The branch, master has been updated
via 0db0aff37cf s3:shadow_copy: CID 1449539 talloc_realloc and error
handling
from 5d1d3a8b568 s3:net: Pass down the server from cmdline to
sync_pw2keytabs()
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 0db0aff37cfe6c9aada202f58ce7cd8341b97479
Author: Shwetha K Acharya <[email protected]>
Date: Mon Sep 1 14:20:39 2025 +0530
s3:shadow_copy: CID 1449539 talloc_realloc and error handling
- Replace TALLOC_REALLOC with talloc_realloc inorder to handle
the integer overflow better.
- Rename tlabels as tmp_labels for clarity.
- Use shadow_copy_data->labels directly after successful
reallocation instead of relying on a temporary variable.
- Ensure that shadow_copy_data->num_volumes is set to 0 and
shadow_copy_data->labels is freed on error paths inorder to
address the potential resource leaks.
Fixes: CID_1449539
Signed-off-by: Shwetha K Acharya <[email protected]>
Reviewed-by: Volker Lendecke <[email protected]>
Reviewed-by: Anoop C S <[email protected]>
Autobuild-User(master): Anoop C S <[email protected]>
Autobuild-Date(master): Sat Sep 6 10:34:27 UTC 2025 on atb-devel-224
-----------------------------------------------------------------------
Summary of changes:
source3/modules/vfs_shadow_copy.c | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/modules/vfs_shadow_copy.c
b/source3/modules/vfs_shadow_copy.c
index c99d933a5d3..1796bd1573f 100644
--- a/source3/modules/vfs_shadow_copy.c
+++ b/source3/modules/vfs_shadow_copy.c
@@ -190,7 +190,7 @@ static int
shadow_copy_get_shadow_copy_data(vfs_handle_struct *handle,
shadow_copy_data->labels = NULL;
while (True) {
- SHADOW_COPY_LABEL *tlabels;
+ SHADOW_COPY_LABEL *tmp_labels = NULL;
int ret;
dname = ReadDirName(dir_hnd, &talloced);
@@ -213,27 +213,32 @@ static int
shadow_copy_get_shadow_copy_data(vfs_handle_struct *handle,
continue;
}
- tlabels = (SHADOW_COPY_LABEL *)TALLOC_REALLOC(shadow_copy_data,
-
shadow_copy_data->labels,
-
(shadow_copy_data->num_volumes+1)*sizeof(SHADOW_COPY_LABEL));
- if (tlabels == NULL) {
+ tmp_labels = talloc_realloc(shadow_copy_data,
shadow_copy_data->labels,
+ SHADOW_COPY_LABEL,
shadow_copy_data->num_volumes + 1);
+
+ if (tmp_labels == NULL) {
DEBUG(0,("shadow_copy_get_shadow_copy_data: Out of
memory\n"));
+ shadow_copy_data->num_volumes = 0;
+ TALLOC_FREE(shadow_copy_data->labels);
TALLOC_FREE(talloced);
TALLOC_FREE(dir_hnd);
return -1;
}
- ret = strlcpy(tlabels[shadow_copy_data->num_volumes], dname,
- sizeof(tlabels[shadow_copy_data->num_volumes]));
- if (ret != sizeof(tlabels[shadow_copy_data->num_volumes]) - 1) {
+ shadow_copy_data->labels = tmp_labels;
+
+ ret =
strlcpy(shadow_copy_data->labels[shadow_copy_data->num_volumes], dname,
+
sizeof(shadow_copy_data->labels[shadow_copy_data->num_volumes]));
+ if (ret !=
sizeof(shadow_copy_data->labels[shadow_copy_data->num_volumes]) - 1) {
DBG_ERR("malformed label %s\n", dname);
+ shadow_copy_data->num_volumes = 0;
+ TALLOC_FREE(shadow_copy_data->labels);
TALLOC_FREE(talloced);
TALLOC_FREE(dir_hnd);
return -1;
}
shadow_copy_data->num_volumes++;
- shadow_copy_data->labels = tlabels;
TALLOC_FREE(talloced);
}
--
Samba Shared Repository
