From 959516d61bc6ee7cdd12409dde0ec00044208f1b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 29 Mar 2012 17:13:07 -0700 Subject: More strlcat/strlcpy truncate checks. --- source3/auth/auth_script.c | 55 ++++++++++++++++++++++++++++++++------- source3/libads/ads_struct.c | 11 ++++++-- source3/modules/vfs_afsacl.c | 12 ++++++--- source3/modules/vfs_recycle.c | 12 ++++++--- source3/modules/vfs_scannedonly.c | 5 ++-- source3/torture/torture.c | 10 +++++-- source3/utils/net_rpc.c | 12 ++++++--- source3/web/swat.c | 3 ++- 8 files changed, 94 insertions(+), 26 deletions(-) diff --git a/source3/auth/auth_script.c b/source3/auth/auth_script.c index 4432ff4aec..dc8794bf16 100644 --- a/source3/auth/auth_script.c +++ b/source3/auth/auth_script.c @@ -74,32 +74,62 @@ static NTSTATUS script_check_user_credentials(const struct auth_context *auth_co return NT_STATUS_NO_MEMORY; } - strlcpy( secret_str, user_info->mapped.domain_name, secret_str_len); - strlcat( secret_str, "\n", secret_str_len); - strlcat( secret_str, user_info->client.account_name, secret_str_len); - strlcat( secret_str, "\n", secret_str_len); + if (strlcpy( secret_str, user_info->mapped.domain_name, secret_str_len) >= secret_str_len) { + /* Truncate. */ + goto cat_out; + } + if (strlcat( secret_str, "\n", secret_str_len) >= secret_str_len) { + /* Truncate. */ + goto cat_out; + } + if (strlcat( secret_str, user_info->client.account_name, secret_str_len) >= secret_str_len) { + /* Truncate. */ + goto cat_out; + } + if (strlcat( secret_str, "\n", secret_str_len) >= secret_str_len) { + /* Truncate. */ + goto cat_out; + } for (i = 0; i < 8; i++) { slprintf(&hex_str[i*2], 3, "%02X", auth_context->challenge.data[i]); } - strlcat( secret_str, hex_str, secret_str_len); - strlcat( secret_str, "\n", secret_str_len); + if (strlcat( secret_str, hex_str, secret_str_len) >= secret_str_len) { + /* Truncate. */ + goto cat_out; + } + if (strlcat( secret_str, "\n", secret_str_len) >= secret_str_len) { + /* Truncate. */ + goto cat_out; + } if (user_info->password.response.lanman.data) { for (i = 0; i < 24; i++) { slprintf(&hex_str[i*2], 3, "%02X", user_info->password.response.lanman.data[i]); } - strlcat( secret_str, hex_str, secret_str_len); + if (strlcat( secret_str, hex_str, secret_str_len) >= secret_str_len) { + /* Truncate. */ + goto cat_out; + } + } + if (strlcat( secret_str, "\n", secret_str_len) >= secret_str_len) { + /* Truncate. */ + goto cat_out; } - strlcat( secret_str, "\n", secret_str_len); if (user_info->password.response.nt.data) { for (i = 0; i < 24; i++) { slprintf(&hex_str[i*2], 3, "%02X", user_info->password.response.nt.data[i]); } - strlcat( secret_str, hex_str, secret_str_len); + if (strlcat( secret_str, hex_str, secret_str_len) >= secret_str_len) { + /* Truncate. */ + goto cat_out; + } + } + if (strlcat( secret_str, "\n", secret_str_len) >= secret_str_len) { + /* Truncate. */ + goto cat_out; } - strlcat( secret_str, "\n", secret_str_len); DEBUG(10,("script_check_user_credentials: running %s with parameters:\n%s\n", script, secret_str )); @@ -117,6 +147,11 @@ static NTSTATUS script_check_user_credentials(const struct auth_context *auth_co /* Cause the auth system to keep going.... */ return NT_STATUS_NOT_IMPLEMENTED; + + cat_out: + + SAFE_FREE(secret_str); + return NT_STATUS_NO_MEMORY; } /* module initialisation */ diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c index b6c8e995ed..e6220fd320 100644 --- a/source3/libads/ads_struct.c +++ b/source3/libads/ads_struct.c @@ -52,10 +52,17 @@ char *ads_build_path(const char *realm, const char *sep, const char *field, int return NULL; } - strlcpy(ret,field, len); + if (strlcpy(ret,field, len) >= len) { + /* Truncate ! */ + free(r); + return NULL; + } p=strtok_r(r, sep, &saveptr); if (p) { - strlcat(ret, p, len); + if (strlcat(ret, p, len) >= len) { + free(r); + return NULL; + } while ((p=strtok_r(NULL, sep, &saveptr)) != NULL) { int retval; diff --git a/source3/modules/vfs_afsacl.c b/source3/modules/vfs_afsacl.c index e965e4c8b1..61a31458cf 100644 --- a/source3/modules/vfs_afsacl.c +++ b/source3/modules/vfs_afsacl.c @@ -316,16 +316,22 @@ static bool unparse_afs_acl(struct afs_acl *acl, char *acl_str) } fstr_sprintf(line, "%d\n", positives); - strlcat(acl_str, line, MAXSIZE); + if (strlcat(acl_str, line, MAXSIZE) >= MAXSIZE) { + return false; + } fstr_sprintf(line, "%d\n", negatives); - strlcat(acl_str, line, MAXSIZE); + if (strlcat(acl_str, line, MAXSIZE) >= MAXSIZE) { + return false; + } ace = acl->acelist; while (ace != NULL) { fstr_sprintf(line, "%s\t%d\n", ace->name, ace->rights); - strlcat(acl_str, line, MAXSIZE); + if (strlcat(acl_str, line, MAXSIZE) >= MAXSIZE) { + return false; + } ace = ace->next; } return true; diff --git a/source3/modules/vfs_recycle.c b/source3/modules/vfs_recycle.c index c735dccd31..80332523ed 100644 --- a/source3/modules/vfs_recycle.c +++ b/source3/modules/vfs_recycle.c @@ -280,13 +280,17 @@ static bool recycle_create_dir(vfs_handle_struct *handle, const char *dname) *new_dir = '\0'; if (dname[0] == '/') { /* Absolute path. */ - strlcat(new_dir,"/",len+1); + if (strlcat(new_dir,"/",len+1) >= len+1) { + goto done; + } } /* Create directory tree if neccessary */ for(token = strtok_r(tok_str, "/", &saveptr); token; token = strtok_r(NULL, "/", &saveptr)) { - strlcat(new_dir, token, len+1); + if (strlcat(new_dir, token, len+1) >= len+1) { + goto done; + } if (recycle_directory_exist(handle, new_dir)) DEBUG(10, ("recycle: dir %s already exists\n", new_dir)); else { @@ -297,7 +301,9 @@ static bool recycle_create_dir(vfs_handle_struct *handle, const char *dname) goto done; } } - strlcat(new_dir, "/", len+1); + if (strlcat(new_dir, "/", len+1) >= len+1) { + goto done; + } mode = recycle_subdir_mode(handle); } diff --git a/source3/modules/vfs_scannedonly.c b/source3/modules/vfs_scannedonly.c index 1b35388b85..fcd2ed0a1c 100644 --- a/source3/modules/vfs_scannedonly.c +++ b/source3/modules/vfs_scannedonly.c @@ -327,8 +327,9 @@ static void notify_scanner(vfs_handle_struct * handle, const char *scanfile) if (gsendlen + tmplen >= SENDBUFFERSIZE) { flush_sendbuffer(handle); } - strlcat(so->gsendbuffer, tmp, SENDBUFFERSIZE + 1); - strlcat(so->gsendbuffer, "\n", SENDBUFFERSIZE + 1); + /* FIXME ! Truncate checks... JRA. */ + (void)strlcat(so->gsendbuffer, tmp, SENDBUFFERSIZE + 1); + (void)strlcat(so->gsendbuffer, "\n", SENDBUFFERSIZE + 1); } static bool is_scannedonly_file(struct Tscannedonly *so, const char *shortname) diff --git a/source3/torture/torture.c b/source3/torture/torture.c index e2a2744dae..b0c74e2f37 100644 --- a/source3/torture/torture.c +++ b/source3/torture/torture.c @@ -7338,8 +7338,14 @@ static bool run_shortname_test(int dummy) goto out; } - strlcpy(fname, "\\shortname\\", sizeof(fname)); - strlcat(fname, "test .txt", sizeof(fname)); + if (strlcpy(fname, "\\shortname\\", sizeof(fname)) >= sizeof(fname)) { + correct = false; + goto out; + } + if (strlcat(fname, "test .txt", sizeof(fname)) >= sizeof(fname)) { + correct = false; + goto out; + } s.val = false; diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index 4aaf365a88..ad3f448c5e 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -3765,8 +3765,12 @@ static NTSTATUS copy_fn(const char *mnt, struct file_info *f, } /* search below that directory */ - strlcpy(new_mask, dir, sizeof(new_mask)); - strlcat(new_mask, "\\*", sizeof(new_mask)); + if (strlcpy(new_mask, dir, sizeof(new_mask)) >= sizeof(new_mask)) { + return NT_STATUS_NO_MEMORY; + } + if (strlcat(new_mask, "\\*", sizeof(new_mask)) >= sizeof(new_mask)) { + return NT_STATUS_NO_MEMORY; + } old_dir = local_state->cwd; local_state->cwd = dir; @@ -4807,7 +4811,9 @@ static bool get_user_tokens_from_file(FILE *f, token = &((*tokens)[*num_tokens-1]); - strlcpy(token->name, line, sizeof(token->name)); + if (strlcpy(token->name, line, sizeof(token->name)) >= sizeof(token->name)) { + return false; + } token->token.num_sids = 0; token->token.sids = NULL; continue; diff --git a/source3/web/swat.c b/source3/web/swat.c index 34974b400f..0e17b015e9 100644 --- a/source3/web/swat.c +++ b/source3/web/swat.c @@ -176,7 +176,8 @@ void get_xsrf_token(const char *username, const char *pass, char tmp[3]; snprintf(tmp, sizeof(tmp), "%02x", token[i]); - strlcat(token_str, tmp, sizeof(tmp)); + /* FIXME ! Truncate check. JRA. */ + (void)strlcat(token_str, tmp, sizeof(tmp)); } } -- cgit