The branch, master has been updated via ba53707... libwbclient: wbcFreeMemory deals fine with a NULL pointer via 89bbc41... libwbclient: Fix wbcListGroups against too small num_entries via 6d898b4... libwbclient: Fix wbcListUsers against too small num_entries from 23fd764... s4:winbind: fill response.data.num_entries for WINBINDD_LIST_USERS
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit ba537079cff577237b7df50ab15fabb5b0086166 Author: Volker Lendecke <v...@samba.org> Date: Mon Apr 19 15:56:30 2010 +0200 libwbclient: wbcFreeMemory deals fine with a NULL pointer commit 89bbc41d029e2327a9b9a3408c7552ce3e75e855 Author: Volker Lendecke <v...@samba.org> Date: Mon Apr 19 15:50:11 2010 +0200 libwbclient: Fix wbcListGroups against too small num_entries Thanks for the s4 winbind sending 0 here and Tridge to point it out to me :-) commit 6d898b45a381b3a93da4ac2c4e1af0487dd838ef Author: Volker Lendecke <v...@samba.org> Date: Mon Apr 19 15:50:11 2010 +0200 libwbclient: Fix wbcListUsers against too small num_entries Thanks for the s4 winbind sending 0 here and Tridge to point it out to me :-) ----------------------------------------------------------------------- Summary of changes: nsswitch/libwbclient/wbc_sid.c | 38 +++++++++++++++++++++++--------------- 1 files changed, 23 insertions(+), 15 deletions(-) Changeset truncated at 500 lines: diff --git a/nsswitch/libwbclient/wbc_sid.c b/nsswitch/libwbclient/wbc_sid.c index 2130077..73bd416 100644 --- a/nsswitch/libwbclient/wbc_sid.c +++ b/nsswitch/libwbclient/wbc_sid.c @@ -638,8 +638,17 @@ wbcErr wbcListUsers(const char *domain_name, next = (const char *)response.extra_data.data; while (next) { - const char *current = next; - char *k = strchr(next, ','); + const char *current; + char *k; + + if (num_users >= response.data.num_entries) { + wbc_status = WBC_ERR_INVALID_RESPONSE; + goto done; + } + + current = next; + k = strchr(next, ','); + if (k) { k[0] = '\0'; next = k+1; @@ -650,10 +659,6 @@ wbcErr wbcListUsers(const char *domain_name, users[num_users] = strdup(current); BAIL_ON_PTR_ERROR(users[num_users], wbc_status); num_users += 1; - if (num_users > response.data.num_entries) { - wbc_status = WBC_ERR_INVALID_RESPONSE; - goto done; - } } if (num_users != response.data.num_entries) { wbc_status = WBC_ERR_INVALID_RESPONSE; @@ -667,9 +672,7 @@ wbcErr wbcListUsers(const char *domain_name, done: winbindd_free_response(&response); - if (users) { - wbcFreeMemory(users); - } + wbcFreeMemory(users); return wbc_status; } @@ -709,8 +712,17 @@ wbcErr wbcListGroups(const char *domain_name, next = (const char *)response.extra_data.data; while (next) { - const char *current = next; - char *k = strchr(next, ','); + const char *current; + char *k; + + if (num_groups >= response.data.num_entries) { + wbc_status = WBC_ERR_INVALID_RESPONSE; + goto done; + } + + current = next; + k = strchr(next, ','); + if (k) { k[0] = '\0'; next = k+1; @@ -721,10 +733,6 @@ wbcErr wbcListGroups(const char *domain_name, groups[num_groups] = strdup(current); BAIL_ON_PTR_ERROR(groups[num_groups], wbc_status); num_groups += 1; - if (num_groups > response.data.num_entries) { - wbc_status = WBC_ERR_INVALID_RESPONSE; - goto done; - } } if (num_groups != response.data.num_entries) { wbc_status = WBC_ERR_INVALID_RESPONSE; -- Samba Shared Repository