The branch, master has been updated
       via  5df1c11 Start to add truncate checks on all uses of strlcpy(). 
Reading lwn has its uses :-).
       via  7629289 Based on code from Richard Sharpe 
<realrichardsha...@gmail.com>, ensure we don't crash on a NULL DACL.
      from  ed43a5a s3: Fix a valgrind error

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 5df1c115391f2d673d3dd2dfb89146ce77639d41
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Mar 28 16:49:30 2012 -0700

    Start to add truncate checks on all uses of strlcpy(). Reading lwn
    has its uses :-).
    
    Autobuild-User: Jeremy Allison <j...@samba.org>
    Autobuild-Date: Thu Mar 29 20:48:15 CEST 2012 on sn-devel-104

commit 762928945d8c18abbce1447fb0e731a4515ffb4c
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Mar 28 15:09:47 2012 -0700

    Based on code from Richard Sharpe <realrichardsha...@gmail.com>,
    ensure we don't crash on a NULL DACL.

-----------------------------------------------------------------------

Summary of changes:
 lib/socket/interfaces.c    |    8 ++++++--
 lib/util/fault.c           |   30 +++++++++++++++---------------
 lib/util/util_net.c        |   21 ++++++++++++++-------
 source3/smbd/file_access.c |    5 ++++-
 source3/smbd/process.c     |    4 +++-
 5 files changed, 42 insertions(+), 26 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/socket/interfaces.c b/lib/socket/interfaces.c
index 775956b..74c6423 100644
--- a/lib/socket/interfaces.c
+++ b/lib/socket/interfaces.c
@@ -212,8 +212,12 @@ static int _get_interfaces(TALLOC_CTX *mem_ctx, struct 
iface_struct **pifaces)
                        continue;
                }
 
-               strlcpy(ifaces[total].name, ifptr->ifa_name,
-                       sizeof(ifaces[total].name));
+               if (strlcpy(ifaces[total].name, ifptr->ifa_name,
+                       sizeof(ifaces[total].name)) >=
+                               sizeof(ifaces[total].name)) {
+                       /* Truncation ! Ignore. */
+                       continue;
+               }
                total++;
        }
 
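Review bot: An interface whose name does not fit in ifaces[total].name is now dropped silently at the new `continue`, so an interface can vanish from the list with no trace in the log. A name that long is unusual enough that an operator diagnosing a missing interface would want to see it reported; if the DEBUG macro is available in this file, something like `DEBUG(1, ("_get_interfaces: interface name %s too long, skipping\n", ifptr->ifa_name));` before the `continue` would do. The `/* Truncation ! Ignore. */` comment could also say why skipping is safe, i.e. that total is not advanced so the partially filled slot is reused by the next iteration. _get_interfaces starts and ends outside the hunk.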
diff --git a/lib/util/fault.c b/lib/util/fault.c
index d0b34e5..4f8e8db 100644
--- a/lib/util/fault.c
+++ b/lib/util/fault.c
@@ -116,8 +116,6 @@ _PUBLIC_ const char *panic_action = NULL;
 */
 static void smb_panic_default(const char *why)
 {
-       int result;
-
 #if defined(HAVE_PRCTL) && defined(PR_SET_PTRACER)
        /*
         * Make sure all children can attach a debugger.
@@ -126,20 +124,22 @@ static void smb_panic_default(const char *why)
 #endif
 
        if (panic_action && *panic_action) {
-               char pidstr[20];
                char cmdstring[200];
-               strlcpy(cmdstring, panic_action, sizeof(cmdstring));
-               snprintf(pidstr, sizeof(pidstr), "%d", (int) getpid());
-               all_string_sub(cmdstring, "%d", pidstr, sizeof(cmdstring));
-               DEBUG(0, ("smb_panic(): calling panic action [%s]\n", 
cmdstring));
-               result = system(cmdstring);
-
-               if (result == -1)
-                       DEBUG(0, ("smb_panic(): fork failed in panic action: 
%s\n",
-                                 strerror(errno)));
-               else
-                       DEBUG(0, ("smb_panic(): action returned status %d\n",
-                                 WEXITSTATUS(result)));
+               if (strlcpy(cmdstring, panic_action, sizeof(cmdstring)) < 
sizeof(cmdstring)) {
+                       int result;
+                       char pidstr[20];
+                       snprintf(pidstr, sizeof(pidstr), "%d", (int) getpid());
+                       all_string_sub(cmdstring, "%d", pidstr, 
sizeof(cmdstring));
+                       DEBUG(0, ("smb_panic(): calling panic action [%s]\n", 
cmdstring));
+                       result = system(cmdstring);
+
+                       if (result == -1)
+                               DEBUG(0, ("smb_panic(): fork failed in panic 
action: %s\n",
+                                         strerror(errno)));
+                       else
+                               DEBUG(0, ("smb_panic(): action returned status 
%d\n",
+                                         WEXITSTATUS(result)));
+               }
        }
        DEBUG(0,("PANIC: %s\n", why));
 
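Review bot: When panic_action does not fit in cmdstring[200], the new `if (strlcpy(cmdstring, panic_action, sizeof(cmdstring)) < sizeof(cmdstring))` quietly skips the panic action and nothing in the log says so, which is the one moment an operator is counting on it to run. An else branch such as `} else { DEBUG(0, ("smb_panic(): panic action too long (%zu bytes), not executed\n", strlen(panic_action))); }` would make the misconfiguration visible before the PANIC line. Note also that all_string_sub() expands each `%d` from two characters to a pid of up to 19, so the copy fitting is not the same as the final command fitting; presumably all_string_sub bounds that itself, but it is worth confirming. smb_panic_default continues past the hunk.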
diff --git a/lib/util/util_net.c b/lib/util/util_net.c
index 637c52b..69e5324 100644
--- a/lib/util/util_net.c
+++ b/lib/util/util_net.c
@@ -107,9 +107,11 @@ static bool interpret_string_addr_pref(struct 
sockaddr_storage *pss,
                 */
 
                if (p && (p > str) && ((scope_id = if_nametoindex(p+1)) != 0)) {
-                       strlcpy(addr, str,
-                               MIN(PTR_DIFF(p,str)+1,
-                                       sizeof(addr)));
+                       size_t len = MIN(PTR_DIFF(p,str)+1, sizeof(addr));
+                       if (strlcpy(addr, str, len) >= len) {
+                               /* Truncate. */
+                               return false;
+                       }
                        str = addr;
                }
        }
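Review bot: The new check `if (strlcpy(addr, str, len) >= len)` fires on every input that reaches it, so any address carrying a scope id is now rejected with `return false`. strlcpy() returns the length of the whole source string, and p points inside str (the condition requires p > str), so strlen(str) is at least PTR_DIFF(p,str)+1, which is never less than len; the copy here is a deliberate prefix copy, not a full-string copy, so the return value cannot be used as a truncation test. The truncation test belongs on the buffer size instead: `size_t len = PTR_DIFF(p,str)+1; if (len > sizeof(addr)) { return false; } strlcpy(addr, str, len);`. interpret_string_addr_pref starts and ends outside the hunk.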
@@ -332,9 +334,11 @@ bool is_ipaddress_v6(const char *str)
                 */
 
                if (p && (p > str) && (if_nametoindex(p+1) != 0)) {
-                       strlcpy(addr, str,
-                               MIN(PTR_DIFF(p,str)+1,
-                                       sizeof(addr)));
+                       size_t len = MIN(PTR_DIFF(p,str)+1, sizeof(addr));
+                       if (strlcpy(addr, str, len) >= len) {
+                               /* Truncate. */
+                               return false;
+                       }
                        sp = addr;
                }
                ret = inet_pton(AF_INET6, sp, &dest6);
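Review bot: The same always-true truncation test as in interpret_string_addr_pref appears here at `if (strlcpy(addr, str, len) >= len)`, so is_ipaddress_v6 now returns false for every IPv6 literal with a valid scope id. Because p lies inside str, strlcpy's return value (strlen(str)) is always at least PTR_DIFF(p,str)+1 and hence never below len, even when the prefix fits in addr. Replace it with a size check on the prefix: `size_t len = PTR_DIFF(p,str)+1; if (len > sizeof(addr)) { return false; } strlcpy(addr, str, len);`. is_ipaddress_v6 starts before the hunk.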
@@ -723,7 +727,10 @@ static const char *get_socket_addr(int fd, char *addr_buf, 
size_t addr_len)
         * zero IPv6 address. No good choice here.
         */
 
-       strlcpy(addr_buf, "0.0.0.0", addr_len);
+       if (strlcpy(addr_buf, "0.0.0.0", addr_len) >= addr_len) {
+               /* Truncate ! */
+               return NULL;
+       }
 
        if (fd == -1) {
                return addr_buf;
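Review bot: Returning NULL from get_socket_addr is a new failure mode that every caller must now handle, and the function's header comment (outside the hunk) should state it, e.g. `/* Returns NULL if addr_buf cannot hold the address text. */`. The check only guards the 8-byte "0.0.0.0" placeholder; the address formatting later in the function, which needs up to INET6_ADDRSTRLEN bytes, presumably has its own bound, but a caller with a buffer just large enough for the placeholder would pass this check, so that later path is worth confirming. The diff in process.c updates one caller; any other callers of the wrappers around this function are not visible here.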
diff --git a/source3/smbd/file_access.c b/source3/smbd/file_access.c
index 9fff8e3..6ced6a6 100644
--- a/source3/smbd/file_access.c
+++ b/source3/smbd/file_access.c
@@ -155,7 +155,10 @@ bool directory_has_default_acl(connection_struct *conn, 
const char *fname)
        NTSTATUS status = SMB_VFS_GET_NT_ACL(conn, fname,
                                SECINFO_DACL, &secdesc);
 
-       if (!NT_STATUS_IS_OK(status) || secdesc == NULL) {
+       if (!NT_STATUS_IS_OK(status) ||
+                       secdesc == NULL ||
+                       secdesc->dacl == NULL) {
+               TALLOC_FREE(secdesc);
                return false;
        }
 
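Review bot: The added `secdesc->dacl == NULL` test reads like a defensive NULL check, but it is a semantic decision that a descriptor with no DACL has no default ACL, and a one-line comment would keep a later reader from "fixing" it. Something like `/* No DACL means nothing to inherit; treat as no default ACL. */` above the condition, hedged if the exact Windows semantics are not what the VFS backends guarantee. Freeing secdesc on every early return is correct since TALLOC_FREE tolerates NULL. directory_has_default_acl starts before the hunk.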
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index ed19e7f..30dbc0c 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -3037,7 +3037,9 @@ static NTSTATUS smbd_register_ips(struct 
smbd_server_connection *sconn,
                return NT_STATUS_NO_MEMORY;
        }
 
-       client_socket_addr(sconn->sock, tmp_addr, sizeof(tmp_addr));
+       if (client_socket_addr(sconn->sock, tmp_addr, sizeof(tmp_addr)) == 
NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
        addr = talloc_strdup(cconn, tmp_addr);
        if (addr == NULL) {
                return NT_STATUS_NO_MEMORY;
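Review bot: The new `return NT_STATUS_NO_MEMORY;` after client_socket_addr() fails reports the wrong condition; per the companion change in util_net.c the NULL return means the address text did not fit in tmp_addr, not an allocation failure, and that status will send anyone reading the logs down the wrong path. A status that names the real problem, such as `return NT_STATUS_BUFFER_TOO_SMALL;` if that code is defined in this tree, or at least a `DEBUG(0, ...)` line before the return, would be better. smbd_register_ips starts and ends outside the hunk, so the size of tmp_addr is not visible here.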


-- 
Samba Shared Repository
