author | Andrew Tridgell <tridge@samba.org> | 2008-04-17 15:20:39 +0200 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2008-04-17 15:20:39 +0200 |
commit | 11703b298685c9984a6a3c3a64eddb8a1a516b90 (patch) | |
tree | e747019d16a998f1a61f28762b2aaaab673a0d08 /source4 | |
parent | 107ab090e23dfc517bc74bb553315cd3528e1f7d (diff) | |
fix the overflow/wrap checks in Samba4 for new gcc optimisation behavior
The approach I have used is as set out in
https://www.securecoding.cert.org/confluence/display/seccode/ARR38-C.+Do+not+add+or+subtract+an+integer+to+a+pointer+if+the+resulting+value+does+not+refer+to+an+element+within+the+array
(This used to be commit 92d5fb531db39be655f0cbd2d75b5f675a0a4cfa)
Diffstat (limited to 'source4')
-rw-r--r-- | source4/libcli/raw/rawrequest.c | 6 | ||||
-rw-r--r-- | source4/libcli/raw/rawtrans.c | 6 | ||||
-rw-r--r-- | source4/libcli/smb2/request.c | 8 | ||||
-rw-r--r-- | source4/smb_server/smb/request.c | 6 |
4 files changed, 13 insertions, 13 deletions
diff --git a/source4/libcli/raw/rawrequest.c b/source4/libcli/raw/rawrequest.c
index a42c710547..ef856c6ea1 100644
--- a/source4/libcli/raw/rawrequest.c
+++ b/source4/libcli/raw/rawrequest.c
@@ -700,10 +700,10 @@ DATA_BLOB smbcli_req_pull_blob(struct request_bufinfo *bufinfo, TALLOC_CTX *mem_
 static bool smbcli_req_data_oob(struct request_bufinfo *bufinfo, const uint8_t *ptr, uint32_t count)
 {
 /* be careful with wraparound! */
- if (ptr < bufinfo->data ||
- ptr >= bufinfo->data + bufinfo->data_size ||
+ if ((uintptr_t)ptr < (uintptr_t)bufinfo->data ||
+ (uintptr_t)ptr >= (uintptr_t)bufinfo->data + bufinfo->data_size ||
 count > bufinfo->data_size ||
- ptr + count > bufinfo->data + bufinfo->data_size) {
+ (uintptr_t)ptr + count > (uintptr_t)bufinfo->data + bufinfo->data_size) {
 return true;
 }
 return false;
diff --git a/source4/libcli/raw/rawtrans.c b/source4/libcli/raw/rawtrans.c
index 29881afd2b..0f15b2151b 100644
--- a/source4/libcli/raw/rawtrans.c
+++ b/source4/libcli/raw/rawtrans.c
@@ -40,10 +40,10 @@ static bool raw_trans_oob(struct smbcli_request *req,
 ptr = req->in.hdr + offset;
 /* be careful with wraparound! */
- if (ptr < req->in.data ||
- ptr >= req->in.data + req->in.data_size ||
+ if ((uintptr_t)ptr < (uintptr_t)req->in.data ||
+ (uintptr_t)ptr >= (uintptr_t)req->in.data + req->in.data_size ||
 count > req->in.data_size ||
- ptr + count > req->in.data + req->in.data_size) {
+ (uintptr_t)ptr + count > (uintptr_t)req->in.data + req->in.data_size) {
 return true;
 }
 return false;
diff --git a/source4/libcli/smb2/request.c b/source4/libcli/smb2/request.c
index 2471fcaa4d..f52b0ceef2 100644
--- a/source4/libcli/smb2/request.c
+++ b/source4/libcli/smb2/request.c
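Review bot: The last clause of the test in smbcli_req_data_oob still forms a sum, `(uintptr_t)ptr + count`, which after the cast wraps silently instead of being undefined. The check is therefore only sound while the buffer does not end within data_size bytes of the top of the address space. Comparing against the remaining space removes the addition: `count > bufinfo->data_size - ((uintptr_t)ptr - (uintptr_t)bufinfo->data)`, which cannot underflow because the first two clauses have already placed ptr inside the buffer. The same final clause appears in the hunks for raw_trans_oob, smb2_oob and req_data_oob. A one-line comment such as `/* compare as uintptr_t: the compiler may assume pointer arithmetic never wraps */` next to the existing wraparound remark would keep a later cleanup from stripping the casts.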
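Review bot: In raw_trans_oob the context line `ptr = req->in.hdr + offset;` still does the pointer addition before any cast. The arithmetic the cited CERT rule warns about therefore happens ahead of the bounds test, and the compiler may still reason that ptr lies inside the object hdr points into. Doing the sum in integer space, for example `uintptr_t p = (uintptr_t)req->in.hdr + offset;`, and testing p against the data bounds would avoid forming an out-of-range pointer at all. The function's parameter list and the origin of offset are outside the hunk, so treating offset as peer-controlled is an assumption to confirm against the callers.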
@@ -211,10 +211,10 @@ bool smb2_oob(struct smb2_request_buffer *buf, const uint8_t *ptr, size_t size)
 return false;
 }
 /* be careful with wraparound! */
- if (ptr < buf->body ||
- ptr >= buf->body + buf->body_size ||
+ if ((uintptr_t)ptr < (uintptr_t)buf->body ||
+ (uintptr_t)ptr >= (uintptr_t)buf->body + buf->body_size ||
 size > buf->body_size ||
- ptr + size > buf->body + buf->body_size) {
+ (uintptr_t)ptr + size > (uintptr_t)buf->body + buf->body_size) {
 return true;
 }
 return false;
@@ -669,7 +669,7 @@ NTSTATUS smb2_push_o16s16_string(struct smb2_request_buffer *buf,
 }
 if (*str == 0) {
- blob.data = str;
+ blob.data = discard_const(str);
 blob.length = 0;
 return smb2_push_o16s16_blob(buf, ofs, blob);
 }
diff --git a/source4/smb_server/smb/request.c b/source4/smb_server/smb/request.c
index 87073517dd..c7fa2d7d8a 100644
--- a/source4/smb_server/smb/request.c
+++ b/source4/smb_server/smb/request.c
@@ -651,10 +651,10 @@ bool req_data_oob(struct request_bufinfo *bufinfo, const uint8_t *ptr, uint32_t
 }
 /* be careful with wraparound! */
- if (ptr < bufinfo->data ||
- ptr >= bufinfo->data + bufinfo->data_size ||
+ if ((uintptr_t)ptr < (uintptr_t)bufinfo->data ||
+ (uintptr_t)ptr >= (uintptr_t)bufinfo->data + bufinfo->data_size ||
 count > bufinfo->data_size ||
- ptr + count > bufinfo->data + bufinfo->data_size) {
+ (uintptr_t)ptr + count > (uintptr_t)bufinfo->data + bufinfo->data_size) {
 return true;
 }
 return false; |