1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00

Fixes to check for wraps which could cause coredumps.

Jeremy.
This commit is contained in:
Jeremy Allison 0001-01-01 00:00:00 +00:00
parent a38ab77b70
commit ad06edd1bb
6 changed files with 28 additions and 14 deletions

View File

@ -258,6 +258,7 @@ BOOL fetch_ldap_pw(char **dn, char** pw)
return False;
}
size = MIN(size, sizeof(fstring)-1);
strncpy(old_style_pw, data, size);
old_style_pw[size] = 0;

View File

@ -82,7 +82,7 @@ static int interpret_long_filename(struct cli_state *cli,
case 260: /* NT uses this, but also accepts 2 */
{
int namelen, slen;
size_t namelen, slen;
p += 4; /* next entry offset */
p += 4; /* fileindex */

View File

@ -226,7 +226,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
*ps = smb_xstrdup("");
} else {
/* make sure its in the right format - be strict */
if (len1 != len2 || ptr + len1 > blob->length) {
if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
return False;
}
if (len1 & 1) {
@ -255,7 +255,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
if (len1 == 0 && len2 == 0) {
*ps = smb_xstrdup("");
} else {
if (len1 != len2 || ptr + len1 > blob->length) {
if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
return False;
}
@ -280,7 +280,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
*b = data_blob(NULL, 0);
} else {
/* make sure its in the right format - be strict */
if (len1 != len2 || ptr + len1 > blob->length) {
if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
return False;
}
*b = data_blob(blob->data + ptr, len1);
@ -314,4 +314,3 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
return True;
}

View File

@ -491,6 +491,8 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
/* Domain SID */
#if 0
/* We must range check this. */
q += IVAL(q, 0) + 4; /* 4 byte length plus data */
q += 2; /* Alignment? */
@ -500,6 +502,7 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
q += 4; /* NT version (0x1) */
q += 2; /* LMNT token (0xff) */
q += 2; /* LM20 token (0xff) */
#endif
SAFE_FREE(db_info); /* Not sure whether we need to do anything useful with these */

View File

@ -728,7 +728,7 @@ const char *get_short_archi(const char *long_archi)
static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32 *minor)
{
int i;
char *buf;
char *buf = NULL;
ssize_t byte_count;
if ((buf=malloc(PE_HEADER_SIZE)) == NULL) {
@ -768,8 +768,8 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
/* The header may be a PE (Portable Executable) or an NE (New Executable) */
if (IVAL(buf,PE_HEADER_SIGNATURE_OFFSET) == PE_HEADER_SIGNATURE) {
int num_sections;
int section_table_bytes;
unsigned int num_sections;
unsigned int section_table_bytes;
if (SVAL(buf,PE_HEADER_MACHINE_OFFSET) != PE_HEADER_MACHINE_I386) {
DEBUG(3,("get_file_version: PE file [%s] wrong machine = 0x%x\n",
@ -783,6 +783,9 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
/* get the section table */
num_sections = SVAL(buf,PE_HEADER_NUMBER_OF_SECTIONS);
section_table_bytes = num_sections * PE_HEADER_SECT_HEADER_SIZE;
if (section_table_bytes == 0)
goto error_exit;
SAFE_FREE(buf);
if ((buf=malloc(section_table_bytes)) == NULL) {
DEBUG(0,("get_file_version: PE file [%s] section table malloc failed bytes = %d\n",
@ -801,8 +804,11 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
int sec_offset = i * PE_HEADER_SECT_HEADER_SIZE;
if (strcmp(".rsrc", &buf[sec_offset+PE_HEADER_SECT_NAME_OFFSET]) == 0) {
int section_pos = IVAL(buf,sec_offset+PE_HEADER_SECT_PTR_DATA_OFFSET);
int section_bytes = IVAL(buf,sec_offset+PE_HEADER_SECT_SIZE_DATA_OFFSET);
unsigned int section_pos = IVAL(buf,sec_offset+PE_HEADER_SECT_PTR_DATA_OFFSET);
unsigned int section_bytes = IVAL(buf,sec_offset+PE_HEADER_SECT_SIZE_DATA_OFFSET);
if (section_bytes == 0)
goto error_exit;
SAFE_FREE(buf);
if ((buf=malloc(section_bytes)) == NULL) {
@ -824,6 +830,9 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
goto error_exit;
}
if (section_bytes < VS_VERSION_INFO_UNICODE_SIZE)
goto error_exit;
for (i=0; i<section_bytes-VS_VERSION_INFO_UNICODE_SIZE; i++) {
/* Scan for 1st 3 unicoded bytes followed by word aligned magic value */
if (buf[i] == 'V' && buf[i+1] == '\0' && buf[i+2] == 'S') {

View File

@ -669,10 +669,9 @@ int reply_search(connection_struct *conn, char *inbuf,char *outbuf, int dum_size
time_t date;
int dirtype;
int outsize = 0;
int numentries = 0;
unsigned int numentries = 0;
unsigned int maxentries = 0;
BOOL finished = False;
int maxentries;
int i;
char *p;
BOOL ok = False;
int status_len;
@ -786,6 +785,9 @@ int reply_search(connection_struct *conn, char *inbuf,char *outbuf, int dum_size
numentries = 0;
p += DIR_STRUCT_SIZE;
} else {
unsigned int i;
maxentries = MIN(maxentries, ((BUFFER_SIZE - (p - outbuf))/DIR_STRUCT_SIZE));
DEBUG(8,("dirpath=<%s> dontdescend=<%s>\n",
conn->dirpath,lp_dontdescend(SNUM(conn))));
if (in_list(conn->dirpath, lp_dontdescend(SNUM(conn)),True))
@ -845,7 +847,7 @@ int reply_search(connection_struct *conn, char *inbuf,char *outbuf, int dum_size
if ((! *directory) && dptr_path(dptr_num))
slprintf(directory, sizeof(directory)-1, "(%s)",dptr_path(dptr_num));
DEBUG( 4, ( "%s mask=%s path=%s dtype=%d nument=%d of %d\n",
DEBUG( 4, ( "%s mask=%s path=%s dtype=%d nument=%u of %u\n",
smb_fn_name(CVAL(inbuf,smb_com)),
mask, directory, dirtype, numentries, maxentries ) );