diff options
| author | Simo Sorce <idra@samba.org> | 2001-08-12 17:30:01 +0000 |
|---|---|---|
| committer | Simo Sorce <idra@samba.org> | 2001-08-12 17:30:01 +0000 |
| commit | 2e783a47076bd0994b6ce86df7ec967bc1c2da63 (patch) | |
| tree | c6504d6e8396eef290fe499abb8586b758f1f3d4 /source3 | |
| parent | ddec8306586414cc02eca612777bb547cb8dbcae (diff) | |
| download | samba-2e783a47076bd0994b6ce86df7ec967bc1c2da63.tar.gz samba-2e783a47076bd0994b6ce86df7ec967bc1c2da63.tar.bz2 samba-2e783a47076bd0994b6ce86df7ec967bc1c2da63.zip | |
this is a big global fix for the ptr = Realloc(ptr, size) bug.
many possible mem leaks, and segfaults fixed.
someone should port this fix to 2.2 also.
(This used to be commit fa8e55b8b465114ce209344965c1ca0333b84db9)
Diffstat (limited to 'source3')
30 files changed, 363 insertions, 136 deletions
diff --git a/source3/aparser/parser.c b/source3/aparser/parser.c index c2348b84f9..0c7153e1fb 100644 --- a/source3/aparser/parser.c +++ b/source3/aparser/parser.c @@ -460,8 +460,12 @@ realloc some memory for a parse structure ********************************************************************/ BOOL io_realloc(char *name, io_struct *ps, void **ptr, unsigned size) { - (*ptr) = (void *)Realloc(*ptr, size); - if (*ptr) return True; - return False; + BOOL ret = True; + void *tp; + + tp = (void *)Realloc(*ptr, size); + if (tp) *ptr = tp; + else ret = False; + return ret; } diff --git a/source3/client/client.c b/source3/client/client.c index 32cc34b225..f3cc28cc60 100644 --- a/source3/client/client.c +++ b/source3/client/client.c @@ -415,20 +415,22 @@ static void adjust_do_list_queue(void) static void add_to_do_list_queue(const char* entry) { + char *dlq; long new_end = do_list_queue_end + ((long)strlen(entry)) + 1; while (new_end > do_list_queue_size) { do_list_queue_size *= 2; DEBUG(4,("enlarging do_list_queue to %d\n", (int)do_list_queue_size)); - do_list_queue = Realloc(do_list_queue, do_list_queue_size); - if (! do_list_queue) { + dlq = Realloc(do_list_queue, do_list_queue_size); + if (! dlq) { DEBUG(0,("failure enlarging do_list_queue to %d bytes\n", (int)do_list_queue_size)); reset_do_list_queue(); } else { + do_list_queue = dlq; memset(do_list_queue + do_list_queue_size / 2, 0, do_list_queue_size / 2); } diff --git a/source3/client/clitar.c b/source3/client/clitar.c index d28e652b35..3ae4cafc18 100644 --- a/source3/client/clitar.c +++ b/source3/client/clitar.c @@ -1569,14 +1569,16 @@ static int read_inclusion_file(char *filename) } if ((strlen(buf) + 1 + inclusion_buffer_sofar) >= inclusion_buffer_size) { + char *ib; inclusion_buffer_size *= 2; - inclusion_buffer = Realloc(inclusion_buffer,inclusion_buffer_size); - if (! inclusion_buffer) { + ib = Realloc(inclusion_buffer,inclusion_buffer_size); + if (! ib) { DEBUG(0,("failure enlarging inclusion buffer to %d bytes\n", inclusion_buffer_size)); error = 1; break; } + else inclusion_buffer = ib; } safe_strcpy(inclusion_buffer + inclusion_buffer_sofar, buf, inclusion_buffer_size - inclusion_buffer_sofar); diff --git a/source3/groupdb/aliasdb.c b/source3/groupdb/aliasdb.c index a6876d0afc..eed417a699 100644 --- a/source3/groupdb/aliasdb.c +++ b/source3/groupdb/aliasdb.c @@ -140,16 +140,19 @@ LOCAL_GRP *iterate_getaliasnam(char *name, LOCAL_GRP_MEMBER **mem, int *num_mem) *************************************************************************/ BOOL add_domain_alias(LOCAL_GRP **alss, int *num_alss, LOCAL_GRP *als) { + LOCAL_GRP *talss; + if (alss == NULL || num_alss == NULL || als == NULL) { return False; } - (*alss) = Realloc((*alss), ((*num_alss)+1) * sizeof(LOCAL_GRP)); - if ((*alss) == NULL) + talss = Realloc((*alss), ((*num_alss)+1) * sizeof(LOCAL_GRP)); + if (talss == NULL) { return False; } + else (*alss) = talss; DEBUG(10,("adding alias %s(%s)\n", als->name, als->comment)); diff --git a/source3/groupdb/aliasfile.c b/source3/groupdb/aliasfile.c index 4b8bbe3079..2735fef38f 100644 --- a/source3/groupdb/aliasfile.c +++ b/source3/groupdb/aliasfile.c @@ -128,12 +128,13 @@ static char *get_alias_members(char *p, int *num_mem, LOCAL_GRP_MEMBER **members while (next_token(&p, name, ",", sizeof(fstring))) { + LOCAL_GRP_MEMBER *mbrs; DOM_SID sid; uint8 type; if (lookup_sid(name, &sid, &type)) { - (*members) = Realloc((*members), ((*num_mem)+1) * sizeof(LOCAL_GRP_MEMBER)); + mbrs = Realloc((*members), ((*num_mem)+1) * sizeof(LOCAL_GRP_MEMBER)); (*num_mem)++; } else @@ -141,10 +142,12 @@ static char *get_alias_members(char *p, int *num_mem, LOCAL_GRP_MEMBER **members DEBUG(0,("alias database: could not resolve alias named %s\n", name)); continue; } - if ((*members) == NULL) + if (mbrs == NULL) { return NULL; } + else (*members) = mbrs; + fstrcpy((*members)[(*num_mem)-1].name, name); (*members)[(*num_mem)-1].sid_use = type; sid_copy(&(*members)[(*num_mem)-1].sid, &sid); diff --git a/source3/groupdb/groupdb.c b/source3/groupdb/groupdb.c index 1f773d9f15..4b7795c57b 100644 --- a/source3/groupdb/groupdb.c +++ b/source3/groupdb/groupdb.c @@ -138,16 +138,19 @@ DOMAIN_GRP *iterate_getgroupnam(char *name, DOMAIN_GRP_MEMBER **mem, int *num_me *************************************************************************/ BOOL add_domain_group(DOMAIN_GRP **grps, int *num_grps, DOMAIN_GRP *grp) { + DOMAIN_GRP *tgrps; + if (grps == NULL || num_grps == NULL || grp == NULL) { return False; } - (*grps) = Realloc((*grps), ((*num_grps)+1) * sizeof(DOMAIN_GRP)); - if ((*grps) == NULL) + tgrps = Realloc((*grps), ((*num_grps)+1) * sizeof(DOMAIN_GRP)); + if (tgrps == NULL) { return False; } + else (*grps) = tgrps; DEBUG(10,("adding group %s(%s)\n", grp->name, grp->comment)); diff --git a/source3/groupdb/groupfile.c b/source3/groupdb/groupfile.c index 88d362e7d4..ba9027b4f6 100644 --- a/source3/groupdb/groupfile.c +++ b/source3/groupdb/groupfile.c @@ -128,11 +128,14 @@ static char *get_group_members(char *p, int *num_mem, DOMAIN_GRP_MEMBER **member while (next_token(&p, name, ",", sizeof(fstring))) { - (*members) = Realloc((*members), ((*num_mem)+1) * sizeof(DOMAIN_GRP_MEMBER)); - if ((*members) == NULL) + DOMAIN_GRP_MEMBER *mbrs; + + mbrs = Realloc((*members), ((*num_mem)+1) * sizeof(DOMAIN_GRP_MEMBER)); + if (mbrs == NULL) { return NULL; } + else (*members) = mbrs; fstrcpy((*members)[(*num_mem)].name, name); (*members)[(*num_mem)].attr = 0x07; (*num_mem)++; diff --git a/source3/groupdb/mapping.c b/source3/groupdb/mapping.c index 97e7551586..268a1b1bd4 100644 --- a/source3/groupdb/mapping.c +++ b/source3/groupdb/mapping.c @@ -395,7 +395,7 @@ BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, fstring string_sid; fstring group_type; GROUP_MAP map; - GROUP_MAP *mapt=NULL; + GROUP_MAP *mapt; int ret; int entries=0; @@ -433,7 +433,14 @@ BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, decode_sid_name_use(group_type, map.sid_name_use); - mapt=(GROUP_MAP *)Realloc(mapt, (entries+1)*sizeof(GROUP_MAP)); + mapt=(GROUP_MAP *)Realloc((*rmap), (entries+1)*sizeof(GROUP_MAP)); + if (!mapt) { + DEBUG(0,("enum_group_mapping: Unable to enlarge group map!\n")); + if (*rmap) free(*rmap); + *rmap=NULL; + return False; + } + else (*rmap) = mapt; mapt[entries].gid = map.gid; sid_copy( &mapt[entries].sid, &map.sid); @@ -445,7 +452,6 @@ BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, entries++; } - *rmap=mapt; *num_entries=entries; return True; } @@ -661,6 +667,7 @@ BOOL get_uid_list_of_group(gid_t gid, uid_t **uid, int *num_uids) struct passwd *pwd; int i=0; char *gr; + uid_t *u; *num_uids = 0; *uid=NULL; @@ -672,7 +679,12 @@ BOOL get_uid_list_of_group(gid_t gid, uid_t **uid, int *num_uids) DEBUG(10, ("getting members\n")); while (gr && (*gr != (char)'\0')) { - (*uid)=Realloc((*uid), sizeof(uid_t)*(*num_uids+1)); + u = Realloc((*uid), sizeof(uid_t)*(*num_uids+1)); + if (!u) { + DEBUG(0,("get_uid_list_of_group: unable to enlarge uid list!\n")); + return False; + } + else (*uid) = u; if( (pwd=getpwnam(gr)) !=NULL) { (*uid)[*num_uids]=pwd->pw_uid; @@ -685,7 +697,12 @@ BOOL get_uid_list_of_group(gid_t gid, uid_t **uid, int *num_uids) setpwent(); while ((pwd=getpwent()) != NULL) { if (pwd->pw_gid==gid) { - (*uid)=Realloc((*uid), sizeof(uid_t)*(*num_uids+1)); + u = Realloc((*uid), sizeof(uid_t)*(*num_uids+1)); + if (!u) { + DEBUG(0,("get_uid_list_of_group: unable to enlarge uid list!\n")); + return False; + } + else (*uid) = u; (*uid)[*num_uids]=pwd->pw_uid; (*num_uids)++; diff --git a/source3/lib/time.c b/source3/lib/time.c index 9714d4b9f8..12643b0522 100644 --- a/source3/lib/time.c +++ b/source3/lib/time.c @@ -121,7 +121,7 @@ Updated by Paul Eggert <eggert@twinsun.com> ********************************************************************/ static int TimeZoneFaster(time_t t) { - static struct dst_table {time_t start,end; int zone;} *dst_table = NULL; + static struct dst_table {time_t start,end; int zone;} *tdt, *dst_table = NULL; static int table_size = 0; int i; int zone = 0; @@ -141,11 +141,14 @@ static int TimeZoneFaster(time_t t) time_t low,high; zone = TimeZone(t); - dst_table = (struct dst_table *)Realloc(dst_table, + tdt = (struct dst_table *)Realloc(dst_table, sizeof(dst_table[0])*(i+1)); - if (!dst_table) { + if (!tdt) { + DEBUG(0,("TimeZoneFaster: out of memory!\n")); + if (dst_table) free (dst_table); table_size = 0; } else { + dst_table = tdt; table_size++; dst_table[i].zone = zone; diff --git a/source3/lib/util.c b/source3/lib/util.c index ac0a004a26..33d604e85f 100644 --- a/source3/lib/util.c +++ b/source3/lib/util.c @@ -166,11 +166,15 @@ char *get_numlist(char *p, uint32 **num, int *count) while ((p = Atoic(p, &val, ":,")) != NULL && (*p) != ':') { - (*num) = Realloc((*num), ((*count)+1) * sizeof(uint32)); - if ((*num) == NULL) + uint32 *tn; + + tn = Realloc((*num), ((*count)+1) * sizeof(uint32)); + if (tn == NULL) { + if (*num) free(*num); return NULL; } + else (*num) = tn; (*num)[(*count)] = val; (*count)++; p++; diff --git a/source3/lib/util_array.c b/source3/lib/util_array.c index 567c170834..dcb08d9ce7 100644 --- a/source3/lib/util_array.c +++ b/source3/lib/util_array.c @@ -58,15 +58,18 @@ void* add_copy_to_array(uint32 *len, void ***array, const void *item, void* add_item_to_array(uint32 *len, void ***array, void *item) { + void **tary; + if (len == NULL || array == NULL) { return NULL; } - (*array) = (void**)Realloc((*array), ((*len)+1)*sizeof((*array)[0])); + tary = (void**)Realloc((*array), ((*len)+1)*sizeof((*array)[0])); - if ((*array) != NULL) + if (tary != NULL) { + (*array) = tary; (*array)[(*len)] = item; (*len)++; return item; diff --git a/source3/lib/util_file.c b/source3/lib/util_file.c index a92eb15333..d80c09666b 100644 --- a/source3/lib/util_file.c +++ b/source3/lib/util_file.c @@ -287,7 +287,7 @@ char *fgets_slash(char *s2,int maxlen,FILE *f) if (!s2) { maxlen = MIN(maxlen,8); - s = (char *)Realloc(s,maxlen); + s = (char *)malloc(maxlen); } if (!s) return(NULL); @@ -327,9 +327,15 @@ char *fgets_slash(char *s2,int maxlen,FILE *f) } if (!s2 && len > maxlen-3) { + char *t; + maxlen *= 2; - s = (char *)Realloc(s,maxlen); - if (!s) return(NULL); + t = (char *)Realloc(s,maxlen); + if (!t) { + DEBUG(0,("fgets_slash: failed to expand buffer!\n")); + if (s) free(s); + return(NULL); + } else s = t; } } return(s); @@ -342,7 +348,7 @@ load from a pipe into memory char *file_pload(char *syscmd, size_t *size) { int fd, n; - char *p; + char *p, *tp; pstring buf; size_t total; @@ -353,11 +359,13 @@ char *file_pload(char *syscmd, size_t *size) total = 0; while ((n = read(fd, buf, sizeof(buf))) > 0) { - p = Realloc(p, total + n + 1); - if (!p) { + tp = Realloc(p, total + n + 1); + if (!tp) { + DEBUG(0,("file_pload: failed to exand buffer!\n")); close(fd); + if (p) free(p); return NULL; - } + } else p = tp; memcpy(p+total, buf, n); total += n; } diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c index b7624486d6..609f5f2331 100644 --- a/source3/libsmb/clilist.c +++ b/source3/libsmb/clilist.c @@ -141,7 +141,7 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute, pstring mask; file_info finfo; int i; - char *dirlist = NULL; + char *tdl, *dirlist = NULL; int dirlist_len = 0; int total_received = -1; BOOL First = True; @@ -259,12 +259,13 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute, } /* and add them to the dirlist pool */ - dirlist = Realloc(dirlist,dirlist_len + data_len); + tdl = Realloc(dirlist,dirlist_len + data_len); - if (!dirlist) { - DEBUG(0,("Failed to expand dirlist\n")); + if (!tdl) { + DEBUG(0,("cli_list_new: Failed to expand dirlist\n")); break; } + else dirlist = tdl; /* put in a length for the last entry, to ensure we can chain entries into the next packet */ @@ -340,7 +341,7 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute, int num_asked = (cli->max_xmit - 100)/DIR_STRUCT_SIZE; int num_received = 0; int i; - char *dirlist = NULL; + char *tdl, *dirlist = NULL; pstring mask; ZERO_ARRAY(status); @@ -385,10 +386,14 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute, first = False; - dirlist = Realloc(dirlist,(num_received + received)*DIR_STRUCT_SIZE); + tdl = Realloc(dirlist,(num_received + received)*DIR_STRUCT_SIZE); - if (!dirlist) + if (!tdl) { + DEBUG(0,("cli_list_old: failed to expand dirlist")); + if (dirlist) free(dirlist); return 0; + } + else dirlist = tdl; p = smb_buf(cli->inbuf) + 3; diff --git a/source3/libsmb/clitrans.c b/source3/libsmb/clitrans.c index ac50c7bf6d..c4e19b9375 100644 --- a/source3/libsmb/clitrans.c +++ b/source3/libsmb/clitrans.c @@ -147,6 +147,7 @@ BOOL cli_receive_trans(struct cli_state *cli,int trans, int this_data,this_param; uint8 eclass; uint32 ecode; + char *tdata; *data_len = *param_len = 0; @@ -187,8 +188,18 @@ BOOL cli_receive_trans(struct cli_state *cli,int trans, total_param = SVAL(cli->inbuf,smb_tprcnt); /* allocate it */ - *data = Realloc(*data,total_data); - *param = Realloc(*param,total_param); + tdata = Realloc(*data,total_data); + if (!tdata) { + DEBUG(0,("cli_receive_trans: failed to enlarge buffer")); + return False; + } + else *data = tdata; + tdata = Realloc(*param,total_param); + if (!tdata) { + DEBUG(0,("cli_receive_trans: failed to enlarge buffer")); + return False; + } + else *param = tdata; while (1) { this_data = SVAL(cli->inbuf,smb_drcnt); @@ -358,6 +369,7 @@ BOOL cli_receive_nt_trans(struct cli_state *cli, int this_data,this_param; uint8 eclass; uint32 ecode; + char *tdata; *data_len = *param_len = 0; @@ -389,8 +401,18 @@ BOOL cli_receive_nt_trans(struct cli_state *cli, total_param = SVAL(cli->inbuf,smb_ntr_TotalParameterCount); /* allocate it */ - *data = Realloc(*data,total_data); - *param = Realloc(*param,total_param); + tdata = Realloc(*data,total_data); + if (!tdata) { + DEBUG(0,("cli_receive_nt_trans: failed to enlarge buffer")); + return False; + } + else *data = tdata; + tdata = Realloc(*param,total_param); + if (!tdata) { + DEBUG(0,("cli_receive_nt_trans: failed to enlarge buffer")); + return False; + } + else *param = tdata; while (1) { this_data = SVAL(cli->inbuf,smb_ntr_DataCount); diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c index 1982d9982c..d22297a948 100644 --- a/source3/locking/brlock.c +++ b/source3/locking/brlock.c @@ -218,6 +218,7 @@ BOOL brl_lock(SMB_DEV_T dev, SMB_INO_T ino, int fnum, TDB_DATA kbuf, dbuf; int count, i; struct lock_struct lock, *locks; + char *tp; kbuf = locking_key(dev,ino); @@ -246,8 +247,9 @@ BOOL brl_lock(SMB_DEV_T dev, SMB_INO_T ino, int fnum, } /* no conflicts - add it to the list of locks */ - dbuf.dptr = Realloc(dbuf.dptr, dbuf.dsize + sizeof(*locks)); - if (!dbuf.dptr) goto fail; + tp = Realloc(dbuf.dptr, dbuf.dsize + sizeof(*locks)); + if (!tp) goto fail; + else dbuf.dptr = tp; memcpy(dbuf.dptr + dbuf.dsize, &lock, sizeof(lock)); dbuf.dsize += sizeof(lock); tdb_store(tdb, kbuf, dbuf, TDB_REPLACE); diff --git a/source3/locking/posix.c b/source3/locking/posix.c index 2a8a7aacd7..833914c7aa 100644 --- a/source3/locking/posix.c +++ b/source3/locking/posix.c @@ -98,16 +98,19 @@ static BOOL add_fd_to_close_entry(files_struct *fsp) { TDB_DATA kbuf = locking_key_fsp(fsp); TDB_DATA dbuf; + char *tp; dbuf.dptr = NULL; dbuf = tdb_fetch(posix_pending_close_tdb, kbuf); - dbuf.dptr = Realloc(dbuf.dptr, dbuf.dsize + sizeof(int)); - if (!dbuf.dptr) { + tp = Realloc(dbuf.dptr, dbuf.dsize + sizeof(int)); + if (!tp) { DEBUG(0,("add_fd_to_close_entry: Realloc fail !\n")); + if (dbuf.dptr) free(dbuf.dptr); return False; } + else dbuf.dptr = tp; memcpy(dbuf.dptr + dbuf.dsize, &fsp->fd, sizeof(int)); dbuf.dsize += sizeof(int); @@ -354,6 +357,7 @@ static BOOL add_posix_lock_entry(files_struct *fsp, SMB_OFF_T start, SMB_OFF_T s TDB_DATA kbuf = locking_key_fsp(fsp); TDB_DATA dbuf; struct posix_lock pl; + char *tp; dbuf.dptr = NULL; @@ -370,11 +374,12 @@ static BOOL add_posix_lock_entry(files_struct *fsp, SMB_OFF_T start, SMB_OFF_T s pl.size = size; pl.lock_type = lock_type; - dbuf.dptr = Realloc(dbuf.dptr, dbuf.dsize + sizeof(pl)); - if (!dbuf.dptr) { + tp = Realloc(dbuf.dptr, dbuf.dsize + sizeof(pl)); + if (!tp) { DEBUG(0,("add_posix_lock_entry: Realloc fail !\n")); goto fail; } + else dbuf.dptr = tp; memcpy(dbuf.dptr + dbuf.dsize, &pl, sizeof(pl)); dbuf.dsize += sizeof(pl); diff --git a/source3/msdfs/msdfs.c b/source3/msdfs/msdfs.c index 2890b05b52..1fa16d4006 100644 --- a/source3/msdfs/msdfs.c +++ b/source3/msdfs/msdfs.c @@ -398,11 +398,12 @@ static int setup_ver2_dfs_referral(char* pathname, char** ppdata, /* add the unexplained 0x16 bytes */ reply_size += 0x16; - pdata = *ppdata = Realloc(pdata,reply_size); + pdata = Realloc(pdata,reply_size); if(pdata == NULL) { DEBUG(0,("malloc failed for Realloc!\n")); return -1; } + else *ppdata = pdata; /* copy in the dfs requested paths.. required for offset calculations */ memcpy(pdata+uni_reqpathoffset1,uni_requestedpath,requestedpathlen); @@ -476,11 +477,12 @@ static int setup_ver3_dfs_referral(char* pathname, char** ppdata, reply_size += (strlen(junction->referral_list[i].alternate_path)+1)*2; } - pdata = *ppdata = Realloc(pdata,reply_size); + pdata = Realloc(pdata,reply_size); if(pdata == NULL) { DEBUG(0,("version3 referral setup: malloc failed for Realloc!\n")); return -1; } + else *ppdata = pdata; /* create the header */ SSVAL(pdata,0,reqpathlen-2); /* path consumed */ diff --git a/source3/nsswitch/wb_client.c b/source3/nsswitch/wb_client.c index 2a29773b9e..f5585557fb 100644 --- a/source3/nsswitch/wb_client.c +++ b/source3/nsswitch/wb_client.c @@ -278,7 +278,7 @@ static int wb_getgroups(char *user, gid_t **groups) int winbind_initgroups(char *user, gid_t gid) { - gid_t *groups = NULL; + gid_t *tgr, *groups = NULL; int result; char *sep; @@ -310,13 +310,14 @@ int winbind_initgroups(char *user, gid_t gid) /* Add group to list if necessary */ if (!is_member) { - groups = Realloc(groups, sizeof(gid_t) * ngroups + 1); + tgr = Realloc(groups, sizeof(gid_t) * ngroups + 1); - if (!groups) { + if (!tgr) { errno = ENOMEM; result = -1; goto done; } + else groups = tgr; groups[ngroups] = gid; ngroups++; diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c index ed4db07dda..ff357dc098 100644 --- a/source3/nsswitch/winbindd_group.c +++ b/source3/nsswitch/winbindd_group.c @@ -764,7 +764,7 @@ enum winbindd_result winbindd_list_groups(struct winbindd_cli_state *state) uint32 total_entries = 0; struct winbindd_domain *domain; struct getent_state groups; - char *extra_data = NULL; + char *ted, *extra_data = NULL; int extra_data_len = 0, i; DEBUG(3, ("[%5d]: list groups\n", state->pid)); @@ -794,12 +794,15 @@ enum winbindd_result winbindd_list_groups(struct winbindd_cli_state *state) account names to sizeof(fstring) = 128 characters. */ total_entries += groups.num_sam_entries; - extra_data = Realloc(extra_data, + ted = Realloc(extra_data, sizeof(fstring) * total_entries); - if (!extra_data) { + if (!ted) { + DEBUG(0,("winbindd_list_groups: failed to enlarge buffer!\n")); + if (extra_data) free(extra_data); return WINBINDD_ERROR; } + else extra_data = ted; /* Pack group list into extra data fields */ diff --git a/source3/nsswitch/winbindd_misc.c b/source3/nsswitch/winbindd_misc.c index 9520fc218b..21f1afa6a7 100644 --- a/source3/nsswitch/winbindd_misc.c +++ b/source3/nsswitch/winbindd_misc.c @@ -136,7 +136,7 @@ enum winbindd_result winbindd_list_trusted_domains(struct winbindd_cli_state { struct winbindd_domain *domain; int total_entries = 0, extra_data_len = 0; - char *extra_data = NULL; + char *ted, *extra_data = NULL; DEBUG(3, ("[%5d]: list trusted domains\n", state->pid)); @@ -149,10 +149,15 @@ enum winbindd_result winbindd_list_trusted_domains(struct winbindd_cli_state /* Add domain to list */ total_entries++; - extra_data = Realloc(extra_data, sizeof(fstring) * + ted = Realloc(extra_data, sizeof(fstring) * total_entries); - if (!extra_data) return WINBINDD_ERROR; + if (!ted) { + DEBUG(0,("winbindd_list_trusted_domains: failed to enlarge buffer!\n")); + if (extra_data) free(extra_data); + return WINBINDD_ERROR; + } + else extra_data = ted; memcpy(&extra_data[extra_data_len], domain->name, strlen(domain->name)); diff --git a/source3/nsswitch/winbindd_user.c b/source3/nsswitch/winbindd_user.c index 30416e76d7..804d3deebb 100644 --- a/source3/nsswitch/winbindd_user.c +++ b/source3/nsswitch/winbindd_user.c @@ -594,7 +594,7 @@ enum winbindd_result winbindd_list_users(struct winbindd_cli_state *state) SAM_DISPINFO_CTR ctr; SAM_DISPINFO_1 info1; uint32 num_entries = 0, total_entries = 0; - char *extra_data = NULL; + char *ted, *extra_data = NULL; int extra_data_len = 0; DEBUG(3, ("[%5d]: list users\n", state->pid)); @@ -635,12 +635,15 @@ enum winbindd_result winbindd_list_users(struct winbindd_cli_state *state) total_entries += num_entries; - extra_data = Realloc(extra_data, sizeof(fstring) * + ted = Realloc(extra_data, sizeof(fstring) * total_entries); - if (!extra_data) { + if (!ted) { + DEBUG(0,("winbindd_list_users: failed to enlarge buffer!\n")); + if (extra_data) free(extra_data); return WINBINDD_ERROR; } + else extra_data = ted; /* Pack user list into extra data fields */ diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index cb7f9f35c3..b004265261 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -1782,16 +1782,25 @@ static int add_a_service(service * pservice, char *name) /* if not, then create one */ if (i == iNumServices) { - ServicePtrs = - (service **) Realloc(ServicePtrs, - sizeof(service *) * - num_to_alloc); - if (ServicePtrs) + service **tsp; + + tsp = (service **) Realloc(ServicePtrs, + sizeof(service *) * + num_to_alloc); + + if (!tsp) { + DEBUG(0,("add_a_service: failed to enlarge ServicePtrs!\n")); + return (-1); + } + else { + ServicePtrs = tsp; ServicePtrs[iNumServices] = (service *) malloc(sizeof(service)); - - if (!ServicePtrs || !ServicePtrs[iNumServices]) + } + if (!ServicePtrs[iNumServices]) { + DEBUG(0,("add_a_service: out of memory!\n")); return (-1); + } iNumServices++; } diff --git a/source3/param/params.c b/source3/param/params.c index 61baf9517c..9416965919 100644 --- a/source3/param/params.c +++ b/source3/param/params.c @@ -238,13 +238,16 @@ static BOOL Section( myFILE *InFile, BOOL (*sfunc)(char *) ) /* Check that the buffer is big enough for the next character. */ if( i > (bSize - 2) ) { - bSize += BUFR_INC; - bufr = Realloc( bufr, bSize ); - if( NULL == bufr ) + char *tb; + + tb = Realloc( bufr, bSize +BUFR_INC ); + if( NULL == tb ) { DEBUG(0, ("%s Memory re-allocation failure.", func) ); return( False ); } + bufr = tb; + bSize += BUFR_INC; } /* Handle a single character. */ @@ -332,13 +335,16 @@ static BOOL Parameter( myFILE *InFile, BOOL (*pfunc)(char *, char *), int c ) if( i > (bSize - 2) ) /* Ensure there's space for next char. */ { - bSize += BUFR_INC; - bufr = Realloc( bufr, bSize ); - if( NULL == bufr ) + char *tb; + + tb = Realloc( bufr, bSize + BUFR_INC ); + if( NULL == tb ) { DEBUG(0, ("%s Memory re-allocation failure.", func) ); return( False ); } + bufr = tb; + bSize += BUFR_INC; } switch( c ) @@ -397,13 +403,16 @@ static BOOL Parameter( myFILE *InFile, BOOL (*pfunc)(char *, char *), int c ) if( i > (bSize - 2) ) /* Make sure there's enough room. */ { - bSize += BUFR_INC; - bufr = Realloc( bufr, bSize ); - if( NULL == bufr ) + char *tb; + + tb = Realloc( bufr, bSize + BUFR_INC ); + if( NULL == tb ) { DEBUG(0, ("%s Memory re-allocation failure.", func) ); return( False ); } + bufr = tb; + bSize += BUFR_INC; } switch( c ) diff --git a/source3/passdb/ldap.c b/source3/passdb/ldap.c index 9987990cc2..ee99664af4 100644 --- a/source3/passdb/ldap.c +++ b/source3/passdb/ldap.c @@ -378,7 +378,7 @@ static void ldap_get_sam_passwd(LDAP *ldap_struct, LDAPMessage *entry, ************************************************************************/ static void make_a_mod(LDAPMod ***modlist,int modop, char *attribute, char *value) { - LDAPMod **mods; + LDAPMod **mods, **tmods; int i; int j; @@ -386,12 +386,13 @@ static void make_a_mod(LDAPMod ***modlist,int modop, char *attribute, char *valu if (mods == NULL) { - mods = (LDAPMod **)malloc( sizeof(LDAPMod *) ); - if (mods == NULL) + tmods = (LDAPMod **)malloc( sizeof(LDAPMod *) ); + if (tmods == NULL) { DEBUG(0,("make_a_mod: out of memory!\n")); return; } + mods = tmods; mods[0] = NULL; } @@ -406,12 +407,13 @@ static void make_a_mod(LDAPMod ***modlist,int modop, char *attribute, char *valu if (mods[i] == NULL) { - mods = (LDAPMod **)Realloc( mods, (i+2) * sizeof( LDAPMod * ) ); - if (mods == NULL) + tmods = (LDAPMod **)Realloc( mods, (i+2) * sizeof( LDAPMod * ) ); + if (tmods == NULL) { DEBUG(0,("make_a_mod: out of memory!\n")); return; } + mods = tmods; mods[i] = (LDAPMod *)malloc( sizeof( LDAPMod ) ); if (mods[i] == NULL) { @@ -426,18 +428,21 @@ static void make_a_mod(LDAPMod ***modlist,int modop, char *attribute, char *valu if (value ! = NULL ) { + char **tmval; + j = 0; if ( mods[ i ]->mod_values ! = NULL ) { for ( ; mods[ i ]->mod_values[ j ] ! = NULL; j++ ); } - mods[ i ]->mod_values = (char **)Realloc(mods[ i ]->mod_values, + tmval = (char **)Realloc(mods[ i ]->mod_values, (j+2) * sizeof( char * )); - if ( mods[ i ]->mod_values == NULL) + if ( tmval == NULL) { DEBUG(0, "make_a_mod: Memory allocation failure!\n"); return; } + mods[ i ]->mod_values = tmval; mods[ i ]->mod_values[ j ] = strdup(value); mods[ i ]->mod_values[ j + 1 ] = NULL; } diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c index 5482d1608a..20bdcda5ec 100644 --- a/source3/printing/nt_printing.c +++ b/source3/printing/nt_printing.c @@ -316,6 +316,7 @@ get a form struct list int get_ntforms(nt_forms_struct **list) { TDB_DATA kbuf, newkey, dbuf; + nt_forms_struct *tl; nt_forms_struct form; int ret; int i; @@ -336,11 +337,12 @@ int get_ntforms(nt_forms_struct **list) safe_free(dbuf.dptr); if (ret != dbuf.dsize) continue; - *list = Realloc(*list, sizeof(nt_forms_struct)*(n+1)); - if (!*list) { + tl = Realloc(*list, sizeof(nt_forms_struct)*(n+1)); + if (!tl) { DEBUG(0,("get_ntforms: Realloc fail.\n")); return 0; } + *list = tl; (*list)[n] = form; n++; } @@ -385,6 +387,7 @@ BOOL add_a_form(nt_forms_struct **list, const FORM *form, int *count) int n=0; BOOL update; fstring form_name; + nt_forms_struct *tl; /* * NT tries to add forms even when @@ -404,8 +407,11 @@ BOOL add_a_form(nt_forms_struct **list, const FORM *form, int *count) } if (update==False) { - if((*list=Realloc(*list, (n+1)*sizeof(nt_forms_struct))) == NULL) + if((tl=Realloc(*list, (n+1)*sizeof(nt_forms_struct))) == NULL) { + DEBUG(0,("add_a_form: failed to enlarge forms list!\n")); return False; + } + *list = tl; unistr2_to_ascii((*list)[n].name, &form->name, sizeof((*list)[n].name)-1); (*count)++; } @@ -496,6 +502,7 @@ int get_ntdrivers(fstring **list, char *architecture, uint32 version) { int total=0; fstring short_archi; + fstring *fl; pstring key; TDB_DATA kbuf, newkey; @@ -507,8 +514,11 @@ int get_ntdrivers(fstring **list, char *architecture, uint32 version) newkey = tdb_nextkey(tdb_drivers, kbuf), safe_free(kbuf.dptr), kbuf=newkey) { if (strncmp(kbuf.dptr, key, strlen(key)) != 0) continue; - if((*list = Realloc(*list, sizeof(fstring)*(total+1))) == NULL) + if((fl = Realloc(*list, sizeof(fstring)*(total+1))) == NULL) { + DEBUG(0,("get_ntdrivers: failed to enlarge list!\n")); return -1; + } + else *list = fl; fstrcpy((*list)[total], kbuf.dptr+strlen(key)); total++; @@ -1520,7 +1530,15 @@ static uint32 add_a_printer_driver_3(NT_PRINTER_DRIVER_INFO_LEVEL_3 *driver) } if (len != buflen) { - buf = (char *)Realloc(buf, len); + char *tb; + + tb = (char *)Realloc(buf, len); + if (!tb) { + DEBUG(0,("add_a_printer_driver_3: failed to enlarge buffer\n!")); + ret = -1; + goto done; + } + else buf = tb; buflen = len; goto again; } @@ -1533,6 +1551,7 @@ static uint32 add_a_printer_driver_3(NT_PRINTER_DRIVER_INFO_LEVEL_3 *driver) ret = tdb_store(tdb_drivers, kbuf, dbuf, TDB_REPLACE); +done: if (ret) DEBUG(0,("add_a_printer_driver_3: Adding driver with key %s failed.\n", key )); @@ -1630,10 +1649,15 @@ static uint32 get_a_printer_driver_3(NT_PRINTER_DRIVER_INFO_LEVEL_3 **info_ptr, i=0; while (len < dbuf.dsize) { - driver.dependentfiles = (fstring *)Realloc(driver.dependentfiles, + fstring *tddfs; + + tddfs = (fstring *)Realloc(driver.dependentfiles, sizeof(fstring)*(i+2)); - if (driver.dependentfiles == NULL) + if (tddfs == NULL) { + DEBUG(0,("get_a_printer_driver_3: failed to enlarge buffer!\n")); break; + } + else driver.dependentfiles = tddfs; len += tdb_unpack(dbuf.dptr+len, dbuf.dsize-len, "f", &driver.dependentfiles[i]); @@ -1936,7 +1960,15 @@ static uint32 update_a_printer_2(NT_PRINTER_INFO_LEVEL_2 *info) len += pack_specifics(info->specific, buf+len, buflen-len); if (buflen != len) { - buf = (char *)Realloc(buf, len); + char *tb; + + tb = (char *)Realloc(buf, len); + if (!tb) { + DEBUG(0,("update_a_printer_2: failed to enlarge buffer!\n")); + ret = -1; + goto done; + } + else buf = tb; buflen = len; goto again; } @@ -1951,6 +1983,7 @@ static uint32 update_a_printer_2(NT_PRINTER_INFO_LEVEL_2 *info) ret = tdb_store(tdb_printers, kbuf, dbuf, TDB_REPLACE); +done: if (ret == -1) DEBUG(8, ("error updating printer to tdb on disk\n")); @@ -2793,7 +2826,15 @@ static uint32 update_driver_init_2(NT_PRINTER_INFO_LEVEL_2 *info) len += pack_specifics(info->specific, buf+len, buflen-len); if (buflen != len) { - buf = (char *)Realloc(buf, len); + char *tb; + + tb = (char *)Realloc(buf, len); + if (!tb) { + DEBUG(0, ("update_driver_init_2: failed to enlarge buffer!\n")); + ret = -1; + goto done; + } + else buf = tb; buflen = len; goto again; } @@ -2807,6 +2848,7 @@ static uint32 update_driver_init_2(NT_PRINTER_INFO_LEVEL_2 *info) ret = tdb_store(tdb_drivers, kbuf, dbuf, TDB_REPLACE); +done: if (ret == -1) DEBUG(8, ("update_driver_init_2: error updating printer init to tdb on disk\n")); diff --git a/source3/rpc_parse/parse_creds.c b/source3/rpc_parse/parse_creds.c index 7bdbe65880..ae8ba23a56 100644 --- a/source3/rpc_parse/parse_creds.c +++ b/source3/rpc_parse/parse_creds.c @@ -90,8 +90,7 @@ BOOL make_creds_unix_sec(CREDS_UNIX_SEC *r_u, r_u->uid = uid; r_u->gid = gid; r_u->num_grps = num_grps; - r_u->grps = (uint32*)Realloc(NULL, sizeof(r_u->grps[0]) * - r_u->num_grps); + r_u->grps = (uint32*)malloc(sizeof(r_u->grps[0]) * r_u->num_grps); if (r_u->grps == NULL && num_grps != 0) { return False; @@ -123,14 +122,17 @@ BOOL creds_io_unix_sec(char *desc, CREDS_UNIX_SEC *r_u, prs_struct *ps, int dept prs_uint32("num_grps", ps, depth, (uint32 *)&(r_u->num_grps)); if (r_u->num_grps != 0) { - r_u->grps = (uint32*)Realloc(r_u->grps, + uint32 *tgr; + + tgr = (uint32*)Realloc(r_u->grps, sizeof(r_u->grps[0]) * r_u->num_grps); - if (r_u->grps == NULL) + if (tgr == NULL) { creds_free_unix_sec(r_u); return False; } + else r_u->grps = tgr; } for (i = 0; i < r_u->num_grps; i++) { @@ -165,8 +167,7 @@ BOOL make_creds_nt_sec(CREDS_NT_SEC *r_u, sid_copy(&r_u->sid, sid); r_u->num_grps = num_grps; - r_u->grp_rids = (uint32*)Realloc(NULL, sizeof(r_u->grp_rids[0]) * - r_u->num_grps); + r_u->grp_rids = (uint32*)malloc(sizeof(r_u->grp_rids[0]) * r_u->num_grps); if (r_u->grp_rids == NULL && num_grps != 0) { @@ -199,14 +200,17 @@ BOOL creds_io_nt_sec(char *desc, CREDS_NT_SEC *r_u, prs_struct *ps, int depth) prs_uint32("num_grps", ps, depth, &(r_u->num_grps)); if (r_u->num_grps != 0) { - r_u->grp_rids = (uint32*)Realloc(r_u->grp_rids, + uint32 *tgrid; + + tgrid = (uint32*)Realloc(r_u->grp_rids, sizeof(r_u->grp_rids[0]) * r_u->num_grps); - if (r_u->grp_rids == NULL) + if (tgrid == NULL) { creds_free_nt_sec(r_u); return False; } + else r_u->grp_rids = tgrid; } for (i = 0; i < r_u->num_grps; i++) { diff --git a/source3/rpc_parse/parse_spoolss.c b/source3/rpc_parse/parse_spoolss.c index b568995752..dd2c4a541a 100644 --- a/source3/rpc_parse/parse_spoolss.c +++ b/source3/rpc_parse/parse_spoolss.c @@ -1861,12 +1861,17 @@ static BOOL smb_io_relarraystr(char *desc, NEW_BUFFER *buffer, int depth, uint16 an extra NULL for termination */ if (l_chaine > 0) { + uint16 *tc2; + realloc_size = (l_chaine2+l_chaine+2)*sizeof(uint16); /* Yes this should be realloc - it's freed below. JRA */ - if((chaine2=(uint16 *)Realloc(chaine2, realloc_size)) == NULL) + if((tc2=(uint16 *)Realloc(chaine2, realloc_size)) == NULL) { + if (chaine2) free(chaine2); return False; + } + else chaine2 = tc2; memcpy(chaine2+l_chaine2, chaine.buffer, (l_chaine+1)*sizeof(uint16)); l_chaine2+=l_chaine+1; } @@ -4703,7 +4708,7 @@ BOOL spool_io_printer_driver_info_level_6(char *desc, SPOOL_PRINTER_DRIVER_INFO_ ********************************************************************/ static BOOL uniarray_2_dosarray(BUFFER5 *buf5, fstring **ar) { - fstring f; + fstring f, *tar; int n = 0; char *src; @@ -4715,7 +4720,9 @@ static BOOL uniarray_2_dosarray(BUFFER5 *buf5, fstring **ar) while (src < ((char *)buf5->buffer) + buf5->buf_len*2) { rpcstr_pull(f, src, sizeof(f)-1, -1, 0); src = skip_unibuf(src, 2*buf5->buf_len - PTR_DIFF(src,buf5->buffer)); - *ar = (fstring *)Realloc(*ar, sizeof(fstring)*(n+2)); + tar = (fstring *)Realloc(*ar, sizeof(fstring)*(n+2)); + if (!tar) return False; + else *ar = tar; fstrcpy((*ar)[n], f); n++; } @@ -4993,9 +5000,11 @@ BOOL uni_2_asc_printer_driver_3(SPOOL_PRINTER_DRIVER_INFO_LEVEL_3 *uni, DEBUGADD(8,( "monitorname: %s\n", d->monitorname)); DEBUGADD(8,( "defaultdatatype: %s\n", d->defaultdatatype)); - uniarray_2_dosarray(&uni->dependentfiles, &d->dependentfiles ); - - return True; + if (uniarray_2_dosarray(&uni->dependentfiles, &d->dependentfiles )) + return True; + + free(*asc); + return False; } /******************************************************************* @@ -5038,10 +5047,16 @@ BOOL uni_2_asc_printer_driver_6(SPOOL_PRINTER_DRIVER_INFO_LEVEL_6 *uni, DEBUGADD(8,( "monitorname: %s\n", d->monitorname)); DEBUGADD(8,( "defaultdatatype: %s\n", d->defaultdatatype)); - uniarray_2_dosarray(&uni->dependentfiles, &d->dependentfiles ); - uniarray_2_dosarray(&uni->previousnames, &d->previousnames ); - + if (!uniarray_2_dosarray(&uni->dependentfiles, &d->dependentfiles )) + goto error; + if (!uniarray_2_dosarray(&uni->previousnames, &d->previousnames )) + goto error; + return True; + +error: + free(*asc); + return False; } BOOL uni_2_asc_printer_info_2(const SPOOL_PRINTER_INFO_LEVEL_2 *uni, diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c index f002ceabd2..023c9a1203 100644 --- a/source3/rpc_server/srv_spoolss_nt.c +++ b/source3/rpc_server/srv_spoolss_nt.c @@ -915,20 +915,24 @@ static BOOL convert_printer_info(const SPOOL_PRINTER_INFO_LEVEL *uni, static BOOL convert_printer_driver_info(const SPOOL_PRINTER_DRIVER_INFO_LEVEL *uni, NT_PRINTER_DRIVER_INFO_LEVEL *printer, uint32 level) { + BOOL result = True; + switch (level) { case 3: printer->info_3=NULL; - uni_2_asc_printer_driver_3(uni->info_3, &printer->info_3); + if (!uni_2_asc_printer_driver_3(uni->info_3, &printer->info_3)) + result = False; break; case 6: printer->info_6=NULL; - uni_2_asc_printer_driver_6(uni->info_6, &printer->info_6); + if (!uni_2_asc_printer_driver_6(uni->info_6, &printer->info_6)) + result = False; break; default: break; } - return True; + return result; } BOOL convert_devicemode(char *printername, const DEVICEMODE *devmode, @@ -2200,7 +2204,7 @@ static BOOL construct_notify_printer_info(SPOOL_NOTIFY_INFO *info, int uint16 type; uint16 field; - SPOOL_NOTIFY_INFO_DATA *current_data; + SPOOL_NOTIFY_INFO_DATA *current_data, *tid; NT_PRINTER_INFO_LEVEL *printer = NULL; print_queue_struct *queue=NULL; @@ -2220,9 +2224,12 @@ static BOOL construct_notify_printer_info(SPOOL_NOTIFY_INFO *info, int if (!search_notify(type, field, &j) ) continue; - if((info->data=(SPOOL_NOTIFY_INFO_DATA *)Realloc(info->data, (info->count+1)*sizeof(SPOOL_NOTIFY_INFO_DATA))) == NULL) { + if((tid=(SPOOL_NOTIFY_INFO_DATA *)Realloc(info->data, (info->count+1)*sizeof(SPOOL_NOTIFY_INFO_DATA))) == NULL) { + DEBUG(0,("construct_notify_printer_info: failed to enlarge buffer info->data!\n")); return False; } + else info->data = tid; + current_data=&info->data[info->count]; construct_info_data(current_data, type, field, id); @@ -2256,7 +2263,7 @@ static BOOL construct_notify_jobs_info(print_queue_struct *queue, uint16 type; uint16 field; - SPOOL_NOTIFY_INFO_DATA *current_data; + SPOOL_NOTIFY_INFO_DATA *current_data, *tid; DEBUG(4,("construct_notify_jobs_info\n")); @@ -2272,9 +2279,11 @@ static BOOL construct_notify_jobs_info(print_queue_struct *queue, if (!search_notify(type, field, &j) ) continue; - if((info->data=Realloc(info->data, (info->count+1)*sizeof(SPOOL_NOTIFY_INFO_DATA))) == NULL) { + if((tid=Realloc(info->data, (info->count+1)*sizeof(SPOOL_NOTIFY_INFO_DATA))) == NULL) { + DEBUG(0,("construct_notify_jobs_info: failed to enlarg buffer info->data!\n")); return False; } + else info->data = tid; current_data=&(info->data[info->count]); @@ -2877,7 +2886,7 @@ static BOOL enum_all_printers_info_1(uint32 flags, NEW_BUFFER *buffer, uint32 of int snum; int i; int n_services=lp_numservices(); - PRINTER_INFO_1 *printers=NULL; + PRINTER_INFO_1 *tp, *printers=NULL; PRINTER_INFO_1 current_prt; DEBUG(4,("enum_all_printers_info_1\n")); @@ -2887,10 +2896,13 @@ static BOOL enum_all_printers_info_1(uint32 flags, NEW_BUFFER *buffer, uint32 of DEBUG(4,("Found a printer in smb.conf: %s[%x]\n", lp_servicename(snum), snum)); if (construct_printer_info_1(flags, ¤t_prt, snum)) { - if((printers=Realloc(printers, (*returned +1)*sizeof(PRINTER_INFO_1))) == NULL) { + if((tp=Realloc(printers, (*returned +1)*sizeof(PRINTER_INFO_1))) == NULL) { + DEBUG(0,("enum_all_printers_info_1: failed to enlarge printers buffer!\n")); + safe_free(printers); *returned=0; return ERRnomem; } + else printers = tp; DEBUG(4,("ReAlloced memory for [%d] PRINTER_INFO_1\n", *returned)); memcpy(&printers[*returned], ¤t_prt, sizeof(PRINTER_INFO_1)); (*returned)++; @@ -3024,7 +3036,7 @@ static BOOL enum_all_printers_info_2(NEW_BUFFER *buffer, uint32 offered, uint32 int snum; int i; int n_services=lp_numservices(); - PRINTER_INFO_2 *printers=NULL; + PRINTER_INFO_2 *tp, *printers=NULL; PRINTER_INFO_2 current_prt; for (snum=0; snum<n_services; snum++) { @@ -3032,8 +3044,13 @@ static BOOL enum_all_printers_info_2(NEW_BUFFER *buffer, uint32 offered, uint32 DEBUG(4,("Found a printer in smb.conf: %s[%x]\n", lp_servicename(snum), snum)); if (construct_printer_info_2(¤t_prt, snum)) { - if((printers=Realloc(printers, (*returned +1)*sizeof(PRINTER_INFO_2))) == NULL) + if((tp=Realloc(printers, (*returned +1)*sizeof(PRINTER_INFO_2))) == NULL) { + DEBUG(0,("enum_all_printers_info_2: failed to enlarge printers buffer!\n")); + safe_free(printers); + *returned = 0; return ERRnomem; + } + else printers = tp; DEBUG(4,("ReAlloced memory for [%d] PRINTER_INFO_2\n", *returned)); memcpy(&printers[*returned], ¤t_prt, sizeof(PRINTER_INFO_2)); (*returned)++; @@ -3460,6 +3477,7 @@ static void init_unistr_array(uint16 **uni_array, fstring *char_array, char *ser int j=0; char *v; pstring line; + uint16 *tuary; DEBUG(6,("init_unistr_array\n")); *uni_array=NULL; @@ -3474,10 +3492,11 @@ static void init_unistr_array(uint16 **uni_array, fstring *char_array, char *ser if (strlen(v) == 0) break; slprintf(line, sizeof(line)-1, "\\\\%s%s", servername, v); DEBUGADD(6,("%d:%s:%d\n", i, line, strlen(line))); - if((*uni_array=Realloc(*uni_array, (j+strlen(line)+2)*sizeof(uint16))) == NULL) { + if((tuary=Realloc(*uni_array, (j+strlen(line)+2)*sizeof(uint16))) == NULL) { DEBUG(0,("init_unistr_array: Realloc error\n" )); return; } + else *uni_array = tuary; j += (rpcstr_push((*uni_array+j), line, sizeof(uint16)*strlen(line)+2, 0)/ sizeof(uint16)); i++; } @@ -4984,7 +5003,7 @@ static uint32 enumprinterdrivers_level1(fstring servername, fstring architecture fstring *list = NULL; NT_PRINTER_DRIVER_INFO_LEVEL driver; - DRIVER_INFO_1 *driver_info_1=NULL; + DRIVER_INFO_1 *tdi1, *driver_info_1=NULL; *returned=0; @@ -4999,10 +5018,13 @@ static uint32 enumprinterdrivers_level1(fstring servername, fstring architecture return ERRnomem; if(ndrivers != 0) { - if((driver_info_1=(DRIVER_INFO_1 *)Realloc(driver_info_1, (*returned+ndrivers) * sizeof(DRIVER_INFO_1))) == NULL) { + if((tdi1=(DRIVER_INFO_1 *)Realloc(driver_info_1, (*returned+ndrivers) * sizeof(DRIVER_INFO_1))) == NULL) { + DEBUG(0,("enumprinterdrivers_level1: failed to enlarge driver info buffer!\n")); + safe_free(driver_info_1); safe_free(list); return ERRnomem; } + else driver_info_1 = tdi1; } for (i=0; i<ndrivers; i++) { @@ -5059,7 +5081,7 @@ static uint32 enumprinterdrivers_level2(fstring servername, fstring architecture fstring *list = NULL; NT_PRINTER_DRIVER_INFO_LEVEL driver; - DRIVER_INFO_2 *driver_info_2=NULL; + DRIVER_INFO_2 *tdi2, *driver_info_2=NULL; *returned=0; @@ -5074,10 +5096,13 @@ static uint32 enumprinterdrivers_level2(fstring servername, fstring architecture return ERRnomem; if(ndrivers != 0) { - if((driver_info_2=(DRIVER_INFO_2 *)Realloc(driver_info_2, (*returned+ndrivers) * sizeof(DRIVER_INFO_2))) == NULL) { + if((tdi2=(DRIVER_INFO_2 *)Realloc(driver_info_2, (*returned+ndrivers) * sizeof(DRIVER_INFO_2))) == NULL) { + DEBUG(0,("enumprinterdrivers_level2: failed to enlarge driver info buffer!\n")); + safe_free(driver_info_2); safe_free(list); return ERRnomem; } + else driver_info_2 = tdi2; } for (i=0; i<ndrivers; i++) { @@ -5135,7 +5160,7 @@ static uint32 enumprinterdrivers_level3(fstring servername, fstring architecture fstring *list = NULL; NT_PRINTER_DRIVER_INFO_LEVEL driver; - DRIVER_INFO_3 *driver_info_3=NULL; + DRIVER_INFO_3 *tdi3, *driver_info_3=NULL; *returned=0; @@ -5150,10 +5175,13 @@ static uint32 enumprinterdrivers_level3(fstring servername, fstring architecture return ERRnomem; if(ndrivers != 0) { - if((driver_info_3=(DRIVER_INFO_3 *)Realloc(driver_info_3, (*returned+ndrivers) * sizeof(DRIVER_INFO_3))) == NULL) { + if((tdi3=(DRIVER_INFO_3 *)Realloc(driver_info_3, (*returned+ndrivers) * sizeof(DRIVER_INFO_3))) == NULL) { + DEBUG(0,("enumprinterdrivers_level3: failed to enlarge driver info buffer!\n")); + safe_free(driver_info_3); safe_free(list); return ERRnomem; } + else driver_info_3 = tdi3; } for (i=0; i<ndrivers; i++) { @@ -5811,7 +5839,10 @@ uint32 _spoolss_addprinterdriver(pipes_struct *p, SPOOL_Q_ADDPRINTERDRIVER *q_u, get_current_user(&user, p); - convert_printer_driver_info(info, &driver, level); + if (!convert_printer_driver_info(info, &driver, level)) { + err = ERRnomem; + goto done; + } DEBUG(5,("Cleaning driver's information\n")); if ((err = clean_up_driver_struct(driver, level, &user)) != ERRsuccess ) diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c index ad7e8aac86..6408bbff9e 100644 --- a/source3/smbd/lanman.c +++ b/source3/smbd/lanman.c @@ -1123,10 +1123,16 @@ static int get_server_info(uint32 servertype, if (!*ptr) continue; if (count == alloced) { + struct srv_info_struct *ts; + alloced += 10; - (*servers) = (struct srv_info_struct *) + ts = (struct srv_info_struct *) Realloc(*servers,sizeof(**servers)*alloced); - if (!(*servers)) return(0); + if (!ts) { + DEBUG(0,("get_server_info: failed to enlarge servers info struct!\n")); + return(0); + } + else *servers = ts; memset((char *)((*servers)+count),'\0',sizeof(**servers)*(alloced-count)); } s = &(*servers)[count]; diff --git a/source3/smbwrapper/smbw_dir.c b/source3/smbwrapper/smbw_dir.c index 4f6c18eb7f..d9dae454bb 100644 --- a/source3/smbwrapper/smbw_dir.c +++ b/source3/smbwrapper/smbw_dir.c @@ -80,16 +80,19 @@ add a entry to a directory listing static void smbw_dir_add(struct file_info *finfo, const char *mask, void *state) { + struct file_info *cdl; + DEBUG(5,("%s\n", finfo->name)); if (cur_dir->malloced == cur_dir->count) { - cur_dir->list = (struct file_info *)Realloc(cur_dir->list, + cdl = (struct file_info *)Realloc(cur_dir->list, sizeof(cur_dir->list[0])* (cur_dir->count+100)); if (!cur_dir->list) { /* oops */ return; } + cur_dir->list = cdl; cur_dir->malloced += 100; } |