if (*rname == NULL) + return ENOMEM; ret = wind_stringprep(name, len, *rname, rlen, flags); if (ret == WIND_ERR_OVERRUN) { In directory 'samba-4.0.7/source4/heimdal/lib/ntlm', file 'ntml.c', the following patch file(s) make the required checks for the return value from calls to malloc(), though in some cases, a(n) error message to stderr might be appropriate: Here is the patch file: --- ntlm.c.orig 2013-07-14 14:58:46.986090050 -0700 +++ ntlm.c 2013-07-14 15:01:34.980091145 -0700 @@ -329,6 +329,8 @@ krb5_error_code ret; buf->data = malloc(desc->length); + if (buf->data == NULL) + return ENOMEM; buf->length = desc->length; CHECK(krb5_storage_seek(sp, desc->offset, SEEK_SET), desc->offset); CHECK(krb5_storage_read(sp, buf->data, buf->length), buf->length); In directory 'samba-4.0.7/source4/heimdal/lib/roken', file 'resolve.c', the following patch file(s) make the required checks for the return value from calls to malloc(), though in some cases, a(n) error message to stderr might be appropriate: Here is the patch file: --- resolve.c.orig 2013-07-14 15:08:18.476089589 -0700 +++ resolve.c 2013-07-14 15:10:09.287089831 -0700 @@ -787,6 +787,11 @@ len = strnlen(pRec->Data.TXT.pStringArray[0], DNS_MAX_TEXT_STRING_LENGTH); rr->u.txt = (char *)malloc(len + 1); + if (rr->u.txt == NULL) { + dns_free_rr(rr); + return NULL; + } + strcpy_s(rr->u.txt, len + 1, pRec->Data.TXT.pStringArray[0]); break; In directory 'samba-4.0.7/source4/kdc', file 'db-glue.c' the following patch file(s) make the required checks for the return value from calls to malloc(), though in some cases, a(n) error message to stderr might be appropriate: Here is the patch file: --- db-glue.c.orig 2013-07-14 15:23:16.237088175 -0700 +++ db-glue.c 2013-07-14 15:25:02.984089496 -0700 
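Review bot: The new check catches a NULL from `malloc`, but the size handed to it, `*rlen * sizeof((*rname)[0])`, is an unchecked product of a value this loop doubles on each of up to four passes; `calloc(*rlen, sizeof((*rname)[0]))` makes that multiplication overflow-safe, and an overflow then lands in the same new `return ENOMEM;` path. The for loop and the enclosing function both continue outside the hunk, so whether `*rlen` should be restored to its previous value before returning cannot be judged here and is worth a look.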
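Review bot: `desc->length` appears to be the length field of a decoded sec_buffer, so it can legitimately be 0; `malloc(0)` may return NULL on some C libraries, and the new check would then report ENOMEM for an empty buffer instead of decoding it, so the zero case should be distinguished, e.g. `if (buf->data == NULL && desc->length != 0) return ENOMEM;`. The `CHECK` macro on the following context lines presumably jumps to an `out:` label in this function (both outside the hunk); if so, `ret = ENOMEM; goto out;` would keep a single exit path, since `ret` is already declared in the context line above.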
@@ -993,6 +993,10 @@ } entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal))); + if (entry_ex->entry.principal == NULL) { + ret = ENOMEM; + goto out; + } ret = copy_Principal(principal, entry_ex->entry.principal); if (ret) { In directory 'samba-4.0.7/source4/torture/nbench', file 'db-glue.c' the following patch file(s) make the required checks for the return value from calls to malloc(), though in some cases, a(n) error message to stderr might be appropriate: Here is the patch file: --- nbio.c.orig 2013-07-14 15:29:13.643088070 -0700 +++ nbio.c 2013-07-14 15:32:46.508086978 -0700 @@ -550,6 +550,11 @@ return true; buf = malloc(size); + if (buf == NULL) { + perror("nb_writex: malloc"); + nb_exit(1); + } + memset(buf, 0xab, size); io.writex.level = RAW_WRITE_WRITEX; @@ -591,6 +596,10 @@ return true; buf = malloc(size); + if (buf == NULL) { + perror("nb_write: malloc"); + nb_exit(1); + } memset(buf, 0x12, size); @@ -716,6 +725,10 @@ return true; buf = malloc(size); + if (buf == NULL) { + perror("nb_readx: malloc"); + nb_exit(1); + } io.readx.level = RAW_READ_READX; io.readx.in.file.fnum = i; In directory 'samba-4.0.7/testprogs/win32/npecho', file 'npecho_client.c' the following patch file(s) make the required checks for the return value from calls to malloc(), though in some cases, a(n) error message to stderr might be appropriate: Here is the patch file: --- npecho_client.c.orig 2013-07-14 18:32:59.044081832 -0700 +++ npecho_client.c 2013-07-14 18:34:23.584072024 -0700 
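Review bot: The three new checks in nb_writex, nb_write and nb_readx (the nbio.c hunk here and the two that follow it) are the same four lines with a different perror label, and the first one also adds a trailing blank line that the other two do not; a small file-local helper that either returns the buffer or calls `nb_exit(1)` removes the repetition and keeps the failure message in one place. Each call site then becomes `buf = nb_malloc(size, "nb_writex: malloc");` with the label taken from the added perror string. The three functions themselves start outside their hunks, so whether `nb_exit` returns is not visible; the helper below behaves like the original code either way.
```c
/* malloc() wrapper for the nbench ops: on failure report via perror() and end this child. */
static void *nb_malloc(size_t size, const char *what)
{
	void *p = malloc(size);
	if (p == NULL) {
		perror(what);
		nb_exit(1);
	}
	return p;
}
/* … unchanged: nb_writex up to the allocation … */
	buf = nb_malloc(size, "nb_writex: malloc");
```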
@@ -14,6 +14,10 @@ HANDLE h; DWORD numread = 0; char *outbuffer = malloc(strlen(ECHODATA)); + if (*outbuffer == NULL) { + printf("Unable to allocate memory for *outbuffer...exiting...\n"); + return -1; + } if (argc == 1) { printf("Usage: %s pipename\n", argv[0]); In directory 'samba-4.0.7/testprogs/win32/npecho', file 'npecho_client2.c' the following patch file(s) make the required checks for the return value from calls to malloc(), though in some cases, a(n) error message to stderr might be appropriate: Here is the patch file: --- npecho_client2.c.orig 2013-07-14 18:38:32.164078584 -0700 +++ npecho_client2.c 2013-07-14 18:39:16.800082783 -0700 @@ -19,6 +19,11 @@ DWORD state = 0; DWORD flags = 0; + if (*outbuffer == NULL) { + printf("Unable to allocate memory for outbuffer...exiting...\n"); + return -1; + } + if (argc == 1) { goto usage; } else if (argc >= 3) { In directory 'samba-4.0.7/testprogs/win32/npecho', file 'npecho_server2.c' the following patch file(s) make the required checks for the return value from calls to malloc(), though in some cases, a(n) error message to stderr might be appropriate: Here is the patch file: --- npecho_server2.c.orig 2013-07-14 18:40:31.872081066 -0700 +++ npecho_server2.c 2013-07-14 18:41:50.341080091 -0700 @@ -18,6 +18,11 @@ BOOL msgmode = FALSE; DWORD type = 0; + if (*outbuffer == NULL) { + printf("Unable to allocate memory for outbuffer...exiting...\n"); + return -1; + } + if (argc == 1) { goto usage; } else if (argc >= 3) { In directory 'samba-4.0.7/testsuite/smbd', file 'se_access_check_utils.c' the following patch file(s) make the required checks for the return value from calls to malloc(), though in some cases, a(n) error message to stderr might be appropriate: Here is the patch file: --- se_access_check_utils.c.orig 2013-07-14 18:58:50.461080529 -0700 +++ se_access_check_utils.c 2013-07-14 19:01:02.807083872 -0700 
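Review bot: `if (*outbuffer == NULL)` dereferences `outbuffer` and compares its first `char` with NULL, so a failed `malloc` is still dereferenced right here and a successful one has uninitialized memory read and possibly reported as an allocation failure; the pointer itself must be tested, `if (outbuffer == NULL) {`. The same mistake is in the npecho_client2.c and npecho_server2.c hunks on this line, where the allocation that fills `outbuffer` lies outside the hunk. In npecho_client.c the context line allocates `strlen(ECHODATA)` bytes, one short of holding ECHODATA as a NUL-terminated string; whether the buffer is used that way is not visible here, but `malloc(strlen(ECHODATA) + 1)` is the safe size if it is. The failure message is printed to stdout; `fprintf(stderr, ...)` would keep it out of the program's normal output.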
@@ -141,6 +141,11 @@ ngroups = getgroups(0, NULL); groups = malloc(sizeof(gid_t) * ngroups); + if (groups == NULL) { + printf("Unable to allocate memory in visit_pwdb...\n"); + exit(1); + } + getgroups(ngroups, groups); /* Call function */ In directory 'samba-4.0.7/testsuite/smbd', file 'sec_ctx_groups.c' the following patch file(s) make the required checks for the return value from calls to malloc(), though in some cases, a(n) error message to stderr might be appropriate: Here is the patch file: --- sec_ctx_groups.c.orig 2013-07-14 19:06:47.279082313 -0700 +++ sec_ctx_groups.c 2013-07-14 19:10:19.177081169 -0700 @@ -33,6 +33,11 @@ initial_ngroups = sys_getgroups(0, NULL); initial_groups = malloc(sizeof(gid_t) * initial_ngroups); + if (initial_groups == NULL) { + printf("FAIL: unable to allocate memory for initial_groups\n"); + return 1; + } + sys_getgroups(initial_ngroups, initial_groups); printf("Initial groups are: "); @@ -62,6 +67,11 @@ check_ngroups = sys_getgroups(0, NULL); check_groups = malloc(sizeof(gid_t) * check_ngroups); + if (check_groups == NULL) { + printf("FAIL: unable to allocate memory for check_groups\n"); + return 1; + } + sys_getgroups(check_ngroups, check_groups); printf("Actual groups are: "); @@ -94,6 +104,11 @@ final_ngroups = sys_getgroups(0, NULL); final_groups = malloc(sizeof(gid_t) * final_ngroups); + if (final_groups == NULL) { + printf("FAIL: unable to allocate memory for final_groups\n"); + return 1; + } + sys_getgroups(final_ngroups, final_groups); printf("Final groups are: "); In directory 'samba-4.0.7/testsuite/smbd', file 'sec_ctx_utils.c' the following patch file(s) make the required checks for the return value from calls to malloc(), though in some cases, a(n) error message to stderr might be appropriate: Here is the patch file: --- sec_ctx_utils.c.orig 2013-07-14 19:13:47.758080843 -0700 +++ sec_ctx_utils.c 2013-07-14 19:15:24.681077604 -0700 
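Review bot: The count multiplied into the allocation size, `ngroups` from `getgroups(0, NULL)`, is never checked, so when getgroups fails and returns -1 the product `sizeof(gid_t) * ngroups` wraps to a huge size_t and the new check misreports a getgroups error as an allocation failure, and when it returns 0 `malloc(0)` may yield NULL on some C libraries and trip the check although nothing is wrong. Test the count first, `if (ngroups < 0) { perror("getgroups"); exit(1); }`, skip the allocation when it is 0, and allocate with `calloc((size_t)ngroups, sizeof(gid_t))` so an oversized count also fails cleanly. The three sec_ctx_groups.c hunks on this line (`sys_getgroups`, presumably the same contract) and the sec_ctx_utils.c hunk on the next line have the same shape; the return value of the second `getgroups(ngroups, groups)` call is unchecked in all of them as well, though that is pre-existing.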
@@ -52,6 +52,10 @@ actual_ngroups = getgroups(0, NULL); actual_groups = (gid_t *)malloc(actual_ngroups * sizeof(gid_t)); + if (actual_groups == NULL) { + printf("FAIL: malloc actual groups\n"); + return False; + } getgroups(actual_ngroups, actual_groups); Archive: more-samba-patches.zip Length Date Time Name --------- ---------- ----- ---- 345 07-14-2013 14:45 ks_keychain.c.patch 311 07-14-2013 14:49 ks_p11.c.patch 354 07-14-2013 14:53 name.c.patch 409 07-14-2013 15:02 ntlm.c.patch 394 07-14-2013 15:10 resolve.c.patch 368 07-14-2013 15:27 db-glue.c.patch 687 07-14-2013 15:37 nbio.c.patch 396 07-14-2013 18:36 npecho_client.c.patch 355 07-15-2013 07:41 npecho_client2.c.patch 359 07-14-2013 18:42 npecho_server2.c.patch 395 07-14-2013 19:05 se_access_check_utils.c.patch 1119 07-14-2013 19:12 sec_ctx_groups.c.patch 387 07-15-2013 07:43 sec_ctx_utils.c.patch --------- ------- 5879 13 files I am attaching the patch file(s) to this email. Bill Parker (wp02855 at gmail dot com)