From 11703b298685c9984a6a3c3a64eddb8a1a516b90 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Thu, 17 Apr 2008 15:20:39 +0200
Subject: fix the overflow/wrap checks in Samba4 for new gcc optimisation
 behavior

The approach I have used is as set out in
https://www.securecoding.cert.org/confluence/display/seccode/ARR38-C.+Do+not+add+or+subtract+an+integer+to+a+pointer+if+the+resulting+value+does+not+refer+to+an+element+within+the+array
(This used to be commit 92d5fb531db39be655f0cbd2d75b5f675a0a4cfa)
---
 source4/libcli/raw/rawrequest.c | 6 +++---
 source4/libcli/raw/rawtrans.c   | 6 +++---
 source4/libcli/smb2/request.c   | 8 ++++----
 3 files changed, 10 insertions(+), 10 deletions(-)

(limited to 'source4/libcli')

diff --git a/source4/libcli/raw/rawrequest.c b/source4/libcli/raw/rawrequest.c
index a42c710547..ef856c6ea1 100644
--- a/source4/libcli/raw/rawrequest.c
+++ b/source4/libcli/raw/rawrequest.c
@@ -700,10 +700,10 @@ DATA_BLOB smbcli_req_pull_blob(struct request_bufinfo *bufinfo, TALLOC_CTX *mem_
 static bool smbcli_req_data_oob(struct request_bufinfo *bufinfo, const uint8_t *ptr, uint32_t count)
 {
 	/* be careful with wraparound! */
-	if (ptr < bufinfo->data ||
-	    ptr >= bufinfo->data + bufinfo->data_size ||
+	if ((uintptr_t)ptr < (uintptr_t)bufinfo->data ||
+	    (uintptr_t)ptr >= (uintptr_t)bufinfo->data + bufinfo->data_size ||
 	    count > bufinfo->data_size ||
-	    ptr + count > bufinfo->data + bufinfo->data_size) {
+	    (uintptr_t)ptr + count > (uintptr_t)bufinfo->data + bufinfo->data_size) {
 		return true;
 	}
 	return false;
diff --git a/source4/libcli/raw/rawtrans.c b/source4/libcli/raw/rawtrans.c
index 29881afd2b..0f15b2151b 100644
--- a/source4/libcli/raw/rawtrans.c
+++ b/source4/libcli/raw/rawtrans.c
@@ -40,10 +40,10 @@ static bool raw_trans_oob(struct smbcli_request *req,
 	ptr = req->in.hdr + offset;
 	
 	/* be careful with wraparound! */
-	if (ptr < req->in.data ||
-	    ptr >= req->in.data + req->in.data_size ||
+	if ((uintptr_t)ptr < (uintptr_t)req->in.data ||
+	    (uintptr_t)ptr >= (uintptr_t)req->in.data + req->in.data_size ||
 	    count > req->in.data_size ||
-	    ptr + count > req->in.data + req->in.data_size) {
+	    (uintptr_t)ptr + count > (uintptr_t)req->in.data + req->in.data_size) {
 		return true;
 	}
 	return false;	
diff --git a/source4/libcli/smb2/request.c b/source4/libcli/smb2/request.c
index 2471fcaa4d..f52b0ceef2 100644
--- a/source4/libcli/smb2/request.c
+++ b/source4/libcli/smb2/request.c
@@ -211,10 +211,10 @@ bool smb2_oob(struct smb2_request_buffer *buf, const uint8_t *ptr, size_t size)
 		return false;
 	}
 	/* be careful with wraparound! */
-	if (ptr < buf->body ||
-	    ptr >= buf->body + buf->body_size ||
+	if ((uintptr_t)ptr < (uintptr_t)buf->body ||
+	    (uintptr_t)ptr >= (uintptr_t)buf->body + buf->body_size ||
 	    size > buf->body_size ||
-	    ptr + size > buf->body + buf->body_size) {
+	    (uintptr_t)ptr + size > (uintptr_t)buf->body + buf->body_size) {
 		return true;
 	}
 	return false;
@@ -669,7 +669,7 @@ NTSTATUS smb2_push_o16s16_string(struct smb2_request_buffer *buf,
 	}
 
 	if (*str == 0) {
-		blob.data = str;
+		blob.data = discard_const(str);
 		blob.length = 0;
 		return smb2_push_o16s16_blob(buf, ofs, blob);
 	}
-- 
cgit