Fix ubsan null pointer passed as argument 2

Fix ubsan warning null pointer passed as argument 2 when the source
pointer is NULL.  The calls to memcpy are now guarded by an
if (len > 0)

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Mon May 27 01:29:48 UTC 2019 on sn-devel-184

lib/crypto/aes_cmac_128.c

@@ -69,10 +69,12 @@ void aes_cmac_128_update(struct aes_cmac_128_context *ctx,
 	if (ctx->last_len < AES_BLOCK_SIZE) {
 		size_t len = MIN(AES_BLOCK_SIZE - ctx->last_len, msg_len);
 
-		memcpy(&ctx->last[ctx->last_len], msg, len);
-		msg += len;
-		msg_len -= len;
-		ctx->last_len += len;
+		if (len > 0) {
+			memcpy(&ctx->last[ctx->last_len], msg, len);
+			msg += len;
+			msg_len -= len;
+			ctx->last_len += len;
+		}
 	}
 
 	if (msg_len == 0) {

lib/dbwrap/dbwrap_rbt.c

@@ -213,7 +213,9 @@ static NTSTATUS db_rbt_storev(struct db_record *rec,
 	TALLOC_FREE(rec_priv->node);
 	rec_priv->node = node;
 
-	memcpy(this_val.dptr, data.dptr, node->valuesize);
+	if (node->valuesize > 0) {
+		memcpy(this_val.dptr, data.dptr, node->valuesize);
+	}
 
 	parent = NULL;
 	p = &db_ctx->tree.rb_node;

lib/util/asn1.c

@@ -94,8 +94,10 @@ bool asn1_write(struct asn1_data *data, const void *p, int len)
 		data->data = newp;
 		data->length = data->ofs+len;
 	}
-	memcpy(data->data + data->ofs, p, len);
-	data->ofs += len;
+	if (len > 0) {
+		memcpy(data->data + data->ofs, p, len);
+		data->ofs += len;
+	}
 	return true;
 }
 

lib/util/iov_buf.c

@@ -46,7 +46,7 @@ ssize_t iov_buf(const struct iovec *iov, int iovcnt,
 		}
 		needed = tmp;
 
-		if (needed <= buflen) {
+		if (needed <= buflen && thislen > 0) {
 			memcpy(p, iov[i].iov_base, thislen);
 			p += thislen;
 		}

source3/locking/brlock.c

@@ -1911,7 +1911,9 @@ static void byte_range_lock_flush(struct byte_range_lock *br_lck)
 		data.dptr = talloc_array(talloc_tos(), uint8_t, data_len);
 		SMB_ASSERT(data.dptr != NULL);
 
-		memcpy(data.dptr, br_lck->lock_data, lock_len);
+		if (lock_len > 0) {
+			memcpy(data.dptr, br_lck->lock_data, lock_len);
+		}
 		memcpy(data.dptr + lock_len, &br_lck->num_read_oplocks,
 		       sizeof(br_lck->num_read_oplocks));
 

source3/smbd/trans2.c

@@ -565,7 +565,11 @@ static unsigned int fill_ea_buffer(TALLOC_CTX *mem_ctx, char *pdata, unsigned in
 		SCVAL(p,1,dos_namelen);
 		SSVAL(p,2,ea_list->ea.value.length);
 		strlcpy(p+4, dos_ea_name, dos_namelen+1);
-		memcpy( p + 4 + dos_namelen + 1, ea_list->ea.value.data, ea_list->ea.value.length);
+		if (ea_list->ea.value.length > 0) {
+			memcpy(p + 4 + dos_namelen + 1,
+			       ea_list->ea.value.data,
+			       ea_list->ea.value.length);
+		}
 
 		total_data_size -= 4 + dos_namelen + 1 + ea_list->ea.value.length;
 		p += 4 + dos_namelen + 1 + ea_list->ea.value.length;

source4/libcli/raw/raweas.c

@@ -86,7 +86,11 @@ void ea_put_list(uint8_t *data, unsigned int num_eas, struct ea_struct *eas)
 		SCVAL(data, 1, nlen);
 		SSVAL(data, 2, eas[i].value.length);
 		memcpy(data+4, eas[i].name.s, nlen+1);
-		memcpy(data+4+nlen+1, eas[i].value.data, eas[i].value.length);
+		if (eas[i].value.length > 0) {
+			memcpy(data + 4 + nlen + 1,
+			       eas[i].value.data,
+			       eas[i].value.length);
+		}
 		data += 4+nlen+1+eas[i].value.length;
 	}
 }

source4/libcli/raw/rawfile.c

@@ -354,8 +354,14 @@ static struct smbcli_request *smb_raw_nttrans_create_send(struct smbcli_tree *tr
 
 	/* build the data section */
 	nt.in.data = data_blob_talloc(mem_ctx, NULL, sd_blob.length + ea_blob.length);
-	memcpy(nt.in.data.data, sd_blob.data, sd_blob.length);
-	memcpy(nt.in.data.data+sd_blob.length, ea_blob.data, ea_blob.length);
+	if (sd_blob.length > 0) {
+		memcpy(nt.in.data.data, sd_blob.data, sd_blob.length);
+	}
+	if (ea_blob.length > 0) {
+		memcpy(nt.in.data.data + sd_blob.length,
+		       ea_blob.data,
+		       ea_blob.length);
+	}
 
 	/* send the request on its way */
 	req = smb_raw_nttrans_send(tree, &nt);

source4/libcli/raw/rawrequest.c

@@ -533,9 +533,14 @@ size_t smbcli_req_append_ascii4(struct smbcli_request *req, const char *str, uns
 */
 size_t smbcli_req_append_blob(struct smbcli_request *req, const DATA_BLOB *blob)
 {
-	smbcli_req_grow_allocation(req, req->out.data_size + blob->length);
-	memcpy(req->out.data + req->out.data_size, blob->data, blob->length);
-	smbcli_req_grow_data(req, req->out.data_size + blob->length);
+	if (blob->length > 0) {
+		smbcli_req_grow_allocation(req,
+					   req->out.data_size + blob->length);
+		memcpy(req->out.data + req->out.data_size,
+		       blob->data,
+		       blob->length);
+		smbcli_req_grow_data(req, req->out.data_size + blob->length);
+	}
 	return blob->length;
 }
 
@@ -545,9 +550,11 @@ size_t smbcli_req_append_blob(struct smbcli_request *req, const DATA_BLOB *blob)
 */
 size_t smbcli_req_append_bytes(struct smbcli_request *req, const uint8_t *bytes, size_t byte_len)
 {
-	smbcli_req_grow_allocation(req, byte_len + req->out.data_size);
-	memcpy(req->out.data + req->out.data_size, bytes, byte_len);
-	smbcli_req_grow_data(req, byte_len + req->out.data_size);
+	if (byte_len > 0) {
+		smbcli_req_grow_allocation(req, byte_len + req->out.data_size);
+		memcpy(req->out.data + req->out.data_size, bytes, byte_len);
+		smbcli_req_grow_data(req, byte_len + req->out.data_size);
+	}
 	return byte_len;
 }
 

source4/libcli/raw/rawtrans.c

@@ -72,12 +72,16 @@ static struct smbcli_request *smb_raw_trans_backend_send(struct smbcli_tree *tre
 		SSVAL(req->out.vwv, VWV(s), parms->in.setup[s]);
 	}
 
-	memcpy(req->out.data,
-	       parms->in.params.data,
-	       parms->in.params.length);
-	memcpy(req->out.data + parms->in.params.length,
-	       parms->in.data.data,
-	       parms->in.data.length);
+	if (parms->in.params.length > 0) {
+		memcpy(req->out.data,
+		       parms->in.params.data,
+		       parms->in.params.length);
+	}
+	if (parms->in.data.length > 0) {
+		memcpy(req->out.data + parms->in.params.length,
+		       parms->in.data.data,
+		       parms->in.data.length);
+	}
 
 	if (command == SMBtrans && parms->in.trans_name) {
 		pipe_name = parms->in.trans_name;
@@ -296,16 +300,21 @@ struct smbcli_request *smb_raw_nttrans_send(struct smbcli_tree *tree,
 
 	timeout_msec = req->transport->options.request_timeout * 1000;
 
-	memcpy(req->out.vwv,
-	       parms->in.setup,
-	       parms->in.setup_count * 2);
+	if (parms->in.setup_count > 0) {
+		memcpy(
+		    req->out.vwv, parms->in.setup, parms->in.setup_count * 2);
+	}
 
-	memcpy(req->out.data,
-	       parms->in.params.data,
-	       parms->in.params.length);
-	memcpy(req->out.data + parms->in.params.length,
-	       parms->in.data.data,
-	       parms->in.data.length);
+	if (parms->in.params.length > 0) {
+		memcpy(req->out.data,
+		       parms->in.params.data,
+		       parms->in.params.length);
+	}
+	if (parms->in.data.length > 0) {
+		memcpy(req->out.data + parms->in.params.length,
+		       parms->in.data.data,
+		       parms->in.data.length);
+	}
 
 	req->subreqs[0] = smb1cli_trans_send(req,
 					     req->transport->ev,

source4/ntvfs/common/brlock_tdb.c

@@ -365,7 +365,9 @@ static NTSTATUS brl_tdb_lock(struct brl_context *brl,
 		status = NT_STATUS_NO_MEMORY;
 		goto fail;
 	}
-	memcpy(locks, dbuf.dptr, dbuf.dsize);
+	if (dbuf.dsize > 0) {
+		memcpy(locks, dbuf.dptr, dbuf.dsize);
+	}
 	locks[count] = lock;
 
 	dbuf.dptr = (unsigned char *)locks;

source4/smb_server/smb/nttrans.c

@@ -570,8 +570,11 @@ static void reply_nttrans_send(struct ntvfs_request *ntvfs)
 		SIVAL(this_req->out.vwv, 31, PTR_DIFF(data, trans->out.data.data));
 
 		SCVAL(this_req->out.vwv, 35, trans->out.setup_count);
-		memcpy((char *)(this_req->out.vwv) + VWV(18), trans->out.setup,
-		       sizeof(uint16_t) * trans->out.setup_count);
+		if (trans->out.setup_count > 0) {
+			memcpy((char *)(this_req->out.vwv) + VWV(18),
+			       trans->out.setup,
+			       sizeof(uint16_t) * trans->out.setup_count);
+		}
 		memset(this_req->out.data, 0, align1);
 		if (this_param != 0) {
 			memcpy(this_req->out.data + align1, params, this_param);