summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2006-12-27 20:45:12 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:16:44 -0500
commitb26a9ad9dfe2976ae1f6c31b270bdcd7818172c3 (patch)
tree1b19977cd21ac274437693b510c0abb04e4e3175
parentae7526fd55741ecbb0bd90d47a18578f0baafe87 (diff)
downloadsamba-b26a9ad9dfe2976ae1f6c31b270bdcd7818172c3.tar.gz
samba-b26a9ad9dfe2976ae1f6c31b270bdcd7818172c3.tar.bz2
samba-b26a9ad9dfe2976ae1f6c31b270bdcd7818172c3.zip
r20363: Fix any possible valgrind errors in srvstr_get_XX or srvstr_pull_XX
by ensuring we pass in a valid src_len (or zero when appropriate). Volker is correct in that this is a *horrible* interface and he is now free to generally clean it up everywhere :-). Go for it Volker ! Jeremy. (This used to be commit cd991fb839994dd29dc790b655f5597fa1e12843)
-rw-r--r--source3/smbd/nttrans.c4
-rw-r--r--source3/smbd/trans2.c45
2 files changed, 31 insertions, 18 deletions
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 377ddbeec3..68c5b46189 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -1865,14 +1865,14 @@ static int call_nt_transact_rename(connection_struct *conn, char *inbuf, char *o
BOOL path_contains_wcard = False;
NTSTATUS status;
- if(parameter_count < 4) {
+ if(parameter_count < 5) {
return ERROR_DOS(ERRDOS,ERRbadfunc);
}
fsp = file_fsp(params, 0);
replace_if_exists = (SVAL(params,2) & RENAME_REPLACE_IF_EXISTS) ? True : False;
CHECK_FSP(fsp, conn);
- srvstr_get_path_wcard(inbuf, new_name, params+4, sizeof(new_name), -1, STR_TERMINATE, &status, &path_contains_wcard);
+ srvstr_get_path_wcard(inbuf, new_name, params+4, sizeof(new_name), parameter_count - 4, STR_TERMINATE, &status, &path_contains_wcard);
if (!NT_STATUS_IS_OK(status)) {
return ERROR_NT(status);
}
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 9b6a175a9a..1ebdf16b8a 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -790,7 +790,7 @@ static int call_trans2open(connection_struct *conn, char *inbuf, char *outbuf, i
return(ERROR_DOS(ERRSRV,ERRaccess));
}
- srvstr_get_path(inbuf, fname, pname, sizeof(fname), -1, STR_TERMINATE, &status);
+ srvstr_get_path(inbuf, fname, pname, sizeof(fname), total_params - 28, STR_TERMINATE, &status);
if (!NT_STATUS_IS_OK(status)) {
return ERROR_NT(status);
}
@@ -1665,7 +1665,7 @@ static int call_trans2findfirst(connection_struct *conn, char *inbuf, char *outb
struct ea_list *ea_list = NULL;
NTSTATUS ntstatus = NT_STATUS_OK;
- if (total_params < 12) {
+ if (total_params < 13) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
@@ -1709,7 +1709,7 @@ close_if_end = %d requires_resume_key = %d level = 0x%x, max_data_bytes = %d\n",
return ERROR_NT(NT_STATUS_INVALID_LEVEL);
}
- srvstr_get_path_wcard(inbuf, directory, params+12, sizeof(directory), -1, STR_TERMINATE, &ntstatus, &mask_contains_wcard);
+ srvstr_get_path_wcard(inbuf, directory, params+12, sizeof(directory), total_params - 12, STR_TERMINATE, &ntstatus, &mask_contains_wcard);
if (!NT_STATUS_IS_OK(ntstatus)) {
return ERROR_NT(ntstatus);
}
@@ -1941,7 +1941,7 @@ static int call_trans2findnext(connection_struct *conn, char *inbuf, char *outbu
struct ea_list *ea_list = NULL;
NTSTATUS ntstatus = NT_STATUS_OK;
- if (total_params < 12) {
+ if (total_params < 13) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
@@ -1957,7 +1957,7 @@ static int call_trans2findnext(connection_struct *conn, char *inbuf, char *outbu
*mask = *directory = *resume_name = 0;
- srvstr_get_path_wcard(inbuf, resume_name, params+12, sizeof(resume_name), -1, STR_TERMINATE, &ntstatus, &mask_contains_wcard);
+ srvstr_get_path_wcard(inbuf, resume_name, params+12, sizeof(resume_name), total_params - 12, STR_TERMINATE, &ntstatus, &mask_contains_wcard);
if (!NT_STATUS_IS_OK(ntstatus)) {
/* Win9x or OS/2 can send a resume name of ".." or ".". This will cause the parser to
complain (it thinks we're asking for the directory above the shared
@@ -2933,7 +2933,7 @@ static int call_trans2qfilepathinfo(connection_struct *conn, char *inbuf, char *
NTSTATUS status = NT_STATUS_OK;
/* qpathinfo */
- if (total_params < 6) {
+ if (total_params < 7) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
@@ -2941,7 +2941,7 @@ static int call_trans2qfilepathinfo(connection_struct *conn, char *inbuf, char *
DEBUG(3,("call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = %d\n", info_level));
- srvstr_get_path(inbuf, fname, &params[6], sizeof(fname), -1, STR_TERMINATE, &status);
+ srvstr_get_path(inbuf, fname, &params[6], sizeof(fname), total_params - 6, STR_TERMINATE, &status);
if (!NT_STATUS_IS_OK(status)) {
return ERROR_NT(status);
}
@@ -3843,12 +3843,12 @@ static int call_trans2setfilepathinfo(connection_struct *conn, char *inbuf, char
}
} else {
/* set path info */
- if (total_params < 6) {
+ if (total_params < 7) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
info_level = SVAL(params,0);
- srvstr_get_path(inbuf, fname, &params[6], sizeof(fname), -1, STR_TERMINATE, &status);
+ srvstr_get_path(inbuf, fname, &params[6], sizeof(fname), total_params - 6, STR_TERMINATE, &status);
if (!NT_STATUS_IS_OK(status)) {
return ERROR_NT(status);
}
@@ -4377,10 +4377,14 @@ size = %.0f, uid = %u, gid = %u, raw perms = 0%o\n",
/* Set a symbolic link. */
/* Don't allow this if follow links is false. */
+ if (total_data == 0) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
if (!lp_symlinks(SNUM(conn)))
return(ERROR_DOS(ERRDOS,ERRnoaccess));
- srvstr_pull(inbuf, link_target, pdata, sizeof(link_target), -1, STR_TERMINATE);
+ srvstr_pull(inbuf, link_target, pdata, sizeof(link_target), total_data, STR_TERMINATE);
/* !widelinks forces the target path to be within the share. */
/* This means we can interpret the target as a pathname. */
@@ -4423,7 +4427,11 @@ size = %.0f, uid = %u, gid = %u, raw perms = 0%o\n",
char *newname = fname;
/* Set a hard link. */
- srvstr_get_path(inbuf, oldname, pdata, sizeof(oldname), -1, STR_TERMINATE, &status);
+ if (total_data == 0) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ srvstr_get_path(inbuf, oldname, pdata, sizeof(oldname), total_data, STR_TERMINATE, &status);
if (!NT_STATUS_IS_OK(status)) {
return ERROR_NT(status);
}
@@ -4450,13 +4458,18 @@ size = %.0f, uid = %u, gid = %u, raw perms = 0%o\n",
pstring base_name;
char *p;
- if (total_data < 12) {
+ if (total_data < 13) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
overwrite = (CVAL(pdata,0) ? True : False);
/* root_fid = IVAL(pdata,4); */
len = IVAL(pdata,8);
+
+ if (len > (total_data - 12) || (len == 0)) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
srvstr_get_path(inbuf, newname, &pdata[12], sizeof(newname), len, 0, &status);
if (!NT_STATUS_IS_OK(status)) {
return ERROR_NT(status);
@@ -4799,11 +4812,11 @@ static int call_trans2mkdir(connection_struct *conn, char *inbuf, char *outbuf,
if (!CAN_WRITE(conn))
return ERROR_DOS(ERRSRV,ERRaccess);
- if (total_params < 4) {
+ if (total_params < 5) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
- srvstr_get_path(inbuf, directory, &params[4], sizeof(directory), -1, STR_TERMINATE, &status);
+ srvstr_get_path(inbuf, directory, &params[4], sizeof(directory), total_params - 4, STR_TERMINATE, &status);
if (!NT_STATUS_IS_OK(status)) {
return ERROR_NT(status);
}
@@ -4976,7 +4989,7 @@ static int call_trans2getdfsreferral(connection_struct *conn, char* inbuf, char*
DEBUG(10,("call_trans2getdfsreferral\n"));
- if (total_params < 2) {
+ if (total_params < 3) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
@@ -4985,7 +4998,7 @@ static int call_trans2getdfsreferral(connection_struct *conn, char* inbuf, char*
if(!lp_host_msdfs())
return ERROR_DOS(ERRDOS,ERRbadfunc);
- srvstr_pull(inbuf, pathname, &params[2], sizeof(pathname), -1, STR_TERMINATE);
+ srvstr_pull(inbuf, pathname, &params[2], sizeof(pathname), total_params - 2, STR_TERMINATE);
if((reply_size = setup_dfs_referral(conn, pathname,max_referral_level,ppdata)) < 0)
return UNIXERROR(ERRDOS,ERRbadfile);