Bug 10022 - Subj: Lack of Sanity Checking in calls to malloc()/calloc()
Subj: Lack of Sanity Checking in calls to malloc()/calloc()
Status: NEW
Product: Samba 4.0
Classification: Unclassified
Component: Other
4.0.7
All All
: P5 major
: ---
Assigned To: Andrew Bartlett
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-07-15 16:45 UTC by Bill Parker
Modified: 2013-07-15 16:45 UTC (History)
0 users

See Also:


Attachments
patch files in diff -u format (CentOS 6.4) as a single zip file (5.37 KB, application/octet-stream)
2013-07-15 16:45 UTC, Bill Parker
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Bill Parker 2013-07-15 16:45:27 UTC
Created attachment 9049 [details]
patch files in diff -u format (CentOS 6.4) as a single zip file

Hello All,

	In reviewing various files in Samba-4.0.7, I found a number
of instances where malloc()/calloc() were called without the
checking the return value for a value of NULL, which would
indicate failure.

In directory 'samba-4.0.7/source4/heimdal/lib/hx509',
file 'ks_keychain.c', the following patch file(s) make
the required checks for the return value from calls to
malloc(), though in some cases, a(n) error message to
stderr might be appropriate:

Here is the patch file:

--- ks_keychain.c.orig  2013-07-14 14:41:41.012091252 -0700
+++ ks_keychain.c       2013-07-14 14:42:43.466087739 -0700
@@ -291,6 +291,9 @@
        kc->keysize = (size + 7) / 8;
 
        data = malloc(kc->keysize);
+       if (data == NULL)
+           _hx509_abort("out of memory");
+
        memset(data, 0xe0, kc->keysize);
        BN_bin2bn(data, kc->keysize, rsa->n);
        free(data);
		
In directory 'samba-4.0.7/source4/heimdal/lib/hx509',
file 'ks_p11.c', the following patch file(s) make the
required checks for the return value from calls to
malloc(), though in some cases, a(n) error message to
stderr might be appropriate:

Here is the patch file:

--- ks_p11.c.orig       2013-07-14 14:47:14.507092286 -0700
+++ ks_p11.c    2013-07-14 14:48:14.120088906 -0700
@@ -583,6 +583,8 @@
        return NULL;
 
     query.pValue = malloc(query.ulValueLen);
+    if (query.pValue == NULL)
+       return NULL;
 
     ret = P11FUNC(p, GetAttributeValue,
                  (session, object, &query, 1));
				  
In directory 'samba-4.0.7/source4/heimdal/lib/hx509',
file 'name.c', the following patch file(s) make the
required checks for the return value from calls to
malloc(), though in some cases, a(n) error message
to stderr might be appropriate:

Here is the patch file:

--- name.c.orig 2013-07-14 14:50:48.670087754 -0700
+++ name.c      2013-07-14 14:52:26.643087647 -0700
@@ -384,6 +384,8 @@
     for (i = 0; i < 4; i++) {
        *rlen = *rlen * 2;
        *rname = malloc(*rlen * sizeof((*rname)[0]));
+       if (*rname == NULL)
+           return ENOMEM;
 
        ret = wind_stringprep(name, len, *rname, rlen, flags);
        if (ret == WIND_ERR_OVERRUN) {

In directory 'samba-4.0.7/source4/heimdal/lib/ntlm',
file 'ntml.c', the following patch file(s) make the
required checks for the return value from calls to
malloc(), though in some cases, a(n) error message
to stderr might be appropriate:

Here is the patch file:

--- ntlm.c.orig 2013-07-14 14:58:46.986090050 -0700
+++ ntlm.c      2013-07-14 15:01:34.980091145 -0700
@@ -329,6 +329,8 @@
     krb5_error_code ret;
 
     buf->data = malloc(desc->length);
+    if (buf->data == NULL)
+       return ENOMEM;
     buf->length = desc->length;
     CHECK(krb5_storage_seek(sp, desc->offset, SEEK_SET), desc->offset);
     CHECK(krb5_storage_read(sp, buf->data, buf->length), buf->length);
	 
In directory 'samba-4.0.7/source4/heimdal/lib/roken',
file 'resolve.c', the following patch file(s) make the
required checks for the return value from calls to
malloc(), though in some cases, a(n) error message to
stderr might be appropriate:

Here is the patch file:

--- resolve.c.orig      2013-07-14 15:08:18.476089589 -0700
+++ resolve.c   2013-07-14 15:10:09.287089831 -0700
@@ -787,6 +787,11 @@
        len = strnlen(pRec->Data.TXT.pStringArray[0], DNS_MAX_TEXT_STRING_LENGTH);
 
        rr->u.txt = (char *)malloc(len + 1);
+       if (rr->u.txt == NULL) {
+           dns_free_rr(rr);
+           return NULL;
+       }
+
        strcpy_s(rr->u.txt, len + 1, pRec->Data.TXT.pStringArray[0]);
 
        break;
		
In directory 'samba-4.0.7/source4/kdc', file 'db-glue.c'
the following patch file(s) make the required checks for
the return value from calls to malloc(), though in some
cases, a(n) error message to stderr might be appropriate:

Here is the patch file:

--- db-glue.c.orig      2013-07-14 15:23:16.237088175 -0700
+++ db-glue.c   2013-07-14 15:25:02.984089496 -0700
@@ -993,6 +993,10 @@
        }
 
        entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal)));
+       if (entry_ex->entry.principal == NULL) {
+           ret = ENOMEM;
+           goto out;
+       }
 
        ret = copy_Principal(principal, entry_ex->entry.principal);
        if (ret) {

In directory 'samba-4.0.7/source4/torture/nbench',
file 'db-glue.c' the following patch file(s) make
the required checks for the return value from calls to
malloc(), though in some cases, a(n) error message to
stderr might be appropriate:

Here is the patch file:

--- nbio.c.orig 2013-07-14 15:29:13.643088070 -0700
+++ nbio.c      2013-07-14 15:32:46.508086978 -0700
@@ -550,6 +550,11 @@
                return true;
 
        buf = malloc(size);
+       if (buf == NULL) {
+           perror("nb_writex: malloc");
+           nb_exit(1);
+       }
+
        memset(buf, 0xab, size);
 
        io.writex.level = RAW_WRITE_WRITEX;
@@ -591,6 +596,10 @@
                return true;
 
        buf = malloc(size);
+       if (buf == NULL) {
+           perror("nb_write: malloc");
+           nb_exit(1);
+        }
 
        memset(buf, 0x12, size);
 
@@ -716,6 +725,10 @@
                return true;
 
        buf = malloc(size);
+       if (buf == NULL) {
+           perror("nb_readx: malloc");
+           nb_exit(1);
+       }
 
        io.readx.level = RAW_READ_READX;
        io.readx.in.file.fnum = i;

In directory 'samba-4.0.7/testprogs/win32/npecho',
file 'npecho_client.c' the following patch file(s) make
the required checks for the return value from calls to
malloc(), though in some cases, a(n) error message to
stderr might be appropriate:

Here is the patch file:

--- npecho_client.c.orig        2013-07-14 18:32:59.044081832 -0700
+++ npecho_client.c     2013-07-14 18:34:23.584072024 -0700
@@ -14,6 +14,10 @@
        HANDLE h;
        DWORD numread = 0;
        char *outbuffer = malloc(strlen(ECHODATA));
+       if (*outbuffer == NULL) {
+               printf("Unable to allocate memory for *outbuffer...exiting...\n");
+               return -1;
+       }
 
        if (argc == 1) {
                printf("Usage: %s pipename\n", argv[0]);

In directory 'samba-4.0.7/testprogs/win32/npecho',
file 'npecho_client2.c' the following patch file(s) make
the required checks for the return value from calls to
malloc(), though in some cases, a(n) error message to
stderr might be appropriate:

Here is the patch file:

--- npecho_client2.c.orig       2013-07-14 18:38:32.164078584 -0700
+++ npecho_client2.c    2013-07-14 18:39:16.800082783 -0700
@@ -19,6 +19,11 @@
        DWORD state = 0;
        DWORD flags = 0;
 
+       if (*outbuffer == NULL) {
+               printf("Unable to allocate memory for outbuffer...exiting...\n");
+               return -1;
+       }
+
        if (argc == 1) {
                goto usage;
        } else if (argc >= 3) {

In directory 'samba-4.0.7/testprogs/win32/npecho',
file 'npecho_server2.c' the following patch file(s) make
the required checks for the return value from calls to
malloc(), though in some cases, a(n) error message to
stderr might be appropriate:

Here is the patch file:

--- npecho_server2.c.orig       2013-07-14 18:40:31.872081066 -0700
+++ npecho_server2.c    2013-07-14 18:41:50.341080091 -0700
@@ -18,6 +18,11 @@
        BOOL msgmode = FALSE;
        DWORD type = 0;
 
+       if (*outbuffer == NULL) {
+               printf("Unable to allocate memory for outbuffer...exiting...\n");
+               return -1;
+       }
+
        if (argc == 1) {
                goto usage;
        } else if (argc >= 3) {

In directory 'samba-4.0.7/testsuite/smbd', file 'se_access_check_utils.c'
the following patch file(s) make the required checks for the return value
from calls to malloc(), though in some cases, a(n) error message to
stderr might be appropriate:

Here is the patch file:

--- se_access_check_utils.c.orig        2013-07-14 18:58:50.461080529 -0700
+++ se_access_check_utils.c     2013-07-14 19:01:02.807083872 -0700
@@ -141,6 +141,11 @@
                ngroups = getgroups(0, NULL);
 
                groups = malloc(sizeof(gid_t) * ngroups);
+               if (groups == NULL) {
+                       printf("Unable to allocate memory in visit_pwdb...\n");
+                       exit(1);
+               }
+
                getgroups(ngroups, groups);
 
                /* Call function */

In directory 'samba-4.0.7/testsuite/smbd', file 'sec_ctx_groups.c'
the following patch file(s) make the required checks for the return value
from calls to malloc(), though in some cases, a(n) error message to
stderr might be appropriate:

Here is the patch file:

--- sec_ctx_groups.c.orig       2013-07-14 19:06:47.279082313 -0700
+++ sec_ctx_groups.c    2013-07-14 19:10:19.177081169 -0700
@@ -33,6 +33,11 @@
 
        initial_ngroups = sys_getgroups(0, NULL);
        initial_groups = malloc(sizeof(gid_t) * initial_ngroups);
+       if (initial_groups == NULL) {
+               printf("FAIL: unable to allocate memory for initial_groups\n");
+               return 1;
+       }
+
        sys_getgroups(initial_ngroups, initial_groups);
 
        printf("Initial groups are: ");
@@ -62,6 +67,11 @@
 
        check_ngroups = sys_getgroups(0, NULL);
        check_groups = malloc(sizeof(gid_t) * check_ngroups);
+       if (check_groups == NULL) {
+               printf("FAIL: unable to allocate memory for check_groups\n");
+               return 1;
+       }
+
        sys_getgroups(check_ngroups, check_groups);
 
        printf("Actual groups are: ");
@@ -94,6 +104,11 @@
 
        final_ngroups = sys_getgroups(0, NULL);
        final_groups = malloc(sizeof(gid_t) * final_ngroups);
+        if (final_groups == NULL) {
+                printf("FAIL: unable to allocate memory for final_groups\n");
+                return 1;
+        }
+
        sys_getgroups(final_ngroups, final_groups);
 
        printf("Final groups are: ");

In directory 'samba-4.0.7/testsuite/smbd', file 'sec_ctx_utils.c'
the following patch file(s) make the required checks for the return value
from calls to malloc(), though in some cases, a(n) error message to
stderr might be appropriate:

Here is the patch file:

--- sec_ctx_utils.c.orig        2013-07-14 19:13:47.758080843 -0700
+++ sec_ctx_utils.c     2013-07-14 19:15:24.681077604 -0700
@@ -52,6 +52,10 @@
 
        actual_ngroups = getgroups(0, NULL);
        actual_groups = (gid_t *)malloc(actual_ngroups * sizeof(gid_t));
+       if (actual_groups == NULL) {
+               printf("FAIL: malloc actual groups\n");
+               return False;
+       }
 
        getgroups(actual_ngroups, actual_groups);
 		
Archive:  more-samba-patches.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
      345  07-14-2013 14:45   ks_keychain.c.patch
      311  07-14-2013 14:49   ks_p11.c.patch
      354  07-14-2013 14:53   name.c.patch
      409  07-14-2013 15:02   ntlm.c.patch
      394  07-14-2013 15:10   resolve.c.patch
      368  07-14-2013 15:27   db-glue.c.patch
      687  07-14-2013 15:37   nbio.c.patch
      396  07-14-2013 18:36   npecho_client.c.patch
      355  07-15-2013 07:41   npecho_client2.c.patch
      359  07-14-2013 18:42   npecho_server2.c.patch
      395  07-14-2013 19:05   se_access_check_utils.c.patch
     1119  07-14-2013 19:12   sec_ctx_groups.c.patch
      387  07-15-2013 07:43   sec_ctx_utils.c.patch
---------                     -------
     5879                     13 files
	 
I am attaching the patch file(s) to this email.

Bill Parker (wp02855 at gmail dot com)