authorJeremy Allison <jra@samba.org>2003-10-29 21:28:00 +0000
committerJeremy Allison <jra@samba.org>2003-10-29 21:28:00 +0000
commit231124ced9237cdbc3732a722c8f373ee760927b (patch)
tree29ef77ec225223bd9339ec3826a228c746ab140e
parentfdb2f57f62b776118156f266b8273f509ea60484 (diff)
Fixes to check for wraps which could cause coredumps.
Jeremy. (This used to be commit ad06edd1bb58cc5e2c38a364b1af96a933b770af)
-rw-r--r--source3/lib/smbldap.c1
-rw-r--r--source3/libsmb/clilist.c2
-rw-r--r--source3/libsmb/ntlmssp_parse.c7
-rw-r--r--source3/nmbd/nmbd_processlogon.c3
-rw-r--r--source3/printing/nt_printing.c19
-rw-r--r--source3/smbd/reply.c10
6 files changed, 28 insertions, 14 deletions
diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c
index 8f58e80dde..fe34cfb852 100644
--- a/source3/lib/smbldap.c
+++ b/source3/lib/smbldap.c
@@ -258,6 +258,7 @@ BOOL fetch_ldap_pw(char **dn, char** pw)
return False;
}
+ size = MIN(size, sizeof(fstring)-1);
strncpy(old_style_pw, data, size);
old_style_pw[size] = 0;
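Review bot: The added clamp silently truncates any stored LDAP bind password longer than sizeof(fstring)-1 bytes instead of rejecting it, so an over-long secret would turn into a wrong password and a confusing bind failure far from the place that read it. Fail explicitly before the copy instead: `if (size > sizeof(fstring)-1) { DEBUG(0,("fetch_ldap_pw: stored password too long\n")); return False; }`. The declaration of `size` and the rest of fetch_ldap_pw are outside this hunk; if `size` is a signed type it also needs a `size < 0` rejection, since MIN() against a size_t would not catch a negative value.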
diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c
index 7822987ada..2c1831ae99 100644
--- a/source3/libsmb/clilist.c
+++ b/source3/libsmb/clilist.c
@@ -82,7 +82,7 @@ static int interpret_long_filename(struct cli_state *cli,
case 260: /* NT uses this, but also accepts 2 */
{
- int namelen, slen;
+ size_t namelen, slen;
p += 4; /* next entry offset */
p += 4; /* fileindex */
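Review bot: Changing namelen and slen to size_t makes any negative value derived from the wire length fields a huge unsigned number rather than a negative one, which is only safe if every later comparison is against the bytes actually remaining in the received buffer. The reads and uses of namelen/slen are outside this hunk and interpret_long_filename continues past it, so please confirm the consumer bounds the length in the form `if (namelen > remaining) return -1;` (remaining being the byte count left in the data buffer) rather than relying on the type change alone.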
diff --git a/source3/libsmb/ntlmssp_parse.c b/source3/libsmb/ntlmssp_parse.c
index 60cb4ab04a..b136dacf5a 100644
--- a/source3/libsmb/ntlmssp_parse.c
+++ b/source3/libsmb/ntlmssp_parse.c
@@ -226,7 +226,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
*ps = smb_xstrdup("");
} else {
/* make sure its in the right format - be strict */
- if (len1 != len2 || ptr + len1 > blob->length) {
+ if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
return False;
}
if (len1 & 1) {
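Review bot: The wrap test `(ptr + len1 < ptr) || (ptr + len1 < len1)` is only well-defined if ptr and len1 are unsigned; if either is a signed int the overflow is undefined behaviour and an optimizing compiler is entitled to delete the comparison, and their declarations are outside this hunk. For unsigned operands the two comparisons are redundant (a+b wraps exactly when a+b < a). A form that never performs the addition at all is `if ((len1 != len2) || (ptr > blob->length) || (len1 > blob->length - ptr))`, which also reads as the intent. The same condition is repeated in the next two hunks of msrpc_parse and should be changed in all three places together.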
@@ -255,7 +255,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
if (len1 == 0 && len2 == 0) {
*ps = smb_xstrdup("");
} else {
- if (len1 != len2 || ptr + len1 > blob->length) {
+ if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
return False;
}
@@ -280,7 +280,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
*b = data_blob(NULL, 0);
} else {
/* make sure its in the right format - be strict */
- if (len1 != len2 || ptr + len1 > blob->length) {
+ if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
return False;
}
*b = data_blob(blob->data + ptr, len1);
@@ -314,4 +314,3 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
return True;
}
-
diff --git a/source3/nmbd/nmbd_processlogon.c b/source3/nmbd/nmbd_processlogon.c
index 2a6a6b66d1..816b351464 100644
--- a/source3/nmbd/nmbd_processlogon.c
+++ b/source3/nmbd/nmbd_processlogon.c
@@ -491,6 +491,8 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
/* Domain SID */
+#if 0
+ /* We must range check this. */
q += IVAL(q, 0) + 4; /* 4 byte length plus data */
q += 2; /* Alignment? */
@@ -500,6 +502,7 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
q += 4; /* NT version (0x1) */
q += 2; /* LMNT token (0xff) */
q += 2; /* LM20 token (0xff) */
+#endif
SAFE_FREE(db_info); /* Not sure whether we need to do anything useful with these */
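Review bot: Wrapping the domain-SID / NT-version walk in `#if 0` with a "We must range check this" comment leaves dead code that will rot; the comment on the SAFE_FREE line says nothing useful is done with these values, so either delete the block or add the check now rather than disabling it. If the values are needed later, the advance must be bounded before it happens, e.g. `if (IVAL(q, 0) > bytes_left - 4) { /* malformed logon request */ return; }` against the bytes left in the received packet, and the packet-end variable is not visible in this hunk. Note that `q` is no longer advanced past the SID, so any reader of `q` after this point (outside the hunk) now sees the pre-SID position.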
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index 5b5b5885ab..908bd9c887 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -728,7 +728,7 @@ const char *get_short_archi(const char *long_archi)
static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32 *minor)
{
int i;
- char *buf;
+ char *buf = NULL;
ssize_t byte_count;
if ((buf=malloc(PE_HEADER_SIZE)) == NULL) {
@@ -768,8 +768,8 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
/* The header may be a PE (Portable Executable) or an NE (New Executable) */
if (IVAL(buf,PE_HEADER_SIGNATURE_OFFSET) == PE_HEADER_SIGNATURE) {
- int num_sections;
- int section_table_bytes;
+ unsigned int num_sections;
+ unsigned int section_table_bytes;
if (SVAL(buf,PE_HEADER_MACHINE_OFFSET) != PE_HEADER_MACHINE_I386) {
DEBUG(3,("get_file_version: PE file [%s] wrong machine = 0x%x\n",
@@ -783,6 +783,9 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
/* get the section table */
num_sections = SVAL(buf,PE_HEADER_NUMBER_OF_SECTIONS);
section_table_bytes = num_sections * PE_HEADER_SECT_HEADER_SIZE;
+ if (section_table_bytes == 0)
+ goto error_exit;
+
SAFE_FREE(buf);
if ((buf=malloc(section_table_bytes)) == NULL) {
DEBUG(0,("get_file_version: PE file [%s] section table malloc failed bytes = %d\n",
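Review bot: `section_table_bytes` is now unsigned int but the DEBUG at the end of the hunk still prints it with `%d`; the type change should come with a format change to `%u` so the arguments keep matching. The zero check itself is sound, and because num_sections comes from a 16-bit SVAL the multiply cannot wrap a 32-bit unsigned, so the allocation is bounded by 65535 * PE_HEADER_SECT_HEADER_SIZE even though it is driven by the uploaded file.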
@@ -801,8 +804,11 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
int sec_offset = i * PE_HEADER_SECT_HEADER_SIZE;
if (strcmp(".rsrc", &buf[sec_offset+PE_HEADER_SECT_NAME_OFFSET]) == 0) {
- int section_pos = IVAL(buf,sec_offset+PE_HEADER_SECT_PTR_DATA_OFFSET);
- int section_bytes = IVAL(buf,sec_offset+PE_HEADER_SECT_SIZE_DATA_OFFSET);
+ unsigned int section_pos = IVAL(buf,sec_offset+PE_HEADER_SECT_PTR_DATA_OFFSET);
+ unsigned int section_bytes = IVAL(buf,sec_offset+PE_HEADER_SECT_SIZE_DATA_OFFSET);
+
+ if (section_bytes == 0)
+ goto error_exit;
SAFE_FREE(buf);
if ((buf=malloc(section_bytes)) == NULL) {
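Review bot: `section_bytes` is a 32-bit value read straight from the uploaded driver file and the only bound before `malloc(section_bytes)` is `!= 0`, so a crafted .rsrc section header can still request an allocation of close to 4 GiB from the print server. Bound it against something real before allocating, such as the file size obtained by fstat on fsp or a fixed sane maximum for a version-resource section, e.g. `if (section_bytes == 0 || section_bytes > file_size) goto error_exit;`. `section_pos` is likewise unchecked in this hunk; whether the subsequent seek/read validates it against the file is outside the visible lines.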
@@ -824,6 +830,9 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
goto error_exit;
}
+ if (section_bytes < VS_VERSION_INFO_UNICODE_SIZE)
+ goto error_exit;
+
for (i=0; i<section_bytes-VS_VERSION_INFO_UNICODE_SIZE; i++) {
/* Scan for 1st 3 unicoded bytes followed by word aligned magic value */
if (buf[i] == 'V' && buf[i+1] == '\0' && buf[i+2] == 'S') {
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 011186ba89..3752507493 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -669,10 +669,9 @@ int reply_search(connection_struct *conn, char *inbuf,char *outbuf, int dum_size
time_t date;
int dirtype;
int outsize = 0;
- int numentries = 0;
+ unsigned int numentries = 0;
+ unsigned int maxentries = 0;
BOOL finished = False;
- int maxentries;
- int i;
char *p;
BOOL ok = False;
int status_len;
@@ -786,6 +785,9 @@ int reply_search(connection_struct *conn, char *inbuf,char *outbuf, int dum_size
numentries = 0;
p += DIR_STRUCT_SIZE;
} else {
+ unsigned int i;
+ maxentries = MIN(maxentries, ((BUFFER_SIZE - (p - outbuf))/DIR_STRUCT_SIZE));
+
DEBUG(8,("dirpath=<%s> dontdescend=<%s>\n",
conn->dirpath,lp_dontdescend(SNUM(conn))));
if (in_list(conn->dirpath, lp_dontdescend(SNUM(conn)),True))
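Review bot: The new cap `(BUFFER_SIZE - (p - outbuf))/DIR_STRUCT_SIZE` mixes a signed pointer difference with the now-unsigned `maxentries`; if `p` were ever at or past `outbuf + BUFFER_SIZE` the subtraction goes negative and, assuming the usual `((a)<(b)?(a):(b))` MIN macro, the negative value is converted and stored as a huge count rather than 0. Compute the remaining room explicitly: `size_t room = (p < outbuf + BUFFER_SIZE) ? (size_t)(outbuf + BUFFER_SIZE - p) : 0;` followed by `maxentries = MIN(maxentries, room / DIR_STRUCT_SIZE);`. Whether `p` can reach that point depends on code outside the hunk, and reply_search's body continues past it.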
@@ -845,7 +847,7 @@ int reply_search(connection_struct *conn, char *inbuf,char *outbuf, int dum_size
if ((! *directory) && dptr_path(dptr_num))
slprintf(directory, sizeof(directory)-1, "(%s)",dptr_path(dptr_num));
- DEBUG( 4, ( "%s mask=%s path=%s dtype=%d nument=%d of %d\n",
+ DEBUG( 4, ( "%s mask=%s path=%s dtype=%d nument=%u of %u\n",
smb_fn_name(CVAL(inbuf,smb_com)),
mask, directory, dirtype, numentries, maxentries ) );