diff options
author | Jeremy Allison <jra@samba.org> | 2003-10-29 21:28:00 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2003-10-29 21:28:00 +0000 |
commit | 231124ced9237cdbc3732a722c8f373ee760927b (patch) | |
tree | 29ef77ec225223bd9339ec3826a228c746ab140e /source3 | |
parent | fdb2f57f62b776118156f266b8273f509ea60484 (diff) | |
download | samba-231124ced9237cdbc3732a722c8f373ee760927b.tar.gz samba-231124ced9237cdbc3732a722c8f373ee760927b.tar.bz2 samba-231124ced9237cdbc3732a722c8f373ee760927b.zip |
Fixes to check for wraps which could cause coredumps.
Jeremy.
(This used to be commit ad06edd1bb58cc5e2c38a364b1af96a933b770af)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/lib/smbldap.c | 1 | ||||
-rw-r--r-- | source3/libsmb/clilist.c | 2 | ||||
-rw-r--r-- | source3/libsmb/ntlmssp_parse.c | 7 | ||||
-rw-r--r-- | source3/nmbd/nmbd_processlogon.c | 3 | ||||
-rw-r--r-- | source3/printing/nt_printing.c | 19 | ||||
-rw-r--r-- | source3/smbd/reply.c | 10 |
6 files changed, 28 insertions, 14 deletions
diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c index 8f58e80dde..fe34cfb852 100644 --- a/source3/lib/smbldap.c +++ b/source3/lib/smbldap.c @@ -258,6 +258,7 @@ BOOL fetch_ldap_pw(char **dn, char** pw) return False; } + size = MIN(size, sizeof(fstring)-1); strncpy(old_style_pw, data, size); old_style_pw[size] = 0; diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c index 7822987ada..2c1831ae99 100644 --- a/source3/libsmb/clilist.c +++ b/source3/libsmb/clilist.c @@ -82,7 +82,7 @@ static int interpret_long_filename(struct cli_state *cli, case 260: /* NT uses this, but also accepts 2 */ { - int namelen, slen; + size_t namelen, slen; p += 4; /* next entry offset */ p += 4; /* fileindex */ diff --git a/source3/libsmb/ntlmssp_parse.c b/source3/libsmb/ntlmssp_parse.c index 60cb4ab04a..b136dacf5a 100644 --- a/source3/libsmb/ntlmssp_parse.c +++ b/source3/libsmb/ntlmssp_parse.c @@ -226,7 +226,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob, *ps = smb_xstrdup(""); } else { /* make sure its in the right format - be strict */ - if (len1 != len2 || ptr + len1 > blob->length) { + if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) { return False; } if (len1 & 1) { @@ -255,7 +255,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob, if (len1 == 0 && len2 == 0) { *ps = smb_xstrdup(""); } else { - if (len1 != len2 || ptr + len1 > blob->length) { + if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) { return False; } @@ -280,7 +280,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob, *b = data_blob(NULL, 0); } else { /* make sure its in the right format - be strict */ - if (len1 != len2 || ptr + len1 > blob->length) { + if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) { return False; } *b = data_blob(blob->data + ptr, len1); @@ -314,4 +314,3 @@ BOOL msrpc_parse(const DATA_BLOB *blob, return True; } - diff --git a/source3/nmbd/nmbd_processlogon.c b/source3/nmbd/nmbd_processlogon.c index 2a6a6b66d1..816b351464 100644 --- a/source3/nmbd/nmbd_processlogon.c +++ b/source3/nmbd/nmbd_processlogon.c @@ -491,6 +491,8 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n", /* Domain SID */ +#if 0 + /* We must range check this. */ q += IVAL(q, 0) + 4; /* 4 byte length plus data */ q += 2; /* Alignment? */ @@ -500,6 +502,7 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n", q += 4; /* NT version (0x1) */ q += 2; /* LMNT token (0xff) */ q += 2; /* LM20 token (0xff) */ +#endif SAFE_FREE(db_info); /* Not sure whether we need to do anything useful with these */ diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c index 5b5b5885ab..908bd9c887 100644 --- a/source3/printing/nt_printing.c +++ b/source3/printing/nt_printing.c @@ -728,7 +728,7 @@ const char *get_short_archi(const char *long_archi) static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32 *minor) { int i; - char *buf; + char *buf = NULL; ssize_t byte_count; if ((buf=malloc(PE_HEADER_SIZE)) == NULL) { @@ -768,8 +768,8 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32 /* The header may be a PE (Portable Executable) or an NE (New Executable) */ if (IVAL(buf,PE_HEADER_SIGNATURE_OFFSET) == PE_HEADER_SIGNATURE) { - int num_sections; - int section_table_bytes; + unsigned int num_sections; + unsigned int section_table_bytes; if (SVAL(buf,PE_HEADER_MACHINE_OFFSET) != PE_HEADER_MACHINE_I386) { DEBUG(3,("get_file_version: PE file [%s] wrong machine = 0x%x\n", @@ -783,6 +783,9 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32 /* get the section table */ num_sections = SVAL(buf,PE_HEADER_NUMBER_OF_SECTIONS); section_table_bytes = num_sections * PE_HEADER_SECT_HEADER_SIZE; + if (section_table_bytes == 0) + goto error_exit; + SAFE_FREE(buf); if ((buf=malloc(section_table_bytes)) == NULL) { DEBUG(0,("get_file_version: PE file [%s] section table malloc failed bytes = %d\n", @@ -801,8 +804,11 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32 int sec_offset = i * PE_HEADER_SECT_HEADER_SIZE; if (strcmp(".rsrc", &buf[sec_offset+PE_HEADER_SECT_NAME_OFFSET]) == 0) { - int section_pos = IVAL(buf,sec_offset+PE_HEADER_SECT_PTR_DATA_OFFSET); - int section_bytes = IVAL(buf,sec_offset+PE_HEADER_SECT_SIZE_DATA_OFFSET); + unsigned int section_pos = IVAL(buf,sec_offset+PE_HEADER_SECT_PTR_DATA_OFFSET); + unsigned int section_bytes = IVAL(buf,sec_offset+PE_HEADER_SECT_SIZE_DATA_OFFSET); + + if (section_bytes == 0) + goto error_exit; SAFE_FREE(buf); if ((buf=malloc(section_bytes)) == NULL) { @@ -824,6 +830,9 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32 goto error_exit; } + if (section_bytes < VS_VERSION_INFO_UNICODE_SIZE) + goto error_exit; + for (i=0; i<section_bytes-VS_VERSION_INFO_UNICODE_SIZE; i++) { /* Scan for 1st 3 unicoded bytes followed by word aligned magic value */ if (buf[i] == 'V' && buf[i+1] == '\0' && buf[i+2] == 'S') { diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 011186ba89..3752507493 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -669,10 +669,9 @@ int reply_search(connection_struct *conn, char *inbuf,char *outbuf, int dum_size time_t date; int dirtype; int outsize = 0; - int numentries = 0; + unsigned int numentries = 0; + unsigned int maxentries = 0; BOOL finished = False; - int maxentries; - int i; char *p; BOOL ok = False; int status_len; @@ -786,6 +785,9 @@ int reply_search(connection_struct *conn, char *inbuf,char *outbuf, int dum_size numentries = 0; p += DIR_STRUCT_SIZE; } else { + unsigned int i; + maxentries = MIN(maxentries, ((BUFFER_SIZE - (p - outbuf))/DIR_STRUCT_SIZE)); + DEBUG(8,("dirpath=<%s> dontdescend=<%s>\n", conn->dirpath,lp_dontdescend(SNUM(conn)))); if (in_list(conn->dirpath, lp_dontdescend(SNUM(conn)),True)) @@ -845,7 +847,7 @@ int reply_search(connection_struct *conn, char *inbuf,char *outbuf, int dum_size if ((! *directory) && dptr_path(dptr_num)) slprintf(directory, sizeof(directory)-1, "(%s)",dptr_path(dptr_num)); - DEBUG( 4, ( "%s mask=%s path=%s dtype=%d nument=%d of %d\n", + DEBUG( 4, ( "%s mask=%s path=%s dtype=%d nument=%u of %u\n", smb_fn_name(CVAL(inbuf,smb_com)), mask, directory, dirtype, numentries, maxentries ) ); |