Bug 7607 - Buffer over-read in pidl generated client code
Buffer over-read in pidl generated client code
Status: RESOLVED FIXED
Product: Samba 3.5
Classification: Unclassified
Component: DCE-RPCs and pipes
3.5.4
Other Linux
: P3 major
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2010-08-06 07:39 UTC by Andreas Schneider
Modified: 2010-08-16 00:23 UTC (History)
0 users

See Also:


Attachments
Samba3/ClientNDR - Correctly copy arrays, if r.out.size < r.in.size. (4.17 KB, patch)
2010-08-06 07:40 UTC, Andreas Schneider
no flags Details
Patch for v3-5 (13.79 KB, patch)
2010-08-09 04:37 UTC, Stefan Metzmacher
gd: review+
Details
Patch for v3-4 (7.34 KB, patch)
2010-08-09 04:41 UTC, Stefan Metzmacher
gd: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Schneider 2010-08-06 07:39:03 UTC
valgrind revealed a buffer underwrite in the autogenerated pidl client code.

==4996== Invalid read of size 1
==4996==    at 0x4C278C0: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==4996==    by 0x98648A: rpccli_winreg_EnumValue (cli_winreg.c:1755)
==4996==    by 0x786E00: winreg_printer_enumvalues (srv_spoolss_util.c:462)
==4996==    by 0x78D07D: winreg_enum_printer_dataex (srv_spoolss_util.c:2773)
==4996==    by 0x784D00: _spoolss_EnumPrinterDataEx (srv_spoolss_nt.c:8956)
==4996==    by 0x7A0EF6: api_spoolss_EnumPrinterDataEx (srv_spoolss.c:5777)
==4996==    by 0x7DCB9E: api_rpcTNP (srv_pipe.c:1600)
==4996==    by 0x7DC616: api_pipe_request (srv_pipe.c:1533)
==4996==    by 0x7DD7C0: process_request_pdu (srv_pipe.c:1790)
==4996==    by 0x7DDC72: process_complete_pdu (srv_pipe.c:1847)
==4996==    by 0x7DEE1F: process_incoming_data (srv_pipe_hnd.c:213)
==4996==    by 0x7DEFB5: write_to_internal_pipe (srv_pipe_hnd.c:239)
==4996==    by 0x7E0685: np_write_send (srv_pipe_hnd.c:658)
==4996==    by 0x4DA85E: api_dcerpc_cmd (ipc.c:268)
==4996==    by 0x4DB7E6: api_fd_reply (ipc.c:478)
==4996==    by 0x4DBB18: named_pipe (ipc.c:533)
==4996==    by 0x4DBF24: handle_trans (ipc.c:590)
==4996==    by 0x4DCC79: reply_trans (ipc.c:775)
==4996==    by 0x575E36: switch_message (process.c:1549)
==4996==    by 0x575FC9: construct_reply (process.c:1584)
==4996==    by 0x576398: process_smb (process.c:1663)
==4996==    by 0x577EBE: smbd_server_connection_read_handler (process.c:2320)
==4996==    by 0x577F32: smbd_server_connection_handler (process.c:2335)
==4996==    by 0x8B334B: run_events (events.c:128)
==4996==    by 0x57515B: smbd_server_connection_loop_once (process.c:989)
==4996==    by 0x57B2ED: smbd_process (process.c:3144)
==4996==    by 0xD912CA: smbd_accept_connection (server.c:437)
==4996==    by 0x8B334B: run_events (events.c:128)
==4996==    by 0x8B3698: s3_event_loop_once (events.c:191)
==4996==    by 0x8B48F3: _tevent_loop_once (tevent.c:494)
==4996==    by 0xD920BD: smbd_parent_loop (server.c:732)
==4996==    by 0xD9333E: main (server.c:1153)
==4996==  Address 0x9c4161e is 1 bytes after a block of size 93 alloc'd
==4996==    at 0x4C26C3A: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==4996==    by 0xD93F9A: __talloc (talloc.c:405)
==4996==    by 0xD942F9: _talloc_named_const (talloc.c:516)
==4996==    by 0xD96DAA: _talloc_array (talloc.c:1864)
==4996==    by 0xB10ADC: ndr_pull_winreg_EnumValue (ndr_winreg.c:1716)
==4996==    by 0x7E22E1: internal_ndr_pull (rpc_ncacn_np_internal.c:243)
==4996==    by 0x7E24C9: rpc_pipe_internal_dispatch (rpc_ncacn_np_internal.c:297)
==4996==    by 0x9863CA: rpccli_winreg_EnumValue (cli_winreg.c:1735)
==4996==    by 0x786E00: winreg_printer_enumvalues (srv_spoolss_util.c:462)
==4996==    by 0x78D07D: winreg_enum_printer_dataex (srv_spoolss_util.c:2773)
==4996==    by 0x784D00: _spoolss_EnumPrinterDataEx (srv_spoolss_nt.c:8956)
==4996==    by 0x7A0EF6: api_spoolss_EnumPrinterDataEx (srv_spoolss.c:5777)
==4996==    by 0x7DCB9E: api_rpcTNP (srv_pipe.c:1600)
==4996==    by 0x7DC616: api_pipe_request (srv_pipe.c:1533)
==4996==    by 0x7DD7C0: process_request_pdu (srv_pipe.c:1790)
==4996==    by 0x7DDC72: process_complete_pdu (srv_pipe.c:1847)
==4996==    by 0x7DEE1F: process_incoming_data (srv_pipe_hnd.c:213)
==4996==    by 0x7DEFB5: write_to_internal_pipe (srv_pipe_hnd.c:239)
==4996==    by 0x7E0685: np_write_send (srv_pipe_hnd.c:658)
==4996==    by 0x4DA85E: api_dcerpc_cmd (ipc.c:268)
==4996==    by 0x4DB7E6: api_fd_reply (ipc.c:478)
==4996==    by 0x4DBB18: named_pipe (ipc.c:533)
==4996==    by 0x4DBF24: handle_trans (ipc.c:590)
==4996==    by 0x4DCC79: reply_trans (ipc.c:775)
==4996==    by 0x575E36: switch_message (process.c:1549)
==4996==    by 0x575FC9: construct_reply (process.c:1584)
==4996==    by 0x576398: process_smb (process.c:1663)
==4996==    by 0x577EBE: smbd_server_connection_read_handler (process.c:2320)
==4996==    by 0x577F32: smbd_server_connection_handler (process.c:2335)
==4996==    by 0x8B334B: run_events (events.c:128)
==4996==    by 0x57515B: smbd_server_connection_loop_once (process.c:989)
==4996==    by 0x57B2ED: smbd_process (process.c:3144)
==4996==    by 0xD912CA: smbd_accept_connection (server.c:437)
==4996==    by 0x8B334B: run_events (events.c:128)
==4996==    by 0x8B3698: s3_event_loop_once (events.c:191)
==4996==    by 0x8B48F3: _tevent_loop_once (tevent.c:494)
==4996==    by 0xD920BD: smbd_parent_loop (server.c:732)
==4996==    by 0xD9333E: main (server.c:1153)

The problem was if the buffer the developer provided to the function was bigger then the result then the result and the memory after it was copied to the buffer.

The following patch fixes the problem and should be pushed to v3-4 and v3-5.
Comment 1 Andreas Schneider 2010-08-06 07:40:22 UTC
Created attachment 5885 [details]
Samba3/ClientNDR - Correctly copy arrays, if r.out.size < r.in.size.

The patch is from metze and looks fine. I've tested it several times here.
Comment 2 Andreas Schneider 2010-08-06 07:42:44 UTC
Metze, the patch doesn't apply to v3-5-test. Could you please provide patches for v3-4-test and v3-5-test
Comment 3 Stefan Metzmacher 2010-08-09 04:37:16 UTC
Created attachment 5889 [details]
Patch for v3-5
Comment 4 Stefan Metzmacher 2010-08-09 04:41:08 UTC
Created attachment 5890 [details]
Patch for v3-4
Comment 5 Guenther Deschner 2010-08-13 09:58:10 UTC
Comment on attachment 5889 [details]
Patch for v3-5

looks good
Comment 6 Guenther Deschner 2010-08-13 09:58:28 UTC
Comment on attachment 5890 [details]
Patch for v3-4

looks good
Comment 7 Guenther Deschner 2010-08-13 09:58:54 UTC
Karolin, please proceed.
Comment 8 Karolin Seeger 2010-08-16 00:23:49 UTC
Pushed to v3-5-test and v3-4-test.
Closing out bug report.

Thanks!