The branch, master has been updated via 94f11e9 s3-net: Fix rpc_service_list_internal() null pointer passing. via 9b0c1ab s3-rpcclient: Fix cmd_eventlog_loginfo() null pointer passing. via 30e1dc0 s3-rpcclient: Fix cmd_eventlog_readlog() null pointer passing. via ab14918 s3-idmap: Check return value of string_to_sid(). from 6cb7c4f docs: Fix typo in vfs_tsmsm.8.xml.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 94f11e9d168931018125a1552f22b786ba290dd0 Author: Andreas Schneider <a...@samba.org> Date: Fri Dec 21 16:03:51 2012 +0100 s3-net: Fix rpc_service_list_internal() null pointer passing. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Günther Deschner <g...@samba.org> Found by Coverity. Autobuild-User(master): Günther Deschner <g...@samba.org> Autobuild-Date(master): Wed Jan 2 14:19:50 CET 2013 on sn-devel-104 commit 9b0c1ab07c2c9a3fce1c49ad3d476ca1301182a4 Author: Andreas Schneider <a...@samba.org> Date: Fri Dec 21 15:58:49 2012 +0100 s3-rpcclient: Fix cmd_eventlog_loginfo() null pointer passing. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Günther Deschner <g...@samba.org> Found by Coverity. commit 30e1dc08df8d891e1ab6e17d786a7a239417947f Author: Andreas Schneider <a...@samba.org> Date: Fri Dec 21 15:52:02 2012 +0100 s3-rpcclient: Fix cmd_eventlog_readlog() null pointer passing. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Günther Deschner <g...@samba.org> Found by Coverity. commit ab14918ea406eed2ed79c39dea7b855e4ecbac74 Author: Andreas Schneider <a...@samba.org> Date: Fri Dec 14 16:54:55 2012 +0100 s3-idmap: Check return value of string_to_sid(). Found by Coverity. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Günther Deschner <g...@samba.org> Reviewed-by: Christian Ambach <a...@samba.org> ----------------------------------------------------------------------- Summary of changes: source3/rpcclient/cmd_eventlog.c | 25 ++++++++++++++++--------- source3/utils/net_rpc_service.c | 15 +++++++++++++-- source3/winbindd/idmap_autorid.c | 7 ++++++- 3 files changed, 35 insertions(+), 12 deletions(-) Changeset truncated at 500 lines:
diff --git a/source3/rpcclient/cmd_eventlog.c b/source3/rpcclient/cmd_eventlog.c
index a9d971e..949e025 100644
--- a/source3/rpcclient/cmd_eventlog.c
+++ b/source3/rpcclient/cmd_eventlog.c
@@ -69,7 +69,7 @@ static NTSTATUS cmd_eventlog_readlog(struct rpc_pipe_client *cli,
 EVENTLOG_SEQUENTIAL_READ;
 uint32_t offset = 0;
 uint32_t number_of_bytes = 0;
- uint8_t *data = NULL;
+ uint8_t *data;
 uint32_t sent_size = 0;
 uint32_t real_size = 0;
@@ -84,10 +84,6 @@ static NTSTATUS cmd_eventlog_readlog(struct rpc_pipe_client *cli,
 if (argc >= 4) {
 number_of_bytes = atoi(argv[3]);
- data = talloc_array(mem_ctx, uint8_t, number_of_bytes);
- if (!data) {
- goto done;
- }
 }
 status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
@@ -95,6 +91,11 @@ static NTSTATUS cmd_eventlog_readlog(struct rpc_pipe_client *cli,
 return status;
 }
+ data = talloc_array(mem_ctx, uint8_t, number_of_bytes);
+ if (data == NULL) {
+ goto done;
+ }
+
 do {
 enum ndr_err_code ndr_err;
@@ -118,8 +119,8 @@ static NTSTATUS cmd_eventlog_readlog(struct rpc_pipe_client *cli,
 if (NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL) && real_size > 0 ) {
 number_of_bytes = real_size;
- data = talloc_array(mem_ctx, uint8_t, real_size);
- if (!data) {
+ data = talloc_realloc(mem_ctx, data, uint8_t, real_size);
+ if (data == NULL) {
 goto done;
 }
 status = dcerpc_eventlog_ReadEventLogW(b, mem_ctx,
@@ -509,6 +510,12 @@ static NTSTATUS cmd_eventlog_loginfo(struct rpc_pipe_client *cli,
 return status;
 }
+ buffer = talloc_array(mem_ctx, uint8_t, bytes_needed);
+ if (buffer == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
 status = dcerpc_eventlog_GetLogInformation(b, mem_ctx, &handle, 0, /* level */
@@ -525,8 +532,8 @@ static NTSTATUS cmd_eventlog_loginfo(struct rpc_pipe_client *cli,
 }
 buf_size = bytes_needed;
- buffer = talloc_array(mem_ctx, uint8_t, bytes_needed);
- if (!buffer) {
+ buffer = talloc_realloc(mem_ctx, buffer, uint8_t, bytes_needed);
+ if (buffer == NULL) {
 status = NT_STATUS_NO_MEMORY;
 goto done;
 }
diff --git a/source3/utils/net_rpc_service.c b/source3/utils/net_rpc_service.c
index 523eafd..0c0995a 100644
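Review bot: When `talloc_array()` fails in the block added after get_eventlog_handle() in cmd_eventlog_readlog() (hunk at -95), the code jumps to `done` without setting an error, so `status` presumably still holds the success value from get_eventlog_handle() and the command would report success on out-of-memory. The `talloc_realloc()` failure path in the hunk at -118 has the same gap. Both branches should set `status = NT_STATUS_NO_MEMORY;` before `goto done;`, as the cmd_eventlog_loginfo() hunks in this commit already do. The `done` label and the return statement are outside the hunks, so this assumes `done` returns `status` unchanged.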
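Review bot: The allocation added before dcerpc_eventlog_GetLogInformation() in cmd_eventlog_loginfo() (hunk at -509) has no comment explaining why a buffer is created before the required size is known. `bytes_needed` has presumably not been filled in by the server at this point (its initialisation is outside the hunk), so this looks like a zero-length allocation whose only purpose is to hand the call a non-NULL pointer. A one-line comment such as `/* the call needs a non-NULL buffer even when only probing for the size */` would keep a later cleanup from removing it. The same applies to the `talloc_array(mem_ctx, uint8_t, buf_size)` added at -307 in net_rpc_service.c, where `buf_size` is declared as 0 in the first hunk.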
--- a/source3/utils/net_rpc_service.c
+++ b/source3/utils/net_rpc_service.c
@@ -289,7 +289,7 @@ static NTSTATUS rpc_service_list_internal(struct net_context *c,
 int i;
 struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
- uint8_t *buffer = NULL;
+ uint8_t *buffer;
 uint32_t buf_size = 0;
 uint32_t bytes_needed = 0;
 uint32_t num_services = 0;
@@ -307,6 +307,12 @@ static NTSTATUS rpc_service_list_internal(struct net_context *c,
 return werror_to_ntstatus(result);
 }
+ buffer = talloc_array(mem_ctx, uint8_t, buf_size);
+ if (buffer == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
 do {
 status = dcerpc_svcctl_EnumServicesStatusW(b, mem_ctx, &hSCM,
@@ -327,8 +333,12 @@ static NTSTATUS rpc_service_list_internal(struct net_context *c,
 }
 if (W_ERROR_EQUAL(result, WERR_MORE_DATA) && bytes_needed > 0) {
- buffer = talloc_array(mem_ctx, uint8_t, bytes_needed);
 buf_size = bytes_needed;
+ buffer = talloc_realloc(mem_ctx, buffer, uint8_t, bytes_needed);
+ if (buffer == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ break;
+ }
 continue;
 }
@@ -381,6 +391,7 @@ static NTSTATUS rpc_service_list_internal(struct net_context *c,
 } while (W_ERROR_EQUAL(result, WERR_MORE_DATA));
+done:
 if (is_valid_policy_hnd(&hSCM)) {
 WERROR _result;
 dcerpc_svcctl_CloseServiceHandle(b, mem_ctx, &hSCM, &_result);
diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
index 621cae9..b7b1689 100644
--- a/source3/winbindd/idmap_autorid.c
+++ b/source3/winbindd/idmap_autorid.c
@@ -248,6 +248,7 @@ static NTSTATUS idmap_autorid_id_to_sid(struct autorid_global_config *cfg,
 char *keystr;
 struct dom_sid sid;
 NTSTATUS status;
+ bool ok;
 /* can this be one of our ids? */
 if (map->xid.id < cfg->minvalue) {
@@ -297,8 +298,12 @@ static NTSTATUS idmap_autorid_id_to_sid(struct autorid_global_config *cfg,
 return idmap_autorid_map_id_to_sid(dom, map);
 }
- string_to_sid(&sid, (const char *)data.dptr);
+ ok = string_to_sid(&sid, (const char *)data.dptr);
 TALLOC_FREE(data.dptr);
+ if (!ok) {
+ map->status = ID_UNKNOWN;
+ return NT_STATUS_OK;
+ }
 sid_compose(map->sid, &sid, (map->xid.id - cfg->minvalue -
-- Samba Shared Repository
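Review bot: The new `if (!ok)` branch in idmap_autorid_id_to_sid() turns an unparsable database value into `ID_UNKNOWN` with `NT_STATUS_OK` and leaves no trace, so a corrupted or tampered autorid record would be indistinguishable from an ordinary unmapped id. A log line in that branch, e.g. `DEBUG(1, ("idmap_autorid: invalid SID string in database\n"));`, would make this visible to an administrator. Separately, `data.dptr` is still cast to `const char *` and parsed as a C string; whether the record is guaranteed to be NUL-terminated is not visible here and is worth confirming against `data.dsize`. The function continues outside the hunk.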