sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-07-30 19:42:05 +03:00
Code Activity

fix the overflow/wrap checks in Samba4 for new gcc optimisation behavior

Browse Source 
The approach I have used is as set out in
https://www.securecoding.cert.org/confluence/display/seccode/ARR38-C.+Do+not+add+or+subtract+an+integer+to+a+pointer+if+the+resulting+value+does+not+refer+to+an+element+within+the+array
(This used to be commit 92d5fb531d)
This commit is contained in:
Andrew Tridgell
2008-04-17 15:20:39 +02:00
parent 107ab090e2
commit 11703b2986
4 changed files with 13 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
source4/libcli/raw/rawrequest.c
View File

@ -700,10 +700,10 @@ DATA_BLOB smbcli_req_pull_blob(struct request_bufinfo *bufinfo, TALLOC_CTX *mem_
static bool smbcli_req_data_oob(struct request_bufinfo *bufinfo, const uint8_t *ptr, uint32_t count)
{
/* be careful with wraparound! */
if (ptr < bufinfo->data ||
ptr >= bufinfo->data + bufinfo->data_size ||
if ((uintptr_t)ptr < (uintptr_t)bufinfo->data ||
(uintptr_t)ptr >= (uintptr_t)bufinfo->data + bufinfo->data_size ||
count > bufinfo->data_size ||
ptr + count > bufinfo->data + bufinfo->data_size) {
(uintptr_t)ptr + count > (uintptr_t)bufinfo->data + bufinfo->data_size) {
return true;
}
return false;

6
source4/libcli/raw/rawtrans.c
View File

@ -40,10 +40,10 @@ static bool raw_trans_oob(struct smbcli_request *req,
ptr = req->in.hdr + offset;
/* be careful with wraparound! */
if (ptr < req->in.data ||
ptr >= req->in.data + req->in.data_size ||
if ((uintptr_t)ptr < (uintptr_t)req->in.data ||
(uintptr_t)ptr >= (uintptr_t)req->in.data + req->in.data_size ||
count > req->in.data_size ||
ptr + count > req->in.data + req->in.data_size) {
(uintptr_t)ptr + count > (uintptr_t)req->in.data + req->in.data_size) {
return true;
}
return false;

8
source4/libcli/smb2/request.c
View File

@ -211,10 +211,10 @@ bool smb2_oob(struct smb2_request_buffer *buf, const uint8_t *ptr, size_t size)
return false;
}
/* be careful with wraparound! */
if (ptr < buf->body ||
ptr >= buf->body + buf->body_size ||
if ((uintptr_t)ptr < (uintptr_t)buf->body ||
(uintptr_t)ptr >= (uintptr_t)buf->body + buf->body_size ||
size > buf->body_size ||
ptr + size > buf->body + buf->body_size) {
(uintptr_t)ptr + size > (uintptr_t)buf->body + buf->body_size) {
return true;
}
return false;
@ -669,7 +669,7 @@ NTSTATUS smb2_push_o16s16_string(struct smb2_request_buffer *buf,
}
if (*str == 0) {
blob.data = str;
blob.data = discard_const(str);
blob.length = 0;
return smb2_push_o16s16_blob(buf, ofs, blob);
}

6
source4/smb_server/smb/request.c
View File

@ -651,10 +651,10 @@ bool req_data_oob(struct request_bufinfo *bufinfo, const uint8_t *ptr, uint32_t
}
/* be careful with wraparound! */
if (ptr < bufinfo->data ||
ptr >= bufinfo->data + bufinfo->data_size ||
if ((uintptr_t)ptr < (uintptr_t)bufinfo->data ||
(uintptr_t)ptr >= (uintptr_t)bufinfo->data + bufinfo->data_size ||
count > bufinfo->data_size ||
ptr + count > bufinfo->data + bufinfo->data_size) {
(uintptr_t)ptr + count > (uintptr_t)bufinfo->data + bufinfo->data_size) {
return true;
}
return false;