1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-25 06:04:04 +03:00

s4:ntvfs:posix: avoid parsing empty blob in posix_eadb_add_list()

Strictly speaking, this is not a bug because parsing loop will just skip
an empty ({NULL}, 0) blob. But it's better to avoid this case because
UBSan (as of clang-17 at least) may complain on such a parsing attempt:

source4/ntvfs/posix/posix_eadb.c:56:62: runtime error: applying zero offset to null pointer
    #0 0x7f9d71ce7b2a in posix_eadb_add_list source4/ntvfs/posix/posix_eadb.c:56
    #1 0x7f9d71ce7b2a in push_xattr_blob_tdb_raw source4/ntvfs/posix/posix_eadb.c:178
    #2 0x7f9d71cec1f5 in py_wrap_setxattr source4/ntvfs/posix/python/pyposix_eadb.c:64
    #3 0x7f9d88bd4507 in cfunction_call (/lib64/libpython3.11.so.1.0+0x1d4507)
    [... a lot of Python calls skipped...]

Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Dmitry Antipov 2023-05-02 13:45:01 +03:00 committed by Andrew Bartlett
parent 46ae5568fa
commit 9755206f6d

View File

@ -37,7 +37,6 @@ static NTSTATUS posix_eadb_add_list(struct tdb_wrap *ea_tdb, TALLOC_CTX *ctx, co
{ {
DATA_BLOB blob; DATA_BLOB blob;
TALLOC_CTX *mem_ctx; TALLOC_CTX *mem_ctx;
const char *s;
NTSTATUS status; NTSTATUS status;
size_t len; size_t len;
@ -49,15 +48,20 @@ static NTSTATUS posix_eadb_add_list(struct tdb_wrap *ea_tdb, TALLOC_CTX *ctx, co
status = pull_xattr_blob_tdb_raw(ea_tdb, mem_ctx, XATTR_LIST_ATTR, status = pull_xattr_blob_tdb_raw(ea_tdb, mem_ctx, XATTR_LIST_ATTR,
fname, fd, 100, &blob); fname, fd, 100, &blob);
if (!NT_STATUS_IS_OK(status)) { if (NT_STATUS_IS_OK(status)) {
blob = data_blob(NULL, 0); const char *s;
}
for (s=(const char *)blob.data; s < (const char *)(blob.data+blob.length); s += strlen(s) + 1) { for (s = (const char *)blob.data;
if (strcmp(attr_name, s) == 0) { s < (const char *)(blob.data + blob.length);
talloc_free(mem_ctx); s += strlen(s) + 1) {
return NT_STATUS_OK; if (strcmp(attr_name, s) == 0) {
talloc_free(mem_ctx);
return NT_STATUS_OK;
}
} }
} else {
blob = data_blob(NULL, 0);
/* No need to parse an empty blob */
} }
len = strlen(attr_name) + 1; len = strlen(attr_name) + 1;