From 9b58da986680a92b350f02cd31ff64f30fecd07c Mon Sep 17 00:00:00 2001 From: Bill Parker Date: Wed, 17 Jul 2013 15:30:35 -0700 Subject: Fix bug 10025 - Lack of Sanity Checking in calls to malloc()/calloc(). In reviewing various files in Samba-4.0.7, I found a number of instances where malloc()/calloc() were called without the checking the return value for a value of NULL, which would indicate failure. (NB. The changes needed to ccan, iniparser, popt and heimdal will be reported upstream, not patched inside Samba). Reviewed-by: Jeremy Allison Reviewed-by: Simo Source
---
 lib/ntdb/tools/growtdb-bench.c | 16 ++++++++++++++++
 lib/ntdb/tools/ntdbtorture.c | 4 ++++
 lib/replace/getifaddrs.c | 29 +++++++++++++++++++++++++++++
 lib/tdb/test/run-transaction-expand.c | 5 +++++
 lib/tdb/tools/tdbtorture.c | 8 ++++++++
 nsswitch/nsstest.c | 4 ++++
 source4/librpc/rpc/pyrpc_util.c | 3 +++
 source4/torture/gentest.c | 8 ++++++++
 8 files changed, 77 insertions(+)
diff --git a/lib/ntdb/tools/growtdb-bench.c b/lib/ntdb/tools/growtdb-bench.c
index 640f87af5a..aa5a406a54 100644
--- a/lib/ntdb/tools/growtdb-bench.c
+++ b/lib/ntdb/tools/growtdb-bench.c
@@ -48,12 +48,24 @@ int main(int argc, char *argv[])
 idxkey.dsize = strlen("User index");
 idxdata.dsize = 51;
 idxdata.dptr = calloc(idxdata.dsize, 1);
+ if (idxdata.dptr == NULL) {
+ fprintf(stderr, "Unable to allocate memory for idxdata.dptr\n");
+ return -1;
+ }
 /* Create users. */
 k.dsize = 48;
 k.dptr = calloc(k.dsize, 1);
+ if (k.dptr == NULL) {
+ fprintf(stderr, "Unable to allocate memory for k.dptr\n");
+ return -1;
+ }
 d.dsize = 64;
 d.dptr = calloc(d.dsize, 1);
+ if (d.dptr == NULL) {
+ fprintf(stderr, "Unable to allocate memory for d.dptr\n");
+ return -1;
+ }
 ntdb_transaction_start(ntdb);
 for (i = 0; i < users; i++) {
@@ -79,6 +91,10 @@ int main(int argc, char *argv[]) * a group. */ gk.dsize = 48; gk.dptr = calloc(k.dsize, 1); + if (gk.dptr == NULL) { + fprintf(stderr, "Unable to allocate memory for gk.dptr\n"); + return -1; + } gk.dptr[gk.dsize-1] = 1; d.dsize = 32; diff --git a/lib/ntdb/tools/ntdbtorture.c b/lib/ntdb/tools/ntdbtorture.c index 3bcf3200f2..7ddb5c3acb 100644 --- a/lib/ntdb/tools/ntdbtorture.c +++ b/lib/ntdb/tools/ntdbtorture.c @@ -96,6 +96,10 @@ static char *randbuf(int len) char *buf; int i; buf = (char *)malloc(len+1); + if (buf == NULL) { + perror("randbuf: unable to allocate memory for buffer.\n"); + exit(1); + } for (i=0;i=0; i--) { if (ioctl(fd, SIOCGIFFLAGS, &ifr[i]) == -1) { freeifaddrs(*ifap); + close(fd); return -1; } curif = calloc(1, sizeof(struct ifaddrs)); + if (curif == NULL) { + freeifaddrs(*ifap); + close(fd); + return -1; + } curif->ifa_name = strdup(ifr[i].ifr_name); + if (curif->ifa_name == NULL) { + free(curif); + freeifaddrs(*ifap); + close(fd); + return -1; + } curif->ifa_flags = ifr[i].ifr_flags; curif->ifa_dstaddr = NULL; curif->ifa_data = NULL; @@ -126,11 +138,28 @@ int rep_getifaddrs(struct ifaddrs **ifap) curif->ifa_addr = NULL; if (ioctl(fd, SIOCGIFADDR, &ifr[i]) != -1) { curif->ifa_addr = sockaddr_dup(&ifr[i].ifr_addr); + if (curif->ifa_addr == NULL) { + free(curif->ifa_name); + free(curif); + freeifaddrs(*ifap); + close(fd); + return -1; + } } curif->ifa_netmask = NULL; if (ioctl(fd, SIOCGIFNETMASK, &ifr[i]) != -1) { curif->ifa_netmask = sockaddr_dup(&ifr[i].ifr_addr); + if (curif->ifa_netmask == NULL) { + if (curif->ifa_addr != NULL) { + free(curif->ifa_addr); + } + free(curif->ifa_name); + free(curif); + freeifaddrs(*ifap); + close(fd); + return -1; + } } if (lastif == NULL) { diff --git a/lib/tdb/test/run-transaction-expand.c b/lib/tdb/test/run-transaction-expand.c index 1271d92b33..d62c76a88c 100644 --- a/lib/tdb/test/run-transaction-expand.c +++ b/lib/tdb/test/run-transaction-expand.c 
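Review bot: The new NULL check in the `@@ -79,6 +91,10 @@` hunk of growtdb-bench.c guards an allocation sized by `k.dsize` (`gk.dptr = calloc(k.dsize, 1);`), while the store right after it indexes by `gk.dsize` (`gk.dptr[gk.dsize-1] = 1;`). Both are set to 48 in the visible lines, so nothing is out of bounds as written, but if the two sizes ever diverge that store lands outside the buffer; `gk.dptr = calloc(gk.dsize, 1);` ties the allocation to the index that is used. Whether `k.dsize` is modified between the two hunks is not visible, and main continues outside the hunk.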
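Review bot: Each added failure branch in the `@@ -126,11 +138,28 @@` hunk of rep_getifaddrs calls `freeifaddrs(*ifap)` and returns -1 without resetting `*ifap`, so the caller's pointer is left referring to a list that has just been freed. If a caller walks or frees `*ifap` after a -1 return, that becomes a use-after-free or double free; how callers behave, and how `*ifap` is initialised, is outside the visible lines. Adding `*ifap = NULL;` after each `freeifaddrs(*ifap);` removes the dangling pointer, and the earlier added branches in this file appear to need the same. The unwind sequence is now repeated in several branches; a single `fail:` label holding the frees and `close(fd)` would keep them from drifting apart, and the `if (curif->ifa_addr != NULL)` guard can go because `free(NULL)` is a no-op.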
@@ -73,6 +73,11 @@ int main(int argc, char *argv[])
 data.dsize = 0;
 data.dptr = calloc(1000, getpagesize());
+ if (data.dptr == NULL) {
+ diag("Unable to allocate memory for data.dptr");
+ tdb_close(tdb);
+ exit(1);
+ }
 /* Simulate a slowly growing record. */
 for (i = 0; i < 1000; i++)
diff --git a/lib/tdb/tools/tdbtorture.c b/lib/tdb/tools/tdbtorture.c
index a23d1543e5..5ae08f662a 100644
--- a/lib/tdb/tools/tdbtorture.c
+++ b/lib/tdb/tools/tdbtorture.c
@@ -342,7 +342,15 @@ int main(int argc, char * const *argv)
 }
 pids = (pid_t *)calloc(sizeof(pid_t), num_procs);
+ if (pids == NULL) {
+ perror("Unable to allocate memory for pids");
+ exit(1);
+ }
 done = (int *)calloc(sizeof(int), num_procs);
+ if (done == NULL) {
+ perror("Unable to allocate memory for done");
+ exit(1);
+ }
 if (pipe(pfds) != 0) {
 perror("Creating pipe");
diff --git a/nsswitch/nsstest.c b/nsswitch/nsstest.c
index 39d03424fa..4b3d0a4301 100644
--- a/nsswitch/nsstest.c
+++ b/nsswitch/nsstest.c
@@ -371,6 +371,10 @@ static void nss_test_initgroups(char *name, gid_t gid)
 NSS_STATUS status;
 groups = (gid_t *)malloc(sizeof(gid_t) * size);
+ if (groups == NULL) {
+ printf("Unable to allocate memory for groups\n");
+ return;
+ }
 groups[0] = gid;
 status = nss_initgroups(name, gid, &groups, &start, &size);
diff --git a/source4/librpc/rpc/pyrpc_util.c b/source4/librpc/rpc/pyrpc_util.c
index a000c76907..ab6caac8ff 100644
--- a/source4/librpc/rpc/pyrpc_util.c
+++ b/source4/librpc/rpc/pyrpc_util.c
@@ -246,6 +246,9 @@ bool PyInterface_AddNdrRpcMethods(PyTypeObject *ifacetype, const struct PyNdrRpc
 PyObject *ret;
 struct wrapperbase *wb = (struct wrapperbase *)calloc(sizeof(struct wrapperbase), 1);
+ if (wb == NULL) {
+ return false;
+ }
 wb->name = discard_const_p(char, mds[i].name);
 wb->flags = PyWrapperFlag_KEYWORDS;
 wb->wrapper = (wrapperfunc)py_dcerpc_call_wrapper;
diff --git a/source4/torture/gentest.c b/source4/torture/gentest.c
index 91b60e2c4e..f3c4c20e53 100644
--- a/source4/torture/gentest.c
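Review bot: `calloc` is allowed to return NULL for a zero element count, so the new checks on `pids` and `done` in tdbtorture.c would report an allocation failure and exit when `num_procs` is 0; whether `num_procs` is range-checked earlier in main is outside the hunk. Rejecting a non-positive count before the two allocations, for example `if (num_procs <= 0) { fprintf(stderr, "num_procs must be positive\n"); exit(1); }`, separates bad input from real out-of-memory. The same applies to `options.max_open_handles` and `options.numops` in the source4/torture/gentest.c hunk.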
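Review bot: The added `return false;` in PyInterface_AddNdrRpcMethods reports the failed `calloc` without setting a Python exception, so the caller learns only that registration failed and not why; `PyErr_NoMemory(); return false;` would record the cause. The `mds[i]` index on the following line suggests the check sits inside a per-method loop (the loop header is outside the hunk), in which case a failure on a later iteration returns with the earlier methods already registered and their `wb` allocations still live. Whether callers treat a false return as fatal for the whole type is not visible here and is worth confirming.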
+++ b/source4/torture/gentest.c
@@ -3068,9 +3068,17 @@ static bool start_gentest(struct tevent_context *ev,
 /* allocate the open_handles array */
 open_handles = calloc(options.max_open_handles, sizeof(open_handles[0]));
+ if (open_handles == NULL) {
+ printf("Unable to allocate memory for open_handles array.\n");
+ exit(1);
+ }
 srandom(options.seed);
 op_parms = calloc(options.numops, sizeof(op_parms[0]));
+ if (op_parms == NULL) {
+ printf("Unable to allocate memory for op_parms.\n");
+ exit(1);
+ }
 /* generate the seeds - after this everything is deterministic */
 if (options.use_preset_seeds) {
-- cgit
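Review bot: Both new diagnostics in start_gentest are written to stdout with `printf`, and the function then ends the process with `exit(1)` although its signature returns `bool`. Using `fprintf(stderr, "Unable to allocate memory for open_handles array.\n"); return false;` (and the same for `op_parms`) keeps the error out of the tool's normal output and leaves the exit decision to the caller. How the caller reacts to a false return is outside the hunk, so confirm it before switching. The function body starts and ends outside the hunk.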