Author: jra Date: 2006-03-10 18:32:18 +0000 (Fri, 10 Mar 2006) New Revision: 14170
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=14170 Log: Paranioa fix for sesssetup. Fix Coverity bug #26. Guard against NULL ref. Jeremy. Modified: branches/SAMBA_3_0/source/libads/krb5_setpw.c branches/SAMBA_3_0/source/smbd/sesssetup.c Changeset:
Modified: branches/SAMBA_3_0/source/libads/krb5_setpw.c
===================================================================
--- branches/SAMBA_3_0/source/libads/krb5_setpw.c 2006-03-10 17:52:52 UTC (rev 14169)
+++ branches/SAMBA_3_0/source/libads/krb5_setpw.c 2006-03-10 18:32:18 UTC (rev 14170)
@@ -65,19 +65,22 @@
 princ = SMB_STRDUP(principal);
 if ((c = strchr_m(princ, '/')) == NULL) {
- c = princ;
+ c = princ;
 } else {
- *c = '\0';
- c++;
- princ_part1 = princ;
+ *c = '\0';
+ c++;
+ princ_part1 = princ;
 }
 princ_part2 = c;
 if ((c = strchr_m(c, '@')) != NULL) {
- *c = '\0';
- c++;
- realm = c;
+ *c = '\0';
+ c++;
+ realm = c;
+ } else {
+ /* We must have a realm component. */
+ return data_blob(NULL, 0);
 }
 memset(&req, 0, sizeof(req));
@@ -97,8 +100,9 @@
 asn1_push_tag(&req, ASN1_CONTEXT(1));
 asn1_push_tag(&req, ASN1_SEQUENCE(0));
- if (princ_part1)
- asn1_write_GeneralString(&req, princ_part1);
+ if (princ_part1) {
+ asn1_write_GeneralString(&req, princ_part1);
+ }
 asn1_write_GeneralString(&req, princ_part2);
 asn1_pop_tag(&req);
@@ -151,6 +155,10 @@
 else
 return EINVAL;
+ if (setpw.data == NULL || setpw.length == 0) {
+ return EINVAL;
+ }
+
 encoded_setpw.data = (char *)setpw.data;
 encoded_setpw.length = setpw.length;
Modified: branches/SAMBA_3_0/source/smbd/sesssetup.c
===================================================================
--- branches/SAMBA_3_0/source/smbd/sesssetup.c 2006-03-10 17:52:52 UTC (rev 14169)
+++ branches/SAMBA_3_0/source/smbd/sesssetup.c 2006-03-10 18:32:18 UTC (rev 14170)
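Review bot: The new `else` branch in the first krb5_setpw.c hunk returns `data_blob(NULL, 0)` without releasing `princ`, which was allocated by `SMB_STRDUP(principal)` at the top of the same hunk, so every principal without an `@realm` part leaks that copy. Release it before returning, e.g. `SAFE_FREE(princ);` on the line ahead of the `return`. Separately, the result of `SMB_STRDUP` goes straight into `strchr_m` with no NULL check visible here; if that macro can return NULL on allocation failure rather than abort, it is another NULL dereference of the kind this commit is meant to close. The function starts and ends outside the hunk, so how `princ` is freed on the normal path should be confirmed there.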
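Review bot: The added guard `if (setpw.data == NULL || setpw.length == 0)` in the third krb5_setpw.c hunk carries no comment saying which failures it catches, and it reports all of them as `EINVAL` with no log line. It looks like this is where the empty blob returned for a realm-less principal (first hunk) is caught, but an allocation failure in the encoder would presumably arrive the same way. A comment such as `/* Empty blob: encoding failed (e.g. principal without a realm) */` would make that link explicit, and a `DEBUG` message naming the cause would help anyone diagnosing a rejected password change. The enclosing function begins and ends outside the hunk.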
@@ -1079,6 +1079,11 @@
 return ERROR_NT(nt_status_squash(nt_status));
 }
+ /* Ensure we can't possible take a code path leading to a null defref. */
+ if (!server_info) {
+ return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+ }
+
 nt_status = create_local_token(server_info);
 if (!NT_STATUS_IS_OK(nt_status)) {
 DEBUG(10, ("create_local_token failed: %s\n",
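Review bot: The new `if (!server_info)` return fails closed, which is the right direction, but it exits silently and may skip cleanup. Reaching it means the preceding authentication step reported success without producing `server_info`, an internal inconsistency that should be recorded; add something like `DEBUG(0, ("session setup: auth succeeded but server_info is NULL\n"));` before the return. If the error branch just above the hunk frees response blobs or clears password buffers before its `return ERROR_NT(...)` (those lines are not visible here), this return needs the same cleanup. The comment also has two typos: `possible` should read `possibly` and `defref` should read `deref`.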