The branch, v4-7-test has been updated
       via  e728f9f s4:kcc: Add a NULL check before qsort()
       via  84bac58 s3:smbget: Fix buffer truncation issues with gcc8
       via  e0a7415 s3:registry: Fix buffer truncation issues issues with gcc8
       via  ce0b090 samdb: Fix build error with gcc8
       via  bc6a072 s3-winbindd: remove unused fill_domain_username()
       via  6fa0630 s3-winbindd: use fill_domain_username_talloc() in winbind.
       via  7b6a1de s3:libnet: Fix format-truncation warning in samsync_ldif
       via  6aaf3a8 lib: Fix array size in audit_logging
       via  aab4aca s4:ntvfs: Fix string copy of share_name
       via  461bd25 lib:util: Fix parameter aliasing in tfork test
       via  99ab2e2 s3:passdb: Fix size of ascii_p16
       via  992faaa s3:lib: Use memcpy() in escape_ldap_string()
       via  7cf1573 s4:torture: Use strlcpy() in gen_name()
       via  c4a2cd3 s3-utils: fix format-truncation in smbpasswd
       via  911417a s4-torture: fix format-truncation warning in smb2 session 
tests.
       via  c146fd8 s3-printing: fix format-truncation in print_queue_update()
      from  454f425 heimdal: lib/krb5: do not fail set_config_files due to 
parse error

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test


- Log -----------------------------------------------------------------
commit e728f9f4e0c4a2a196b87d02f33892cdd0e032c2
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Jun 21 11:11:58 2018 +0200

    s4:kcc: Add a NULL check before qsort()
    
    ../source4/dsdb/kcc/kcc_topology.c: In function 
‘kcctpl_get_all_bridgehead_dcs.constprop’:
    ../source4/dsdb/kcc/kcc_topology.c:1330:3: error: argument 1 null where 
non-null expected [-Werror=nonnull]
       qsort(bridgeheads.data, bridgeheads.count,
       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    
    Autobuild-User(v4-7-test): Karolin Seeger <ksee...@samba.org>
    Autobuild-Date(v4-7-test): Wed Jun 27 14:52:13 CEST 2018 on sn-devel-144

commit 84bac589f3d4f8ce7131d374963f275ea80af80b
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Jun 18 10:43:53 2018 +0200

    s3:smbget: Fix buffer truncation issues with gcc8
    
    ../source3/utils/smbget.c: In function ‘smb_download_file’:
    ../source3/utils/smbget.c:97:27: error: ‘b’ directive output may be 
truncated writing 1 byte into a region of size between 0 and 19 
[-Werror=format-truncation=]
       snprintf(buffer, l, "%jdb", (intmax_t)s);
                               ^
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 4a3164e0beea35c1f4ce44fbe43547f7104587d1)

commit e0a7415b48cf986ae8359e88dfd1eee51b7a2cb8
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Jun 18 10:34:27 2018 +0200

    s3:registry: Fix buffer truncation issues issues with gcc8
    
    ../source3/registry/reg_perfcount.c: In function ‘reg_perfcount_get_hkpd’:
    ../source3/registry/reg_perfcount.c:337:29: error: ‘snprintf’ output may be 
truncated before the last format character [-Werror=format-truncation=]
       snprintf(buf, buflen,"%d%s", key_part1, key_part2);
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 29f6842ee86b768f3677b38c5640655e312c398e)

commit ce0b0908b7753d6daf5162c9694f9c96bc8b563d
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Jun 18 10:24:06 2018 +0200

    samdb: Fix build error with gcc8
    
    ../source4/dsdb/samdb/ldb_modules/samldb.c: In function ‘samldb_add’:
    ../source4/dsdb/samdb/ldb_modules/samldb.c:424:6: error: ‘found’ may be 
used uninitialized in this function [-Werror=maybe-uninitialized]
       if (found) {
          ^
    ../source4/dsdb/samdb/ldb_modules/samldb.c:348:11: note: ‘found’ was 
declared here
      bool ok, found;
               ^~~~~
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 76828876faa3cd463023e323983df0be597c7361)

commit bc6a07241d30118589dd61d061a3a4498d0a6757
Author: Günther Deschner <g...@samba.org>
Date:   Tue May 8 11:19:42 2018 +0200

    s3-winbindd: remove unused fill_domain_username()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437
    
    Guenther
    
    Signed-off-by: Guenther Deschner <g...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit b24d4eb7afad82afc3a9bab65e1d799edc4b5172)

commit 6fa063049a685970f962394aee034b4388e4be26
Author: Günther Deschner <g...@samba.org>
Date:   Tue May 8 11:18:56 2018 +0200

    s3-winbindd: use fill_domain_username_talloc() in winbind.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437
    
    Guenther
    
    Signed-off-by: Guenther Deschner <g...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit 3c6481d75cea175d0a69988577163efb40e2316b)

commit 7b6a1de1bd0e401be14c64128be33c7c3eee208e
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Jun 13 17:56:59 2018 +0200

    s3:libnet: Fix format-truncation warning in samsync_ldif
    
    error: ‘%s’ directive output may be truncated writing up to 255 bytes
    into a region of size 250 [-Werror=format-truncation=]
        snprintf(homedir, sizeof(homedir), "/home/%s", username);
                                                      ^~   ~~~~~~~~
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

commit 6aaf3a88f4bdc0f8fe34779c24b7716fe641561e
Author: Andreas Schneider <a...@samba.org>
Date:   Wed May 16 13:59:55 2018 +0200

    lib: Fix array size in audit_logging
    
    ../lib/audit_logging/audit_logging.c: In function ‘json_add_timestamp’:
    ../lib/audit_logging/audit_logging.c:603:12: error: ‘%s’ directive
           output may be truncated writing up to 9 bytes into a region of size
           between 0 and 43 [-Werror=format-truncation=]
       "%s.%06ld%s",
                ^~
    ../lib/audit_logging/audit_logging.c:606:3:
       tz);
       ~~
    ../lib/audit_logging/audit_logging.c:600:2: note: ‘snprintf’ output
           between 8 and 70 bytes into a destination of size 50
      snprintf(
      ^~~~~~~~~
       timestamp,
       ~~~~~~~~~~
       sizeof(timestamp),
       ~~~~~~~~~~~~~~~~~~
       "%s.%06ld%s",
       ~~~~~~~~~~~~~
       buffer,
       ~~~~~~~
       tv.tv_usec,
       ~~~~~~~~~~~
       tz);
       ~~~
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    
    (cherry picked from commit 8b7c8eb3907e2123acee67949e88c26072afc81a)

commit aab4aca2602ef734c8e1b1faa50085f56e64f748
Author: Andreas Schneider <a...@samba.org>
Date:   Tue May 15 17:55:22 2018 +0200

    s4:ntvfs: Fix string copy of share_name
    
    ../source4/ntvfs/ipc/rap_server.c:70:3: error: ‘strncpy’ specified bound 13 
equals destination size [-Werror=stringop-truncation]
       strncpy((char *)r->out.info[j].info1.share_name,
       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        snames[i],
        ~~~~~~~~~~
        sizeof(r->out.info[0].info1.share_name));
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 609ef35c12900bbd5ecaa557f7b5d71b5784a103)

commit 461bd254c503c46b9c93dfdac292baffdc91f934
Author: Andreas Schneider <a...@samba.org>
Date:   Wed May 9 17:52:19 2018 +0200

    lib:util: Fix parameter aliasing in tfork test
    
    ../lib/util/tests/tfork.c:483:24: error: passing argument 1 to
        restrict-qualified parameter aliases with argument 4 [-Werror=restrict]
       ret = pthread_create(&threads[i],
                            ^~~~~~~~~~~
    ../lib/util/tests/tfork.c:486:10:
              (void *)&threads[i]);
              ~~~~~~~~~~~~~~~~~~~
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 6f06a0154f5769cb85f6e189eecd78cd7805090a)

commit 99ab2e29bf2d3ddb88bd1ed1d8a04ed4da288f8b
Author: Andreas Schneider <a...@samba.org>
Date:   Wed May 9 18:05:01 2018 +0200

    s3:passdb: Fix size of ascii_p16
    
    ../source3/passdb/pdb_smbpasswd.c: In function ‘mod_smbfilepwd_entry’:
    ../source3/passdb/pdb_smbpasswd.c:1015:7: error: ‘:LCT-’ directive
        output may be truncated writing 5 bytes into a region of size between 0
        and 255 [-Werror=format-truncat ion=]
        "%s:LCT-%08X:",
           ^~~~~
    ../source3/passdb/pdb_smbpasswd.c:1015:4: note: using the range [0,
        4294967295] for directive argument
        "%s:LCT-%08X:",
        ^~~~~~~~~~~~~~
    In file included from ../source3/include/includes.h:23,
                     from ../source3/passdb/pdb_smbpasswd.c:23:
    ../lib/replace/../replace/replace.h:514:18: note: ‘snprintf’ output
        between 15 and 270 bytes into a destination of size 255
     #define slprintf snprintf
    ../source3/passdb/pdb_smbpasswd.c:1013:3: note: in expansion of macro 
‘slprintf’
       slprintf(&ascii_p16[strlen(ascii_p16)],
       ^~~~~~~~
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 728297ca889b39ce2006778bf6a5bf1c3ce82d6d)

commit 992faaaffe6ed495cb88da5fe9669f82dbc59357
Author: Andreas Schneider <a...@samba.org>
Date:   Wed May 9 17:29:39 2018 +0200

    s3:lib: Use memcpy() in escape_ldap_string()
    
    ../source3/lib/ldap_escape.c: In function ‘escape_ldap_string’:
    ../source3/lib/ldap_escape.c:79:4: error: ‘strncpy’ output truncated
        before terminating nul copying 3 bytes from a string of the same length
    [-Werror=stringop-truncation]
        strncpy (p, sub, 3);
        ^~~~~~~~~~~~~~~~~~~
    
    We concatenat and do not care about NUL-termination till the loop has
    finished.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit ff7568daaeb19ff30f47f7f600ead247eaf4e826)

commit 7cf1573dec15fa806cf3b5265a86f74d8a1d77cc
Author: Andreas Schneider <a...@samba.org>
Date:   Wed May 9 17:35:45 2018 +0200

    s4:torture: Use strlcpy() in gen_name()
    
    ../source4/torture/basic/mangle_test.c: In function ‘gen_name’:
    ../source4/torture/basic/mangle_test.c:148:3: error: ‘strncpy’ output
        truncated before terminating nul copying 5 bytes from a string of the
        same length [-Werror=stringop-truncation]
       strncpy(p, "ABCDE", 5);
       ^~~~~~~~~~~~~~~~~~~~~~
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 7a00d90d668f53914ffe035c41a5e79e60b51521)

commit c4a2cd3ec3bb69959fdd8ee1cc6bf8e92032206a
Author: Günther Deschner <g...@samba.org>
Date:   Tue May 8 14:13:56 2018 +0200

    s3-utils: fix format-truncation in smbpasswd
    
    ../source3/utils/smbpasswd.c: In function ‘process_root’:
    ../source3/utils/smbpasswd.c:414:37: error: ‘$’ directive output may be 
truncated writing 1 byte into a region of size between 0 and 255 
[-Werror=format-truncation=]
       slprintf(buf, sizeof(buf) - 1, "%s$", user_name);
                                         ^
    In file included from ../source3/include/includes.h:23,
                     from ../source3/utils/smbpasswd.c:19:
    ../lib/replace/../replace/replace.h:514:18: note: ‘snprintf’ output between 
2 and 257 bytes into a destination of size 255
     #define slprintf snprintf
    ../source3/utils/smbpasswd.c:414:3: note: in expansion of macro ‘slprintf’
       slprintf(buf, sizeof(buf) - 1, "%s$", user_name);
       ^~~~~~~~
    ../source3/utils/smbpasswd.c:397:35: error: ‘$’ directive output may be 
truncated writing 1 byte into a region of size between 0 and 255 
[-Werror=format-truncation=]
       slprintf(buf, sizeof(buf)-1, "%s$", user_name);
                                       ^
    In file included from ../source3/include/includes.h:23,
                     from ../source3/utils/smbpasswd.c:19:
    ../lib/replace/../replace/replace.h:514:18: note: ‘snprintf’ output between 
2 and 257 bytes into a destination of size 255
     #define slprintf snprintf
    ../source3/utils/smbpasswd.c:397:3: note: in expansion of macro ‘slprintf’
       slprintf(buf, sizeof(buf)-1, "%s$", user_name);
       ^~~~~~~~
    cc1: some warnings being treated as errors
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437
    
    Pair-Programmed-With: Andreas Schneider <a...@samba.org>
    
    Signed-off-by: Guenther Deschner <g...@samba.org>
    Signed-off-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit 9b6dc8f504c406ed8a044e5becca7e8f01da6c84)

commit 911417a5018c5c00695551ee83523efa72c6eb36
Author: Günther Deschner <g...@samba.org>
Date:   Tue May 8 13:54:53 2018 +0200

    s4-torture: fix format-truncation warning in smb2 session tests.
    
    ../source4/torture/smb2/session.c: In function ‘test_session_reauth5’:
    ../source4/torture/smb2/session.c:645:36: error: ‘\file.dat’ directive 
output may be truncated writing 9 bytes into a region of size between 1 and 256 
[-Werror=format-truncation=]
      snprintf(fname, sizeof(fname), "%s\\file.dat", dname);
                                        ^~~~~~~~~~
    ../source4/torture/smb2/session.c:645:2: note: ‘snprintf’ output between 10 
and 265 bytes into a destination of size 256
      snprintf(fname, sizeof(fname), "%s\\file.dat", dname);
      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ../source4/torture/smb2/session.c:696:38: error: ‘\file2.dat’ directive 
output may be truncated writing 10 bytes into a region of size between 1 and 
256 [-Werror=format-truncation=]
      snprintf(fname2, sizeof(fname2), "%s\\file2.dat", dname);
                                          ^~~~~~~~~~~
    ../source4/torture/smb2/session.c:696:2: note: ‘snprintf’ output between 11 
and 266 bytes into a destination of size 256
      snprintf(fname2, sizeof(fname2), "%s\\file2.dat", dname);
      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    cc1: some warnings being treated as errors
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437
    
    Guenther
    
    Signed-off-by: Guenther Deschner <g...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit 5729898248041794ffdd0b769332e015baf12cce)

commit c146fd8433961dd3dc7bb194acaa7d2d4f25ef07
Author: Günther Deschner <g...@samba.org>
Date:   Tue May 8 13:46:11 2018 +0200

    s3-printing: fix format-truncation in print_queue_update()
    
    ../source3/printing/printing.c: In function ‘print_queue_update’:
    ../source3/printing/printing.c:1809:42: error: ‘%s’ directive output may be 
truncated writing up to 255 bytes into a region of size 244 
[-Werror=format-truncation=]
      snprintf(key, sizeof(key), "MSG_PENDING/%s", sharename);
                                              ^~   ~~~~~~~~~
    ../source3/printing/printing.c:1809:2: note: ‘snprintf’ output between 13 
and 268 bytes into a destination of size 256
      snprintf(key, sizeof(key), "MSG_PENDING/%s", sharename);
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437
    
    Guenther
    
    Signed-off-by: Guenther Deschner <g...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit 6326b3415f3e225aafd5912d0965c80abcd7b22c)

-----------------------------------------------------------------------

Summary of changes:
 auth/auth_log.c                         |  2 +-
 lib/util/tests/tfork.c                  |  7 ++---
 source3/lib/ldap_escape.c               |  2 +-
 source3/libnet/libnet_samsync_ldif.c    |  3 +-
 source3/passdb/pdb_smbpasswd.c          |  2 +-
 source3/printing/printing.c             |  2 +-
 source3/registry/reg_perfcount.c        | 12 ++++----
 source3/utils/smbget.c                  |  2 +-
 source3/utils/smbpasswd.c               | 49 +++++++++++++++++----------------
 source3/winbindd/wb_getpwsid.c          | 15 ++++++++--
 source3/winbindd/wb_query_user_list.c   |  9 ++++--
 source3/winbindd/winbindd_group.c       | 12 +++++---
 source3/winbindd/winbindd_list_groups.c | 14 +++++++---
 source3/winbindd/winbindd_pam.c         | 13 +++++++--
 source3/winbindd/winbindd_proto.h       |  1 -
 source3/winbindd/winbindd_util.c        | 20 --------------
 source4/dsdb/kcc/kcc_topology.c         |  5 ++++
 source4/dsdb/samdb/ldb_modules/samldb.c |  2 +-
 source4/ntvfs/ipc/rap_server.c          |  9 ++++--
 source4/torture/basic/mangle_test.c     |  2 +-
 source4/torture/smb2/session.c          |  2 +-
 21 files changed, 101 insertions(+), 84 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/auth_log.c b/auth/auth_log.c
index d4c6c44..72d8f81 100644
--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -350,7 +350,7 @@ static void add_version(struct json_context *context, int 
major, int minor)
 static void add_timestamp(struct json_context *context)
 {
        char buffer[40];        /* formatted time less usec and timezone */
-       char timestamp[50];     /* the formatted ISO 8601 time stamp     */
+       char timestamp[65];     /* the formatted ISO 8601 time stamp     */
        char tz[10];            /* formatted time zone                   */
        struct tm* tm_info;     /* current local time                    */
        struct timeval tv;      /* current system time                   */
diff --git a/lib/util/tests/tfork.c b/lib/util/tests/tfork.c
index 9bcdc2f..3c73355 100644
--- a/lib/util/tests/tfork.c
+++ b/lib/util/tests/tfork.c
@@ -417,8 +417,7 @@ static void *tfork_thread(void *p)
        struct tfork *t = NULL;
        int status;
        pid_t child;
-       pthread_t *ptid = (pthread_t *)p;
-       uint64_t tid;
+       uint64_t tid = (uint64_t)pthread_self();
        uint64_t *result = NULL;
        int up[2];
        ssize_t nread;
@@ -429,8 +428,6 @@ static void *tfork_thread(void *p)
                pthread_exit(NULL);
        }
 
-       tid = (uint64_t)*ptid;
-
        t = tfork_create();
        if (t == NULL) {
                pthread_exit(NULL);
@@ -480,7 +477,7 @@ static bool test_tfork_threads(struct torture_context *tctx)
 #endif
 
        for (i = 0; i < num_threads; i++) {
-               ret = pthread_create(&threads[i], NULL, tfork_thread, 
&threads[i]);
+               ret = pthread_create(&threads[i], NULL, tfork_thread, NULL);
                torture_assert_goto(tctx, ret == 0, ok, done,
                                    "pthread_create failed\n");
        }
diff --git a/source3/lib/ldap_escape.c b/source3/lib/ldap_escape.c
index fa75dab..0d2b8f5 100644
--- a/source3/lib/ldap_escape.c
+++ b/source3/lib/ldap_escape.c
@@ -76,7 +76,7 @@ char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s)
                        output = tmp;
 
                        p = &output[i];
-                       strncpy (p, sub, 3);
+                       memcpy(p, sub, 3);
                        p += 3;
                        i += 3;
 
diff --git a/source3/libnet/libnet_samsync_ldif.c 
b/source3/libnet/libnet_samsync_ldif.c
index 1702316..e45a755 100644
--- a/source3/libnet/libnet_samsync_ldif.c
+++ b/source3/libnet/libnet_samsync_ldif.c
@@ -646,7 +646,8 @@ static NTSTATUS fetch_account_info_to_ldif(TALLOC_CTX 
*mem_ctx,
                                           const char *suffix,
                                           int alloced)
 {
-       fstring username, logonscript, homedrive, homepath = "", homedir = "";
+       fstring username, logonscript, homedrive, homepath = "";
+       char homedir[262] = {0};
        fstring hex_nt_passwd, hex_lm_passwd;
        fstring description, profilepath, fullname, sambaSID;
        char *flags, *user_rdn;
diff --git a/source3/passdb/pdb_smbpasswd.c b/source3/passdb/pdb_smbpasswd.c
index 9c38147..ec184ca 100644
--- a/source3/passdb/pdb_smbpasswd.c
+++ b/source3/passdb/pdb_smbpasswd.c
@@ -741,7 +741,7 @@ static bool mod_smbfilepwd_entry(struct smbpasswd_privates 
*smbpasswd_state, con
        char linebuf[LINEBUF_SIZE + 1];
        char readbuf[1024];
        int c;
-       fstring ascii_p16;
+       char ascii_p16[FSTRING_LEN + 20];
        fstring encode_bits;
        unsigned char *p = NULL;
        size_t linebuf_len = 0;
diff --git a/source3/printing/printing.c b/source3/printing/printing.c
index c6c42f3..ed5f489 100644
--- a/source3/printing/printing.c
+++ b/source3/printing/printing.c
@@ -1694,7 +1694,7 @@ extern pid_t background_lpq_updater_pid;
 static void print_queue_update(struct messaging_context *msg_ctx,
                               int snum, bool force)
 {
-       fstring key;
+       char key[268];
        fstring sharename;
        char *lpqcommand = NULL;
        char *lprmcommand = NULL;
diff --git a/source3/registry/reg_perfcount.c b/source3/registry/reg_perfcount.c
index a8f76ac..db4451e 100644
--- a/source3/registry/reg_perfcount.c
+++ b/source3/registry/reg_perfcount.c
@@ -166,13 +166,12 @@ static uint32_t 
_reg_perfcount_multi_sz_from_tdb(TDB_CONTEXT *tdb,
                                               uint32_t buffer_size)
 {
        TDB_DATA kbuf, dbuf;
-       char temp[256];
+       char temp[PERFCOUNT_MAX_LEN] = {0};
        char *buf1 = *retbuf;
        uint32_t working_size = 0;
        DATA_BLOB name_index, name;
        bool ok;
 
-       memset(temp, 0, sizeof(temp));
        snprintf(temp, sizeof(temp), "%d", keyval);
        kbuf = string_tdb_data(temp);
        dbuf = tdb_fetch(tdb, kbuf);
@@ -709,13 +708,13 @@ static bool _reg_perfcount_get_instance_info(struct 
PERF_INSTANCE_DEFINITION *in
                                             TDB_CONTEXT *names)
 {
        TDB_DATA key, data;
-       char buf[PERFCOUNT_MAX_LEN], temp[PERFCOUNT_MAX_LEN];
+       char buf[PERFCOUNT_MAX_LEN] = {0};
+       char temp[32] = {0};
        smb_ucs2_t *name = NULL;
        int pad;
 
        /* First grab the instance data from the data file */
-       memset(temp, 0, PERFCOUNT_MAX_LEN);
-       snprintf(temp, PERFCOUNT_MAX_LEN, "i%d", instId);
+       snprintf(temp, sizeof(temp), "i%d", instId);
        _reg_perfcount_make_key(&key, buf, PERFCOUNT_MAX_LEN, 
obj->ObjectNameTitleIndex, temp);
        if (!_reg_perfcount_get_counter_data(key, &data)) {
                DEBUG(3, ("_reg_perfcount_get_counter_data failed\n"));
@@ -739,8 +738,7 @@ static bool _reg_perfcount_get_instance_info(struct 
PERF_INSTANCE_DEFINITION *in
        SAFE_FREE(data.dptr);
 
        /* Fetch instance name */
-       memset(temp, 0, PERFCOUNT_MAX_LEN);
-       snprintf(temp, PERFCOUNT_MAX_LEN, "i%dname", instId);
+       snprintf(temp, sizeof(temp), "i%dname", instId);
        _reg_perfcount_make_key(&key, buf, PERFCOUNT_MAX_LEN, 
obj->ObjectNameTitleIndex, temp);
        data = tdb_fetch(names, key);
        if(data.dptr == NULL)
diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c
index d2d5e00..e1be429 100644
--- a/source3/utils/smbget.c
+++ b/source3/utils/smbget.c
@@ -288,7 +288,7 @@ static void print_progress(const char *name, time_t start, 
time_t now,
        double avg = 0.0;
        long eta = -1;
        double prcnt = 0.0;
-       char hpos[20], htotal[20], havg[20];
+       char hpos[22], htotal[22], havg[22];
        char *status, *filename;
        int len;
        if (now - start) {
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index fb7ad28..88847be 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -368,36 +368,44 @@ static int process_root(int local_flags)
 
        if (local_flags & LOCAL_TRUST_ACCOUNT) {
                /* add the $ automatically */
-               static fstring buf;
+               size_t user_name_len = strlen(user_name);
 
-               /*
-                * Remove any trailing '$' before we
-                * generate the initial machine password.
-                */
-
-               if (user_name[strlen(user_name)-1] == '$') {
-                       user_name[strlen(user_name)-1] = 0;
+               if (user_name[user_name_len - 1] == '$') {
+                       user_name_len--;
+               } else {
+                       if (user_name_len + 2 > sizeof(user_name)) {
+                               fprintf(stderr, "machine name too long\n");
+                               exit(1);
+                       }
+                       user_name[user_name_len] = '$';
+                       user_name[user_name_len + 1] = '\0';
                }
 
                if (local_flags & LOCAL_ADD_USER) {
                        SAFE_FREE(new_passwd);
-                       new_passwd = smb_xstrdup(user_name);
+
+                       /*
+                        * Remove any trailing '$' before we
+                        * generate the initial machine password.
+                        */
+                       new_passwd = smb_xstrndup(user_name, user_name_len);
                        if (!strlower_m(new_passwd)) {
                                fprintf(stderr, "strlower_m %s failed\n",
                                        new_passwd);
                                exit(1);
                        }
                }
-
-               /*
-                * Now ensure the username ends in '$' for
-                * the machine add.
-                */
-
-               slprintf(buf, sizeof(buf)-1, "%s$", user_name);
-               strlcpy(user_name, buf, sizeof(user_name));
        } else if (local_flags & LOCAL_INTERDOM_ACCOUNT) {
-               static fstring buf;
+               size_t user_name_len = strlen(user_name);
+
+               if (user_name[user_name_len - 1] != '$') {
+                       if (user_name_len + 2 > sizeof(user_name)) {
+                               fprintf(stderr, "machine name too long\n");
+                               exit(1);
+                       }
+                       user_name[user_name_len] = '$';
+                       user_name[user_name_len + 1] = '\0';
+               }
 
                if ((local_flags & LOCAL_ADD_USER) && (new_passwd == NULL)) {
                        /*
@@ -409,11 +417,6 @@ static int process_root(int local_flags)
                                exit(1);
                        }
                }
-
-               /* prepare uppercased and '$' terminated username */
-               slprintf(buf, sizeof(buf) - 1, "%s$", user_name);
-               strlcpy(user_name, buf, sizeof(user_name));
-
        } else {
 
                if (remote_machine != NULL) {
diff --git a/source3/winbindd/wb_getpwsid.c b/source3/winbindd/wb_getpwsid.c
index 0e58355..0595034 100644
--- a/source3/winbindd/wb_getpwsid.c
+++ b/source3/winbindd/wb_getpwsid.c
@@ -63,7 +63,8 @@ static void wb_getpwsid_queryuser_done(struct tevent_req 
*subreq)
                req, struct wb_getpwsid_state);
        struct winbindd_pw *pw = state->pw;
        struct wbint_userinfo *info;
-       fstring acct_name, output_username;
+       fstring acct_name;
+       const char *output_username = NULL;
        char *mapped_name = NULL;
        char *tmp;
        NTSTATUS status;
@@ -95,16 +96,24 @@ static void wb_getpwsid_queryuser_done(struct tevent_req 
*subreq)
                                    acct_name,
                                    &mapped_name);
        if (NT_STATUS_IS_OK(status)) {
-               fill_domain_username(output_username,
+               output_username = fill_domain_username_talloc(state,
                                     info->domain_name,
                                     mapped_name, true);
+               if (output_username == NULL) {
+                       tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
+                       return;
+               }
                fstrcpy(acct_name, mapped_name);
        } else if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) {
                fstrcpy(acct_name, mapped_name);
        } else {
-               fill_domain_username(output_username,
+               output_username = fill_domain_username_talloc(state,
                                     info->domain_name,
                                     acct_name, true);
+               if (output_username == NULL) {
+                       tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
+                       return;
+               }
        }
 
        strlcpy(pw->pw_name, output_username, sizeof(pw->pw_name));
diff --git a/source3/winbindd/wb_query_user_list.c 
b/source3/winbindd/wb_query_user_list.c
index 3c18080..6d69987 100644
--- a/source3/winbindd/wb_query_user_list.c
+++ b/source3/winbindd/wb_query_user_list.c
@@ -104,11 +104,14 @@ static void wb_query_user_list_done(struct tevent_req 
*subreq)
 
        for (i=0; i<state->names.num_principals; i++) {
                struct wbint_Principal *p = &state->names.principals[i];
-               fstring name;
+               const char *name;
                int ret;
 
-               fill_domain_username(name, state->domain_name, p->name, true);
-
+               name = fill_domain_username_talloc(state, state->domain_name, 
p->name, true);
+               if (name == NULL) {
+                       tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
+                       return;
+               }
                ret = strv_add(state, &state->users, name);
                if (ret != 0) {
                        tevent_req_nterror(req, map_nt_error_from_unix(ret));
diff --git a/source3/winbindd/winbindd_group.c 
b/source3/winbindd/winbindd_group.c
index ec95bf4..098d2f6 100644
--- a/source3/winbindd/winbindd_group.c
+++ b/source3/winbindd/winbindd_group.c
@@ -33,7 +33,7 @@
 bool fill_grent(TALLOC_CTX *mem_ctx, struct winbindd_gr *gr,
                const char *dom_name, const char *gr_name, gid_t unix_gid)
 {
-       fstring full_group_name;
+       const char *full_group_name;
        char *mapped_name = NULL;
        NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
 
@@ -42,19 +42,23 @@ bool fill_grent(TALLOC_CTX *mem_ctx, struct winbindd_gr *gr,
 
        /* Basic whitespace replacement */
        if (NT_STATUS_IS_OK(nt_status)) {
-               fill_domain_username(full_group_name, dom_name,
+               full_group_name = fill_domain_username_talloc(mem_ctx, dom_name,
                                     mapped_name, true);
        }
        /* Mapped to an aliase */
        else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_FILE_RENAMED)) {
-               fstrcpy(full_group_name, mapped_name);
+               full_group_name = mapped_name;
        }
        /* no change */
        else {
-               fill_domain_username( full_group_name, dom_name,
+               full_group_name = fill_domain_username_talloc(mem_ctx, dom_name,
                                      gr_name, True );
        }
 
+       if (full_group_name == NULL) {
+               return false;
+       }
+
        gr->gr_gid = unix_gid;
 
        /* Group name and password */
diff --git a/source3/winbindd/winbindd_list_groups.c 
b/source3/winbindd/winbindd_list_groups.c
index 3b5c9dd..03caef3 100644
--- a/source3/winbindd/winbindd_list_groups.c
+++ b/source3/winbindd/winbindd_list_groups.c
@@ -166,10 +166,13 @@ NTSTATUS winbindd_list_groups_recv(struct tevent_req *req,
                struct winbindd_list_groups_domstate *d = &state->domains[i];
 
                for (j=0; j<d->groups.num_principals; j++) {
-                       fstring name;
-                       fill_domain_username(name, d->domain->name,
+                       const char *name;
+                       name = fill_domain_username_talloc(response, 
d->domain->name,
                                             d->groups.principals[j].name,
                                             True);
+                       if (name == NULL) {
+                               return NT_STATUS_NO_MEMORY;
+                       }
                        len += strlen(name)+1;
                }
                response->data.num_entries += d->groups.num_principals;
@@ -185,11 +188,14 @@ NTSTATUS winbindd_list_groups_recv(struct tevent_req *req,
                struct winbindd_list_groups_domstate *d = &state->domains[i];
 
                for (j=0; j<d->groups.num_principals; j++) {
-                       fstring name;
+                       const char *name;
                        size_t this_len;
-                       fill_domain_username(name, d->domain->name,
+                       name = fill_domain_username_talloc(response, 
d->domain->name,
                                             d->groups.principals[j].name,
                                             True);
+                       if (name == NULL) {
+                               return NT_STATUS_NO_MEMORY;
+                       }
                        this_len = strlen(name);
                        memcpy(result+len, name, this_len);
                        len += this_len;
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 8abd8f0..7660793 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -159,7 +159,7 @@ static NTSTATUS append_unix_username(TALLOC_CTX *mem_ctx,
        /* We've been asked to return the unix username, per
           'winbind use default domain' settings and the like */
 
-       const char *nt_username, *nt_domain;
+       const char *nt_username, *nt_domain, *unix_username;
 
        nt_domain = talloc_strdup(mem_ctx, info3->base.logon_domain.string);
        if (!nt_domain) {
@@ -175,8 +175,15 @@ static NTSTATUS append_unix_username(TALLOC_CTX *mem_ctx,
                nt_username = name_user;
        }
 
-       fill_domain_username(resp->data.auth.unix_username,
-                            nt_domain, nt_username, true);
+       unix_username = fill_domain_username_talloc(mem_ctx,
+                                                   nt_domain,
+                                                   nt_username,
+                                                   true);
+       if (unix_username == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       fstrcpy(resp->data.auth.unix_username, unix_username);
 
        DEBUG(5, ("Setting unix username to [%s]\n",
                  resp->data.auth.unix_username));
diff --git a/source3/winbindd/winbindd_proto.h 
b/source3/winbindd/winbindd_proto.h
index 25fae5f..3ff9121 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -488,7 +488,6 @@ bool parse_domain_user(const char *domuser, fstring domain, 
fstring user);
 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
                              char **domain, char **user);
 bool canonicalize_username(fstring username_inout, fstring domain, fstring 
user);
-void fill_domain_username(fstring name, const char *domain, const char *user, 
bool can_assume);
 char *fill_domain_username_talloc(TALLOC_CTX *ctx,
                                  const char *domain,
                                  const char *user,
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 2db8eaa..fbacf3e 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1190,26 +1190,6 @@ bool canonicalize_username(fstring username_inout, 
fstring domain, fstring user)
 
     We always canonicalize as UPPERCASE DOMAIN, lowercase username.
 */
-void fill_domain_username(fstring name, const char *domain, const char *user, 
bool can_assume)
-{
-       fstring tmp_user;
-
-       if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
-               can_assume = false;
-       }
-
-       fstrcpy(tmp_user, user);
-       (void)strlower_m(tmp_user);
-
-       if (can_assume && assume_domain(domain)) {
-               strlcpy(name, tmp_user, sizeof(fstring));
-       } else {
-               slprintf(name, sizeof(fstring) - 1, "%s%c%s",
-                        domain, *lp_winbind_separator(),
-                        tmp_user);
-       }
-}
-
 /**
  * talloc version of fill_domain_username()
  * return NULL on talloc failure.
diff --git a/source4/dsdb/kcc/kcc_topology.c b/source4/dsdb/kcc/kcc_topology.c
index 0e136ed..de69f0a 100644
--- a/source4/dsdb/kcc/kcc_topology.c
+++ b/source4/dsdb/kcc/kcc_topology.c
@@ -1327,6 +1327,11 @@ static NTSTATUS kcctpl_get_all_bridgehead_dcs(struct 
kccsrv_service *service,
        }
 
        if (site_opts & NTDSSETTINGS_OPT_IS_RAND_BH_SELECTION_DISABLED) {
+               if (bridgeheads.data == NULL || bridgeheads.count == 0) {
+                       talloc_free(tmp_ctx);
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
+
                qsort(bridgeheads.data, bridgeheads.count,
                      sizeof(struct ldb_message), kcctpl_sort_bridgeheads);
        } else {
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c 
b/source4/dsdb/samdb/ldb_modules/samldb.c
index 11da629..734d0be 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -345,7 +345,7 @@ static int samldb_generate_next_linkid(struct samldb_ctx 
*ac,
 static int samldb_schema_add_handle_linkid(struct samldb_ctx *ac)
 {
        int ret;
-       bool ok, found;
+       bool ok, found = false;
        struct ldb_message_element *el;
        const char *enc_str;
        const struct dsdb_attribute *attr;
diff --git a/source4/ntvfs/ipc/rap_server.c b/source4/ntvfs/ipc/rap_server.c
index 3a133f5..fc2d3aa 100644
--- a/source4/ntvfs/ipc/rap_server.c
+++ b/source4/ntvfs/ipc/rap_server.c
@@ -63,13 +63,18 @@ NTSTATUS rap_netshareenum(TALLOC_CTX *mem_ctx,
                                   union rap_share_info, r->out.available);
 
        for (i = 0, j = 0; i < r->out.available; i++) {
+               size_t sname_len;
+
                if (!NT_STATUS_IS_OK(share_get_config(mem_ctx, sctx, snames[i], 
&scfg))) {
                        DEBUG(3, ("WARNING: Service [%s] disappeared after 
enumeration!\n", snames[i]));
                        continue;
                }
-               strncpy((char *)r->out.info[j].info1.share_name,
+               /* Make sure we have NUL-termination */
+               sname_len = MIN(strlen(snames[i]),
+                               sizeof(r->out.info[j].info1.share_name));
+               strlcpy((char *)r->out.info[j].info1.share_name,
                        snames[i],
-                       sizeof(r->out.info[0].info1.share_name));


-- 
Samba Shared Repository

Reply via email to