s3:modules: Make nread a size_t and check for possible overflow

Error: INTEGER_OVERFLOW (CWE-190):
samba-4.20.0rc2/source3/modules/vfs_preopen.c:215: tainted_data_return: Called function "read(sock_fd, namebuf + nread, talloc_get_size(namebuf) - nread)", and a possible return value may be less than zero.
samba-4.20.0rc2/source3/modules/vfs_preopen.c:215: assign: Assigning: "thistime" = "read(sock_fd, namebuf + nread, talloc_get_size(namebuf) - nread)".
samba-4.20.0rc2/source3/modules/vfs_preopen.c:221: overflow: The expression "nread" is considered to have possibly overflowed.
samba-4.20.0rc2/source3/modules/vfs_preopen.c:215: overflow: The expression "talloc_get_size(namebuf) - nread" is deemed overflowed because at least one of its arguments has overflowed.
samba-4.20.0rc2/source3/modules/vfs_preopen.c:215: overflow_sink: "talloc_get_size(namebuf) - nread", which might have underflowed, is passed to "read(sock_fd, namebuf + nread, talloc_get_size(namebuf) - nread)". [Note: The source code implementation of the function has been overridden by a builtin model.]
  213| ssize_t thistime;
  214|
  215|-> thistime = read(sock_fd, namebuf + nread,
  216| talloc_get_size(namebuf) - nread);
  217| if (thistime <= 0) {

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
parent
a541a7d716
commit
f3da16937a
@ -203,13 +203,11 @@ static bool preopen_helper_open_one(int sock_fd, char **pnamebuf,
|
||||
size_t to_read, void *filebuf)
|
||||
{
|
||||
char *namebuf = *pnamebuf;
|
||||
ssize_t nread;
|
||||
size_t nread = 0;
|
||||
ssize_t chunk;
|
||||
char c = 0;
|
||||
int fd;
|
||||
|
||||
nread = 0;
|
||||
|
||||
do {
|
||||
chunk = read(sock_fd, namebuf + nread,
|
||||
talloc_get_size(namebuf) - nread);
|
||||
@ -217,6 +215,9 @@ static bool preopen_helper_open_one(int sock_fd, char **pnamebuf,
|
||||
return false;
|
||||
}
|
||||
|
||||
if (nread + chunk < nread) {
|
||||
return false;
|
||||
}
|
||||
nread += chunk;
|
||||
|
||||
if (nread == talloc_get_size(namebuf)) {
|
||||
|
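Review bot: The wraparound guard `if (nread + chunk < nread)` in the second hunk adds an `ssize_t` to a `size_t` and is only meaningful because `chunk` is already known to be positive, presumably from the `<= 0` test whose `return false;` shows as context just above it; nothing on the line says so. I would make the conversion explicit and document the precondition: `/* chunk > 0 here; reject size_t wraparound before advancing */` followed by `if (nread + (size_t)chunk < nread) {`. Because read() was given `talloc_get_size(namebuf) - nread` as its limit, a check that `chunk` does not exceed that remaining space would state the buffer invariant the loop actually depends on, rather than only the arithmetic one. preopen_helper_open_one starts before the first hunk and continues past the second.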