sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-09 08:58:35 +03:00
Code

NMBD string parinoia and memcpy() parinoia fixes from HEAD.

Browse Source 
Andrew Bartlett
(This used to be commit fb29caddd987f94989f852584b912eeee45b50da)
This commit is contained in:
Andrew Bartlett 2003-03-18 11:56:56 +00:00
parent 972e492bed
commit 50e9b88dff
3 changed files with 15 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
source3/nmbd/nmbd_become_lmb.c
View File

@ -207,7 +207,7 @@ static void release_1d_name( struct subnet_record *subrec, char *workgroup_name,
if((namerec = find_name_on_subnet( subrec, &nmbname, FIND_SELF_NAME))!=NULL)
{
struct userdata_struct *userdata;
int size = sizeof(struct userdata_struct) + sizeof(BOOL);
size_t size = sizeof(struct userdata_struct) + sizeof(BOOL);
if((userdata = (struct userdata_struct *)malloc(size)) == NULL)
{
@ -518,7 +518,7 @@ workgroup %s on subnet %s. Couldn't register name %s.\n",
void become_local_master_browser(struct subnet_record *subrec, struct work_record *work)
{
struct userdata_struct *userdata;
int size = sizeof(struct userdata_struct) + sizeof(fstring) + 1;
size_t size = sizeof(struct userdata_struct) + sizeof(fstring) + 1;
/* Sanity check. */
if (!lp_local_master())
@ -563,7 +563,7 @@ in workgroup %s on subnet %s\n",
userdata->copy_fn = NULL;
userdata->free_fn = NULL;
userdata->userdata_len = strlen(work->work_group)+1;
fstrcpy(userdata->data, work->work_group);
overmalloc_safe_strcpy(userdata->data, work->work_group, size - sizeof(*userdata) - 1);
/* Register the special browser group name. */
register_name(subrec, MSBROWSE, 0x01, samba_nb_type|NB_GROUP,

4
source3/nmbd/nmbd_browsesync.c
View File

@ -288,7 +288,7 @@ static void find_domain_master_name_query_success(struct subnet_record *subrec,
struct work_record *work;
struct nmb_name nmbname;
struct userdata_struct *userdata;
int size = sizeof(struct userdata_struct) + sizeof(fstring)+1;
size_t size = sizeof(struct userdata_struct) + sizeof(fstring)+1;
if( !(work = find_workgroup_on_subnet(subrec, q_name->name)) )
{
@ -333,7 +333,7 @@ static void find_domain_master_name_query_success(struct subnet_record *subrec,
userdata->copy_fn = NULL;
userdata->free_fn = NULL;
userdata->userdata_len = strlen(work->work_group)+1;
fstrcpy(userdata->data, work->work_group);
overmalloc_safe_strcpy(userdata->data, work->work_group, size - sizeof(*userdata) - 1);
node_status( subrec, &nmbname, answer_ip,
domain_master_node_status_success,

15
source3/nmbd/nmbd_packets.c
View File

@ -1929,7 +1929,7 @@ BOOL listen_for_packets(BOOL run_election)
/****************************************************************************
Construct and send a netbios DGRAM.
**************************************************************************/
BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf,int len,
BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf, size_t len,
const char *srcname, int src_type,
const char *dstname, int dest_type,
struct in_addr dest_ip,struct in_addr src_ip,
@ -1979,11 +1979,16 @@ BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf,int len,
SSVAL(ptr,smb_vwv15,1);
SSVAL(ptr,smb_vwv16,2);
p2 = smb_buf(ptr);
pstrcpy(p2,mailslot);
safe_strcpy_base(p2, mailslot, dgram->data, sizeof(dgram->data));
p2 = skip_string(p2,1);
memcpy(p2,buf,len);
p2 += len;
if (((p2+len) > dgram->data+sizeof(dgram->data)) || ((p2+len) < p2)) {
DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n"));
return False;
} else {
memcpy(p2,buf,len);
p2 += len;
}
dgram->datasize = PTR_DIFF(p2,ptr+4); /* +4 for tcp length. */