mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
samba-mirror/libcli/smb
Stefan Metzmacher 91e12e04fc libcli/smb: make sure we have a body size of 0x31 before dereferencing an ioctl response
Found by valgrind, reported by Noel Power <nopower@suse.com>:

==7913== Invalid read of size 1
==7913==    at 0xC4F23EE: smb2cli_ioctl_done (smb2cli_ioctl.c:245)
==7913==    by 0x747A744: _tevent_req_notify_callback (tevent_req.c:112)
==7913==    by 0x747A817: tevent_req_finish (tevent_req.c:149)
==7913==    by 0x747A93C: tevent_req_trigger (tevent_req.c:206)
==7913==    by 0x7479B2B: tevent_common_loop_immediate (tevent_immediate.c:135)
==7913==    by 0xA9CB4BE: run_events_poll (events.c:192)
==7913==    by 0xA9CBB32: s3_event_loop_once (events.c:303)
==7913==    by 0x7478C72: _tevent_loop_once (tevent.c:533)
==7913==    by 0x747AACD: tevent_req_poll (tevent_req.c:256)
==7913==    by 0x505315D: tevent_req_poll_ntstatus (tevent_ntstatus.c:109)
==7913==    by 0xA7201F2: cli_tree_connect (cliconnect.c:2764)
==7913==    by 0x165FF7: cm_prepare_connection (winbindd_cm.c:1276)
==7913==  Address 0x16ce24ec is 764 bytes inside a block of size 813 alloc'd
==7913==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==7913==    by 0x768A0C1: __talloc_with_prefix (talloc.c:668)
==7913==    by 0x768A27E: _talloc_pool (talloc.c:721)
==7913==    by 0x768A41E: _talloc_pooled_object (talloc.c:790)
==7913==    by 0x747A594: _tevent_req_create (tevent_req.c:66)
==7913==    by 0xCF6E2FA: read_packet_send (async_sock.c:414)
==7913==    by 0xCF6EB54: read_smb_send (read_smb.c:54)
==7913==    by 0xC4DA146: smbXcli_conn_receive_next (smbXcli_base.c:1027)
==7913==    by 0xC4DA02D: smbXcli_req_set_pending (smbXcli_base.c:978)
==7913==    by 0xC4DF776: smb2cli_req_compound_submit (smbXcli_base.c:3166)
==7913==    by 0xC4DFC1D: smb2cli_req_send (smbXcli_base.c:3268)
==7913==    by 0xC4F2210: smb2cli_ioctl_send (smb2cli_ioctl.c:149)
==7913==

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11622

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-12-01 00:38:23 +01:00
read_smb.c libcli/smb: use tevent_req_received(req) in read_smb_recv() 2015-06-12 17:08:18 +02:00
read_smb.h libcli/smb: remove unused includes from read_smb.h 2011-10-25 00:24:07 +02:00
smb1cli_close.c libcli/smb: add smb1cli_close* 2014-01-07 08:37:39 +01:00
smb1cli_create.c libcli/smb: add smb1cli_ntcreatex* 2014-01-07 08:37:39 +01:00
smb1cli_echo.c libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL. 2014-09-23 04:23:05 +02:00
smb1cli_read.c libcli/smb: add smb1cli_readx* 2014-01-07 08:37:39 +01:00
smb1cli_trans.c libsmb: Streamline smb1cli_trans a bit 2015-06-26 19:32:19 +02:00
smb1cli_write.c libcli/smb: add smb1cli_writex* 2014-01-07 08:37:39 +01:00
smb2_constants.h libcli/smb: In CCM and GCM mode we can't reuse nonces 2015-05-29 19:50:25 +02:00
smb2_create_blob.c libcli/smb: fix uninitialized padding in smb2_create_blob_push_one() (bug #9209) 2012-10-27 10:05:22 +02:00
smb2_create_blob.h s3: client - rename 'struct smb2_create_returns' to 'struct smb_create_returns' so we can use this in SMB1 create returns as well. 2014-05-09 23:10:07 +02:00
smb2_create_ctx.h s3:smbd: add SMB2 AAPL create context defines 2014-12-04 22:11:07 +01:00
smb2_lease.c Revert "libcli/smb: mask off SMB2_LEASE_FLAG_PARENT_LEASE_KEY_SET for version 1" 2014-11-27 16:45:05 +01:00
smb2_lease.h libcli/smb: Add smb2_lease_equal() which compares client_guids and keys. 2014-11-07 22:41:47 +01:00
smb2_negotiate_context.c libcli/smb: add smb2_negotiate_context.c 2014-10-07 22:47:04 +02:00
smb2_negotiate_context.h libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does. 2014-11-26 19:05:37 +01:00
smb2_signing.c libcli: Use iov_buflen in smb2_signing.c 2015-08-14 13:56:49 +02:00
smb2_signing.h libcli/smb: pass 'uint16_t cipher_id' to smb2_signing_[de|en]crypt_pdu() 2014-10-16 19:30:04 +02:00
smb2cli_close.c libcli/smb: pass max_dyn_len to smb2cli_req_send() 2013-08-15 09:07:06 +02:00
smb2cli_create.c libcli: Make smb2cli_create return blobs 2014-06-30 22:28:14 +02:00
smb2cli_echo.c libcli/smb: pass max_dyn_len to smb2cli_req_send() 2013-08-15 09:07:06 +02:00
smb2cli_flush.c libcli/smb: pass max_dyn_len to smb2cli_req_send() 2013-08-15 09:07:06 +02:00
smb2cli_ioctl.c libcli/smb: make sure we have a body size of 0x31 before dereferencing an ioctl response 2015-12-01 00:38:23 +01:00
smb2cli_query_directory.c Rename SMB2_OP_FIND to SMB2_OP_QUERY_DIRECTORY so that it conforms with the MS document MS-SMB2. 2015-03-27 01:24:47 +01:00
smb2cli_query_info.c s3: smb2cli: query info return length check was reversed. 2014-10-02 04:42:26 +02:00
smb2cli_read.c libcli/smb: pass max_dyn_len to smb2cli_req_send() 2013-08-15 09:07:06 +02:00
smb2cli_session.c libcli/smb: implement SMB 3.10 session setup 2014-10-07 22:47:04 +02:00
smb2cli_set_info.c libcli/smb: pass max_dyn_len to smb2cli_req_send() 2013-08-15 09:07:06 +02:00
smb2cli_tcon.c libcli/smb: pass tcon flags to the server for SMB 3.10 2014-10-07 22:47:04 +02:00
smb2cli_write.c libcli/smb: pass max_dyn_len to smb2cli_req_send() 2013-08-15 09:07:06 +02:00
smb_common.h libsmb: Move "struct smb2_lease" to common 2013-04-30 14:13:41 +02:00
smb_constants.h Introduce setting "desired" for 'smb encrypt' and 'client/server signing' 2015-07-07 14:05:27 +02:00
smb_seal.c Fix Bug 9422 - large read requests cause server to issue malformed reply 2012-11-30 03:27:07 +01:00
smb_seal.h libcli/smb: Convert struct smb_trans_enc_state to talloc 2012-01-31 20:17:10 +01:00
smb_signing.c libcli/smb: add smb_signing_is_desired() 2014-04-16 07:50:05 +02:00
smb_signing.h libcli/smb: add smb_signing_is_desired() 2014-04-16 07:50:05 +02:00
smb_unix_ext.h smb_unix_ext.h: Protect against multiple inclusion. 2011-09-28 12:05:54 +02:00
smb_util.h libcli/smb: add smb_buffer_oob() helper 2011-10-26 15:33:30 +02:00
smbXcli_base.c libcli/smb: Use helper function for finding session 2015-11-18 04:04:15 +01:00
smbXcli_base.h lib: cli: Add accessor function smb2cli_tcon_flags() to get tcon flags. 2015-10-14 15:58:19 +02:00
tstream_smbXcli_np.c libcli/smb: let tstream_smbXcli_np report connection errors as EPIPE instead of EIO 2015-07-03 02:00:28 +02:00
tstream_smbXcli_np.h libcli/smb: make TSTREAM_SMBXCLI_NP_MAX_BUF_SIZE public 2014-03-25 00:45:28 +01:00
util.c libcli/smb: add smb_buffer_oob() helper 2011-10-26 15:33:30 +02:00
wscript libcli: Use iov_buflen in smbXcli_iov_len 2015-02-24 17:52:09 +01:00