sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-08-05 12:22:11 +03:00
Code Activity

registry: Add error checks to regdb_unpack_values

Browse Source 
This makes "regdb_unpack_values" take a size_t as buflen. The only
caller calls it with TDB_DATA.dsize, which *is* size_t. Convert the
internal "len" variable to the unsigned size_t as well and add overflow
checks. This depends on tdb_unpack to either return -1 or a positive
value less than or equal to the passed-in "size_t" buflen;

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
Volker Lendecke
2018-10-02 13:16:23 +02:00
committed by Jeremy Allison
parent 2a35cbb02f
commit a9ed0e93bb
1 changed files with 28 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
source3/registry/reg_backend_db.c
View File

@ -1833,9 +1833,12 @@ static int regdb_fetch_keys(const char *key, struct regsubkey_ctr *ctr)
Unpack a list of registry values frem the TDB Unpack a list of registry values frem the TDB
***************************************************************************/ ***************************************************************************/
static int regdb_unpack_values(struct regval_ctr *values, uint8_t *buf, int buflen) static int regdb_unpack_values(struct regval_ctr *values,
uint8_t *buf,
size_t buflen)
{ {
int len = 0; int this_len;
size_t len = 0;
uint32_t type; uint32_t type;
fstring valuename; fstring valuename;
uint32_t size; uint32_t size;
@ -1845,7 +1848,13 @@ static int regdb_unpack_values(struct regval_ctr *values, uint8_t *buf, int bufl
/* loop and unpack the rest of the registry values */ /* loop and unpack the rest of the registry values */
len += tdb_unpack(buf+len, buflen-len, "d", &num_values); this_len = tdb_unpack(buf, buflen, "d", &num_values);
if (this_len == -1) {
DBG_WARNING("Invalid registry data, "
"tdb_unpack failed\n");
return -1;
}
len = this_len;
for ( i=0; i<num_values; i++ ) { for ( i=0; i<num_values; i++ ) {
/* unpack the next regval */ /* unpack the next regval */
@ -1854,11 +1863,22 @@ static int regdb_unpack_values(struct regval_ctr *values, uint8_t *buf, int bufl
size = 0; size = 0;
data_p = NULL; data_p = NULL;
valuename[0] = '\0'; valuename[0] = '\0';
len += tdb_unpack(buf+len, buflen-len, "fdB", this_len = tdb_unpack(buf+len, buflen-len, "fdB",
valuename, valuename,
&type, &type,
&size, &size,
&data_p); &data_p);
if (this_len == -1) {
DBG_WARNING("Invalid registry data, "
"tdb_unpack failed\n");
return -1;
}
len += this_len;
if (len < (size_t)this_len) {
DBG_WARNING("Invalid registry data, "
"integer overflow\n");
return -1;
}
regval_ctr_addvalue(values, valuename, type, regval_ctr_addvalue(values, valuename, type,
(uint8_t *)data_p, size); (uint8_t *)data_p, size);