From 008fd973097303ac984cd7c004e3dea67d54813d Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 28 Sep 1998 23:55:09 +0000
Subject: Fixed problems found in lint pass over the old code by
 <cpeterso@microsoft.com>. These were the problems that still existed in the
 2.0 branch. Jeremy. (This used to be commit
 3fd28812f75f2311a114ff905143634e3bbb1fac)

---
 source3/client/clientutil.c     | 21 +++++++++++++---
 source3/lib/kanji.c             |  2 ++
 source3/lib/util.c              | 11 ++++++---
 source3/smbd/ipc.c              | 54 +++++++++++++++++++++++++++++++++--------
 source3/smbd/trans2.c           |  4 +++
 source3/utils/make_printerdef.c | 28 ++++++++++++++++++---
 6 files changed, 100 insertions(+), 20 deletions(-)

(limited to 'source3')

diff --git a/source3/client/clientutil.c b/source3/client/clientutil.c
index 2afbde85b5..7f5943cb01 100644
--- a/source3/client/clientutil.c
+++ b/source3/client/clientutil.c
@@ -105,6 +105,11 @@ BOOL cli_call_api(char *pipe_name, int pipe_name_len,
   if (!inbuf) inbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
   if (!outbuf) outbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
 
+  if(!inbuf || !outbuf) {
+    DEBUG(0,("cli_call_api: malloc fail.\n"));
+    return False;
+  }
+
   if (pipe_name_len == 0) pipe_name_len = strlen(pipe_name);
 
   cli_send_trans_request(outbuf,SMBtrans,pipe_name, pipe_name_len, 0,0,
@@ -152,6 +157,11 @@ BOOL cli_receive_trans_response(char *inbuf,int trans,
   *data = Realloc(*data,total_data);
   *param = Realloc(*param,total_param);
 
+  if((total_data && !data) || (total_param && !param)) {
+    DEBUG(0,("cli_receive_trans_response: Realloc fail !\n"));
+    return(False);
+  }
+
   while (1)
     {
       this_data = SVAL(inbuf,smb_drcnt);
@@ -458,10 +468,15 @@ BOOL cli_send_login(char *inbuf,char *outbuf,BOOL start_session,BOOL use_setup,
   bzero(&opt, sizeof(opt));
 
   if (was_null)
-    {
-      inbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
-      outbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
+  {
+    inbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
+    outbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
+
+    if(!inbuf || !outbuf) {
+      DEBUG(0,("cli_send_login: malloc fail !\n"));
+      return False;
     }
+  }
 
   if (strstr(service,"IPC$")) connect_as_ipc = True;
 
diff --git a/source3/lib/kanji.c b/source3/lib/kanji.c
index 4ca5984d80..04eecb5437 100644
--- a/source3/lib/kanji.c
+++ b/source3/lib/kanji.c
@@ -1173,6 +1173,7 @@ void initialize_multibyte_vectors( int client_codepage)
     multibyte_strtok = (char *(*)(char *, char *)) generic_multibyte_strtok;
     _skip_multibyte_char = skip_generic_multibyte_char;
     is_multibyte_char_1 = hangul_is_multibyte_char_1;
+    break;
   case BIG5_CODEPAGE:
     multibyte_strchr = (char *(*)(char *, int )) generic_multibyte_strchr;
     multibyte_strrchr = (char *(*)(char *, int )) generic_multibyte_strrchr;
@@ -1180,6 +1181,7 @@ void initialize_multibyte_vectors( int client_codepage)
     multibyte_strtok = (char *(*)(char *, char *)) generic_multibyte_strtok;
     _skip_multibyte_char = skip_generic_multibyte_char;
     is_multibyte_char_1 = big5_is_multibyte_char_1;
+    break;
   case SIMPLIFIED_CHINESE_CODEPAGE:
     multibyte_strchr = (char *(*)(char *, int )) generic_multibyte_strchr;
     multibyte_strrchr = (char *(*)(char *, int )) generic_multibyte_strrchr;
diff --git a/source3/lib/util.c b/source3/lib/util.c
index e82abf8c7c..8561c4f3f4 100644
--- a/source3/lib/util.c
+++ b/source3/lib/util.c
@@ -2454,10 +2454,13 @@ BOOL string_init(char **dest,char *src)
 
   if (l == 0)
     {
-      if (!null_string)
-	null_string = (char *)malloc(1);
-
-      *null_string = 0;
+      if (!null_string) {
+        if((null_string = (char *)malloc(1)) == NULL) {
+          DEBUG(0,("string_init: malloc fail for null_string.\n"));
+          return False;
+        }
+        *null_string = 0;
+      }
       *dest = null_string;
     }
   else
diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c
index 22fd318f63..ec126c89ff 100644
--- a/source3/smbd/ipc.c
+++ b/source3/smbd/ipc.c
@@ -642,7 +642,13 @@ static void fill_printq_info(connection_struct *conn, int snum, int uLevel,
       return;
     }
 
-    p=(char *)malloc(8192*sizeof(char));
+    if((p=(char *)malloc(8192*sizeof(char))) == NULL) {
+      DEBUG(0,("fill_printq_info: malloc fail !\n"));
+      desc->errcode=NERR_notsupported;
+      fclose(f);
+      return;
+    }
+
     bzero(p, 8192*sizeof(char));
     q=p;
 
@@ -741,7 +747,12 @@ static int get_printerdrivernumber(int snum)
     return(0);
   }
 
-  p=(char *)malloc(8192*sizeof(char));
+  if((p=(char *)malloc(8192*sizeof(char))) == NULL) {
+    DEBUG(3,("get_printerdrivernumber: malloc fail !\n"));
+    fclose(f);
+    return 0;
+  }
+
   q=p; /* need it to free memory because p change ! */
 
   /* lookup the long printer driver name in the file description */
@@ -882,11 +893,20 @@ static BOOL api_DosPrintQEnum(connection_struct *conn, uint16 vuid, char* param,
     if (lp_snum_ok(i) && lp_print_ok(i) && lp_browseable(i))
       queuecnt++;
   if (uLevel > 0) {
-    queue = (print_queue_struct**)malloc(queuecnt*sizeof(print_queue_struct*));
+    if((queue = (print_queue_struct**)malloc(queuecnt*sizeof(print_queue_struct*))) == NULL) {
+      DEBUG(0,("api_DosPrintQEnum: malloc fail !\n"));
+      return False;
+    }
     memset(queue,0,queuecnt*sizeof(print_queue_struct*));
-    status = (print_status_struct*)malloc(queuecnt*sizeof(print_status_struct));
+    if((status = (print_status_struct*)malloc(queuecnt*sizeof(print_status_struct))) == NULL) {
+      DEBUG(0,("api_DosPrintQEnum: malloc fail !\n"));
+      return False;
+    }
     memset(status,0,queuecnt*sizeof(print_status_struct));
-    subcntarr = (int*)malloc(queuecnt*sizeof(int));
+    if((subcntarr = (int*)malloc(queuecnt*sizeof(int))) == NULL) {
+      DEBUG(0,("api_DosPrintQEnum: malloc fail !\n"));
+      return False;
+    }
     subcnt = 0;
     n = 0;
     for (i = 0; i < services; i++)
@@ -3525,13 +3545,18 @@ static int api_reply(connection_struct *conn,uint16 vuid,char *outbuf,char *data
   for (i=0;api_commands[i].name;i++)
     if (api_commands[i].id == api_command && api_commands[i].fn)
       {
-	DEBUG(3,("Doing %s\n",api_commands[i].name));
-	break;
+        DEBUG(3,("Doing %s\n",api_commands[i].name));
+        break;
       }
 
   rdata = (char *)malloc(1024); if (rdata) bzero(rdata,1024);
   rparam = (char *)malloc(1024); if (rparam) bzero(rparam,1024);
 
+  if(!rdata || !rparam) {
+    DEBUG(0,("api_reply: malloc fail !\n"));
+    return -1;
+  }
+
   reply = api_commands[i].fn(conn,vuid,params,data,mdrcnt,mprcnt,
 			     &rdata,&rparam,&rdata_len,&rparam_len);
 
@@ -3629,18 +3654,27 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
 	}
   
 	if (tdscnt)  {
-		data = (char *)malloc(tdscnt);
+		if((data = (char *)malloc(tdscnt)) == NULL) {
+          DEBUG(0,("reply_trans: data malloc fail for %d bytes !\n", tdscnt));
+		  return(ERROR(ERRDOS,ERRnomem));
+        } 
 		memcpy(data,smb_base(inbuf)+dsoff,dscnt);
 	}
 
 	if (tpscnt) {
-		params = (char *)malloc(tpscnt);
+		if((params = (char *)malloc(tpscnt)) == NULL) {
+          DEBUG(0,("reply_trans: param malloc fail for %d bytes !\n", tpscnt));
+		  return(ERROR(ERRDOS,ERRnomem));
+        } 
 		memcpy(params,smb_base(inbuf)+psoff,pscnt);
 	}
 
 	if (suwcnt) {
 		int i;
-		setup = (uint16 *)malloc(suwcnt*sizeof(setup[0]));
+		if((setup = (uint16 *)malloc(suwcnt*sizeof(uint16))) == NULL) {
+          DEBUG(0,("reply_trans: setup malloc fail for %d bytes !\n", suwcnt * sizeof(uint16)));
+		  return(ERROR(ERRDOS,ERRnomem));
+        } 
 		for (i=0;i<suwcnt;i++)
 			setup[i] = SVAL(inbuf,smb_vwv14+i*SIZEOFWORD);
 	}
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 70f834af8a..6fd0272a0a 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -1895,6 +1895,10 @@ int reply_trans2(connection_struct *conn,
   
 	if ((total_params && !params)  || (total_data && !data)) {
 		DEBUG(2,("Out of memory in reply_trans2\n"));
+        if(params)
+          free(params);
+        if(data)
+          free(data); 
 		return(ERROR(ERRDOS,ERRnomem));
 	}
 
diff --git a/source3/utils/make_printerdef.c b/source3/utils/make_printerdef.c
index aad5bc56f4..c64ce64bbf 100644
--- a/source3/utils/make_printerdef.c
+++ b/source3/utils/make_printerdef.c
@@ -84,6 +84,12 @@ static char *scan(char *chaine,char **entry)
  
   *entry=(char *)malloc(sizeof(pstring));
   value=(char *)malloc(sizeof(pstring));
+
+  if(*entry == NULL || value == NULL) {
+    fprintf(stderr,"scan: malloc fail !\n");
+    exit(1);
+  }
+
   pstrcpy(*entry,chaine);
   temp=chaine;
   while( temp[i]!='=' && temp[i]!='\0') {
@@ -134,6 +140,11 @@ static void lookup_strings(FILE *fichier)
   temp=(char *)malloc(sizeof(pstring));
   temp2=(char *)malloc(sizeof(pstring));
   
+  if(temp == NULL || temp2 == NULL) {
+    fprintf(stderr,"lookup_strings: malloc fail !\n");
+    exit(1);
+  }
+
   *sbuffer[0]='\0';
   
   pstrcpy(temp2,"[Strings]");
@@ -184,6 +195,11 @@ static void lookup_entry(FILE *fichier,char *chaine)
   temp=(char *)malloc(sizeof(pstring));
   temp2=(char *)malloc(sizeof(pstring));
   
+  if(temp == NULL || temp2 == NULL) {
+    fprintf(stderr,"lookup_entry: malloc fail !\n");
+    exit(1);
+  }
+
   *buffer[0]='\0';
   
   pstrcpy(temp2,"[");
@@ -236,7 +252,7 @@ static char *find_desc(FILE *fichier,char *text)
   long_desc=(char *)malloc(sizeof(pstring));
   short_desc=(char *)malloc(sizeof(pstring));
   if (!chaine || !long_desc || !short_desc) {
-    fprintf(stderr,"Unable to malloc memory\n");
+    fprintf(stderr,"find_desc: Unable to malloc memory\n");
     exit(1);
   }
 
@@ -363,7 +379,10 @@ static void scan_short_desc(FILE *fichier, char *short_desc)
   helpfile=0;
   languagemonitor=0;
   datatype="RAW";
-  temp=(char *)malloc(sizeof(pstring));
+  if((temp=(char *)malloc(sizeof(pstring))) == NULL) {
+    fprintf(stderr, "scan_short_desc: malloc fail !\n");
+    exit(1);
+  }
   
   driverfile=short_desc;
   datafile=short_desc;
@@ -472,7 +491,10 @@ int main(int argc, char *argv[])
   lookup_entry(inf_file,"DestinationDirs");
   build_subdir();
 
-  files_to_copy=(char *)malloc(2048*sizeof(char));
+  if((files_to_copy=(char *)malloc(2048*sizeof(char))) == NULL) {
+    fprintf(stderr, "%s: malloc fail.\n", argv[0] );
+    exit(1);
+  }
   *files_to_copy='\0';
   scan_short_desc(inf_file,short_desc);
   fprintf(stdout,"%s:%s:%s:",
-- 
cgit