From 9b58da986680a92b350f02cd31ff64f30fecd07c Mon Sep 17 00:00:00 2001
From: Bill Parker
Date: Wed, 17 Jul 2013 15:30:35 -0700
Subject: Fix bug 10025 - Lack of Sanity Checking in calls to malloc()/calloc().
In reviewing various files in Samba-4.0.7, I found a number of instances where malloc()/calloc() were called without the checking the return value for a value of NULL, which would indicate failure. (NB. The changes needed to ccan, iniparser, popt and heimdal will be reported upstream, not patched inside Samba).
Reviewed-by: Jeremy Allison
Reviewed-by: Simo Source
---
lib/ntdb/tools/growtdb-bench.c | 16 ++++++++++++++++
lib/ntdb/tools/ntdbtorture.c | 4 ++++
lib/replace/getifaddrs.c | 29 +++++++++++++++++++++++++++++
lib/tdb/test/run-transaction-expand.c | 5 +++++
lib/tdb/tools/tdbtorture.c | 8 ++++++++
5 files changed, 62 insertions(+)
(limited to 'lib')
diff --git a/lib/ntdb/tools/growtdb-bench.c b/lib/ntdb/tools/growtdb-bench.c
index 640f87af5a..aa5a406a54 100644
--- a/lib/ntdb/tools/growtdb-bench.c
+++ b/lib/ntdb/tools/growtdb-bench.c
@@ -48,12 +48,24 @@ int main(int argc, char *argv[])
 idxkey.dsize = strlen("User index");
 idxdata.dsize = 51;
 idxdata.dptr = calloc(idxdata.dsize, 1);
+ if (idxdata.dptr == NULL) {
+ fprintf(stderr, "Unable to allocate memory for idxdata.dptr\n");
+ return -1;
+ }
 /* Create users. */
 k.dsize = 48;
 k.dptr = calloc(k.dsize, 1);
+ if (k.dptr == NULL) {
+ fprintf(stderr, "Unable to allocate memory for k.dptr\n");
+ return -1;
+ }
 d.dsize = 64;
 d.dptr = calloc(d.dsize, 1);
+ if (d.dptr == NULL) {
+ fprintf(stderr, "Unable to allocate memory for d.dptr\n");
+ return -1;
+ }
 ntdb_transaction_start(ntdb);
 for (i = 0; i < users; i++) {
@@ -79,6 +91,10 @@ int main(int argc, char *argv[])
 * a group. */
 gk.dsize = 48;
 gk.dptr = calloc(k.dsize, 1);
+ if (gk.dptr == NULL) {
+ fprintf(stderr, "Unable to allocate memory for gk.dptr\n");
+ return -1;
+ }
 gk.dptr[gk.dsize-1] = 1;
 d.dsize = 32;
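Review bot: The three failure branches added in the first growtdb-bench.c hunk `return -1` straight out of main, leaving the earlier buffers and the `ntdb` handle (used by `ntdb_transaction_start(ntdb)` just below) to be reclaimed only by process exit; the `gk.dptr` branch in the second hunk does the same. The run-transaction-expand.c change in this same commit calls `tdb_close(tdb)` before exiting, so the tools now disagree on how to bail out. `return -1` from main also surfaces as exit status 255 on POSIX shells, while the other tools patched here use `exit(1)`; `return 1;` would match them. main begins and ends outside both hunks, so whether the database is already open at each of these points should be confirmed.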
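Review bot: The NULL check added in the second growtdb-bench.c hunk guards the write `gk.dptr[gk.dsize-1] = 1`, but the allocation on the context line above it is sized with `k.dsize`, not `gk.dsize`. Both are 48 in the visible code, so the write is in bounds today; a later change to either constant would silently turn it into an out-of-bounds write or an over-allocation. Since the commit is already hardening this statement, I would size the buffer by the variable that indexes it: `gk.dptr = calloc(gk.dsize, 1);`.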
diff --git a/lib/ntdb/tools/ntdbtorture.c b/lib/ntdb/tools/ntdbtorture.c
index 3bcf3200f2..7ddb5c3acb 100644
--- a/lib/ntdb/tools/ntdbtorture.c
+++ b/lib/ntdb/tools/ntdbtorture.c
@@ -96,6 +96,10 @@ static char *randbuf(int len)
 char *buf;
 int i;
 buf = (char *)malloc(len+1);
+ if (buf == NULL) {
+ perror("randbuf: unable to allocate memory for buffer.\n");
+ exit(1);
+ }
 for (i=0;i=0; i--) {
 if (ioctl(fd, SIOCGIFFLAGS, &ifr[i]) == -1) {
 freeifaddrs(*ifap);
+ close(fd);
 return -1;
 }
 curif = calloc(1, sizeof(struct ifaddrs));
+ if (curif == NULL) {
+ freeifaddrs(*ifap);
+ close(fd);
+ return -1;
+ }
 curif->ifa_name = strdup(ifr[i].ifr_name);
+ if (curif->ifa_name == NULL) {
+ free(curif);
+ freeifaddrs(*ifap);
+ close(fd);
+ return -1;
+ }
 curif->ifa_flags = ifr[i].ifr_flags;
 curif->ifa_dstaddr = NULL;
 curif->ifa_data = NULL;
@@ -126,11 +138,28 @@ int rep_getifaddrs(struct ifaddrs **ifap)
 curif->ifa_addr = NULL;
 if (ioctl(fd, SIOCGIFADDR, &ifr[i]) != -1) {
 curif->ifa_addr = sockaddr_dup(&ifr[i].ifr_addr);
+ if (curif->ifa_addr == NULL) {
+ free(curif->ifa_name);
+ free(curif);
+ freeifaddrs(*ifap);
+ close(fd);
+ return -1;
+ }
 }
 curif->ifa_netmask = NULL;
 if (ioctl(fd, SIOCGIFNETMASK, &ifr[i]) != -1) {
 curif->ifa_netmask = sockaddr_dup(&ifr[i].ifr_addr);
+ if (curif->ifa_netmask == NULL) {
+ if (curif->ifa_addr != NULL) {
+ free(curif->ifa_addr);
+ }
+ free(curif->ifa_name);
+ free(curif);
+ freeifaddrs(*ifap);
+ close(fd);
+ return -1;
+ }
 }
 if (lastif == NULL) {
diff --git a/lib/tdb/test/run-transaction-expand.c b/lib/tdb/test/run-transaction-expand.c
index 1271d92b33..d62c76a88c 100644
--- a/lib/tdb/test/run-transaction-expand.c
+++ b/lib/tdb/test/run-transaction-expand.c
@@ -73,6 +73,11 @@ int main(int argc, char *argv[])
 data.dsize = 0;
 data.dptr = calloc(1000, getpagesize());
+ if (data.dptr == NULL) {
+ diag("Unable to allocate memory for data.dptr");
+ tdb_close(tdb);
+ exit(1);
+ }
 /* Simulate a slowly growing record. */
 for (i = 0; i < 1000; i++)
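Review bot: The string passed to `perror()` in randbuf ends in `.\n`, and perror appends `: ` plus the errno text after its argument, so the diagnostic is split across two lines with the error string orphaned on the second. Drop the trailing punctuation and newline: `perror("randbuf: unable to allocate memory for buffer");`. Separately, `len` is an `int` and the request is `len+1`, so a negative or INT_MAX length is not rejected before the allocation; whether any caller can pass one is not visible here. The remainder of randbuf after the new check is truncated on this page.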
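Review bot: Every error path added to rep_getifaddrs calls `freeifaddrs(*ifap)` and returns -1 while leaving `*ifap` pointing at the freed list, so a caller that frees or walks the out-parameter after a failed call would hit a double free or use-after-free. I would follow each `freeifaddrs(*ifap);` with `*ifap = NULL;`, both in this hunk and in the loop-head paths above it. The cleanup sequences are also hand-copied five times and differ only in which `curif` members are already populated, which is easy to get wrong on the next edit; `free(NULL)` is a no-op, so the `if (curif->ifa_addr != NULL)` guard can be dropped and the sequences made uniform. How callers treat `*ifap` on failure is outside the visible lines, and the function begins before them.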
diff --git a/lib/tdb/tools/tdbtorture.c b/lib/tdb/tools/tdbtorture.c
index a23d1543e5..5ae08f662a 100644
--- a/lib/tdb/tools/tdbtorture.c
+++ b/lib/tdb/tools/tdbtorture.c
@@ -342,7 +342,15 @@ int main(int argc, char * const *argv)
 }
 pids = (pid_t *)calloc(sizeof(pid_t), num_procs);
+ if (pids == NULL) {
+ perror("Unable to allocate memory for pids");
+ exit(1);
+ }
 done = (int *)calloc(sizeof(int), num_procs);
+ if (done == NULL) {
+ perror("Unable to allocate memory for done");
+ exit(1);
+ }
 if (pipe(pfds) != 0) {
 perror("Creating pipe");
-- cgit
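Review bot: `num_procs` reaches both `calloc` calls without a visible range check, and the new NULL tests change what happens at the edges: a zero count may legally make calloc return NULL, which is now reported as an allocation failure, and if `num_procs` is a signed int a negative value converts to a very large size_t. If the value comes from the command line (not visible in this hunk), reject it before allocating, e.g. `if (num_procs <= 0) { fprintf(stderr, "invalid process count\n"); exit(1); }`. ISO C also does not require calloc to set errno, so `perror` can print an unrelated error string on some platforms; `fprintf(stderr, ...)` as used in growtdb-bench.c avoids that. main continues outside the hunk.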