1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

registry: Add error checks to regdb_unpack_values

This makes "regdb_unpack_values" take a size_t as buflen. The only
caller calls it with TDB_DATA.dsize, which *is* size_t. Convert the
internal "len" variable to the unsigned size_t as well and add overflow
checks. This depends on tdb_unpack to either return -1 or a positive
value less than or equal to the passed-in "size_t" buflen;

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
Volker Lendecke 2018-10-02 13:16:23 +02:00 committed by Jeremy Allison
parent 2a35cbb02f
commit a9ed0e93bb

View File

@ -1833,9 +1833,12 @@ static int regdb_fetch_keys(const char *key, struct regsubkey_ctr *ctr)
Unpack a list of registry values frem the TDB
***************************************************************************/
static int regdb_unpack_values(struct regval_ctr *values, uint8_t *buf, int buflen)
static int regdb_unpack_values(struct regval_ctr *values,
uint8_t *buf,
size_t buflen)
{
int len = 0;
int this_len;
size_t len = 0;
uint32_t type;
fstring valuename;
uint32_t size;
@ -1845,7 +1848,13 @@ static int regdb_unpack_values(struct regval_ctr *values, uint8_t *buf, int bufl
/* loop and unpack the rest of the registry values */
len += tdb_unpack(buf+len, buflen-len, "d", &num_values);
this_len = tdb_unpack(buf, buflen, "d", &num_values);
if (this_len == -1) {
DBG_WARNING("Invalid registry data, "
"tdb_unpack failed\n");
return -1;
}
len = this_len;
for ( i=0; i<num_values; i++ ) {
/* unpack the next regval */
@ -1854,11 +1863,22 @@ static int regdb_unpack_values(struct regval_ctr *values, uint8_t *buf, int bufl
size = 0;
data_p = NULL;
valuename[0] = '\0';
len += tdb_unpack(buf+len, buflen-len, "fdB",
valuename,
&type,
&size,
&data_p);
this_len = tdb_unpack(buf+len, buflen-len, "fdB",
valuename,
&type,
&size,
&data_p);
if (this_len == -1) {
DBG_WARNING("Invalid registry data, "
"tdb_unpack failed\n");
return -1;
}
len += this_len;
if (len < (size_t)this_len) {
DBG_WARNING("Invalid registry data, "
"integer overflow\n");
return -1;
}
regval_ctr_addvalue(values, valuename, type,
(uint8_t *)data_p, size);