The branch, master has been updated via 5df1c11 Start to add truncate checks on all uses of strlcpy(). Reading lwn has it's uses :-). via 7629289 Based on code from Richard Sharpe <realrichardsha...@gmail.com>, ensure we don't crash on a NULL DACL. from ed43a5a s3: Fix a valgrind error
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 5df1c115391f2d673d3dd2dfb89146ce77639d41 Author: Jeremy Allison <j...@samba.org> Date: Wed Mar 28 16:49:30 2012 -0700 Start to add truncate checks on all uses of strlcpy(). Reading lwn has it's uses :-). Autobuild-User: Jeremy Allison <j...@samba.org> Autobuild-Date: Thu Mar 29 20:48:15 CEST 2012 on sn-devel-104 commit 762928945d8c18abbce1447fb0e731a4515ffb4c Author: Jeremy Allison <j...@samba.org> Date: Wed Mar 28 15:09:47 2012 -0700 Based on code from Richard Sharpe <realrichardsha...@gmail.com>, ensure we don't crash on a NULL DACL. ----------------------------------------------------------------------- Summary of changes: lib/socket/interfaces.c | 8 ++++++-- lib/util/fault.c | 30 +++++++++++++++--------------- lib/util/util_net.c | 21 ++++++++++++++------- source3/smbd/file_access.c | 5 ++++- source3/smbd/process.c | 4 +++- 5 files changed, 42 insertions(+), 26 deletions(-) Changeset truncated at 500 lines:
diff --git a/lib/socket/interfaces.c b/lib/socket/interfaces.c
index 775956b..74c6423 100644
--- a/lib/socket/interfaces.c
+++ b/lib/socket/interfaces.c
@@ -212,8 +212,12 @@ static int _get_interfaces(TALLOC_CTX *mem_ctx, struct iface_struct **pifaces)
 continue;
 }
- strlcpy(ifaces[total].name, ifptr->ifa_name,
- sizeof(ifaces[total].name));
+ if (strlcpy(ifaces[total].name, ifptr->ifa_name,
+ sizeof(ifaces[total].name)) >=
+ sizeof(ifaces[total].name)) {
+ /* Truncation ! Ignore. */
+ continue;
+ }
 total++;
 }
diff --git a/lib/util/fault.c b/lib/util/fault.c
index d0b34e5..4f8e8db 100644
--- a/lib/util/fault.c
+++ b/lib/util/fault.c
@@ -116,8 +116,6 @@ _PUBLIC_ const char *panic_action = NULL;
 */
 static void smb_panic_default(const char *why)
 {
- int result;
-
 #if defined(HAVE_PRCTL) && defined(PR_SET_PTRACER)
 /*
 * Make sure all children can attach a debugger.
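Review bot: The new truncation branch in the `_get_interfaces` loop drops an interface whose name does not fit `ifaces[total].name` without leaving any trace, so an administrator sees a missing interface and nothing in the log that explains it. A debug line before the `continue` would make this diagnosable, for example `DEBUG(2, ("_get_interfaces: name [%s] too long, interface ignored\n", ifptr->ifa_name));`, assuming DEBUG is usable in this file. Skipping the entry rather than storing a shortened name looks like the right choice, since a shortened name could match a different interface. The loop and the rest of the function lie outside the hunk.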
@@ -126,20 +124,22 @@ static void smb_panic_default(const char *why)
 #endif
 if (panic_action && *panic_action) {
- char pidstr[20];
 char cmdstring[200];
- strlcpy(cmdstring, panic_action, sizeof(cmdstring));
- snprintf(pidstr, sizeof(pidstr), "%d", (int) getpid());
- all_string_sub(cmdstring, "%d", pidstr, sizeof(cmdstring));
- DEBUG(0, ("smb_panic(): calling panic action [%s]\n", cmdstring));
- result = system(cmdstring);
-
- if (result == -1)
- DEBUG(0, ("smb_panic(): fork failed in panic action: %s\n",
- strerror(errno)));
- else
- DEBUG(0, ("smb_panic(): action returned status %d\n",
- WEXITSTATUS(result)));
+ if (strlcpy(cmdstring, panic_action, sizeof(cmdstring)) < sizeof(cmdstring)) {
+ int result;
+ char pidstr[20];
+ snprintf(pidstr, sizeof(pidstr), "%d", (int) getpid());
+ all_string_sub(cmdstring, "%d", pidstr, sizeof(cmdstring));
+ DEBUG(0, ("smb_panic(): calling panic action [%s]\n", cmdstring));
+ result = system(cmdstring);
+
+ if (result == -1)
+ DEBUG(0, ("smb_panic(): fork failed in panic action: %s\n",
+ strerror(errno)));
+ else
+ DEBUG(0, ("smb_panic(): action returned status %d\n",
+ WEXITSTATUS(result)));
+ }
 }
 DEBUG(0,("PANIC: %s\n", why));
diff --git a/lib/util/util_net.c b/lib/util/util_net.c
index 637c52b..69e5324 100644
--- a/lib/util/util_net.c
+++ b/lib/util/util_net.c
@@ -107,9 +107,11 @@ static bool interpret_string_addr_pref(struct sockaddr_storage *pss,
 */
 if (p && (p > str) && ((scope_id = if_nametoindex(p+1)) != 0)) {
- strlcpy(addr, str,
- MIN(PTR_DIFF(p,str)+1,
- sizeof(addr)));
+ size_t len = MIN(PTR_DIFF(p,str)+1, sizeof(addr));
+ if (strlcpy(addr, str, len) >= len) {
+ /* Truncate. */
+ return false;
+ }
 str = addr;
 }
 }
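Review bot: When `panic_action` does not fit `cmdstring`, the new `if` in `smb_panic_default` skips the action silently, so the configured crash handler never runs and the log does not say why. An `else` branch with `DEBUG(0, ("smb_panic(): panic action too long, not run\n"));` would record it. The check also covers only the initial copy: `all_string_sub()` can lengthen the string when `%d` is replaced by the pid, and its behaviour at the `sizeof(cmdstring)` limit is not visible here, so it should be confirmed that a shortened command cannot reach `system()` by that route. The function starts and ends outside the hunk.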
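Review bot: The test `strlcpy(addr, str, len) >= len` in `interpret_string_addr_pref` fires on every scoped address, not only on truncation. strlcpy() returns the length of the whole source string, and `str` still holds the delimiter that `p` points at plus the interface name after it, so the return value is always at least `PTR_DIFF(p,str)+1` and the function now returns false for any `addr%ifname` input. Compare the prefix length with the buffer before copying instead: `if (PTR_DIFF(p,str)+1 > sizeof(addr)) { return false; }` followed by the unchecked `strlcpy(addr, str, PTR_DIFF(p,str)+1);`. The identical pattern in the `is_ipaddress_v6` hunk has the same defect and would make it reject scoped IPv6 literals. Both functions extend beyond their hunks.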
@@ -332,9 +334,11 @@ bool is_ipaddress_v6(const char *str)
 */
 if (p && (p > str) && (if_nametoindex(p+1) != 0)) {
- strlcpy(addr, str,
- MIN(PTR_DIFF(p,str)+1,
- sizeof(addr)));
+ size_t len = MIN(PTR_DIFF(p,str)+1, sizeof(addr));
+ if (strlcpy(addr, str, len) >= len) {
+ /* Truncate. */
+ return false;
+ }
 sp = addr;
 }
 ret = inet_pton(AF_INET6, sp, &dest6);
@@ -723,7 +727,10 @@ static const char *get_socket_addr(int fd, char *addr_buf, size_t addr_len)
 * zero IPv6 address. No good choice here.
 */
- strlcpy(addr_buf, "0.0.0.0", addr_len);
+ if (strlcpy(addr_buf, "0.0.0.0", addr_len) >= addr_len) {
+ /* Truncate ! */
+ return NULL;
+ }
 if (fd == -1) {
 return addr_buf;
diff --git a/source3/smbd/file_access.c b/source3/smbd/file_access.c
index 9fff8e3..6ced6a6 100644
--- a/source3/smbd/file_access.c
+++ b/source3/smbd/file_access.c
@@ -155,7 +155,10 @@ bool directory_has_default_acl(connection_struct *conn, const char *fname)
 NTSTATUS status = SMB_VFS_GET_NT_ACL(conn, fname, SECINFO_DACL, &secdesc);
- if (!NT_STATUS_IS_OK(status) || secdesc == NULL) {
+ if (!NT_STATUS_IS_OK(status) ||
+ secdesc == NULL ||
+ secdesc->dacl == NULL) {
+ TALLOC_FREE(secdesc);
 return false;
 }
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index ed19e7f..30dbc0c 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -3037,7 +3037,9 @@ static NTSTATUS smbd_register_ips(struct smbd_server_connection *sconn,
 return NT_STATUS_NO_MEMORY;
 }
- client_socket_addr(sconn->sock, tmp_addr, sizeof(tmp_addr));
+ if (client_socket_addr(sconn->sock, tmp_addr, sizeof(tmp_addr)) == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
 addr = talloc_strdup(cconn, tmp_addr);
 if (addr == NULL) {
 return NT_STATUS_NO_MEMORY;
-- Samba Shared Repository
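Review bot: `get_socket_addr` gains a NULL return for a too-small buffer, so every caller now has to tolerate NULL where the visible path used to hand back `addr_buf`. This commit updates only the `client_socket_addr` call in `smbd_register_ips`; other callers, not visible here, that pass the result straight to a `%s` format or a string copy should be audited. A line in the function's header comment such as `Returns NULL if addr_buf is too small to hold an address.` would state the new contract. The function body continues outside the hunk.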
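Review bot: The added `TALLOC_FREE(secdesc)` in `directory_has_default_acl` also runs when `SMB_VFS_GET_NT_ACL` fails, so it relies on `secdesc` being initialised to NULL at its declaration above the hunk; that should be confirmed, because an uninitialised pointer would otherwise be freed on the error path. The new test also deserves a short comment, for example `/* A NULL DACL has no ACEs to inspect; treat as no default ACL. */`, since an absent DACL and an empty DACL mean different things for access and the reader should see which case is handled. The function continues below the hunk.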
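Review bot: The new failure branch in `smbd_register_ips` returns `NT_STATUS_NO_MEMORY`, but a NULL from `client_socket_addr` here presumably means the address did not fit `tmp_addr`, not that an allocation failed. A distinct status such as `NT_STATUS_INVALID_PARAMETER` would keep the error seen by callers and in logs accurate. The function starts and ends outside the hunk.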