The branch, master has been updated
       via  dc7f04aac78579edcd171bfcb9de901444c6c819 (commit)
       via  ea192f08e609fa4c4a48df1b27874b9ae2c1fa40 (commit)
      from  612c5e746bd4d0059eb8bcb8dbb4944db155f071 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit dc7f04aac78579edcd171bfcb9de901444c6c819
Author: Günther Deschner <[email protected]>
Date:   Tue Feb 17 10:14:58 2009 +0100

    s3-netapi: fix Coverity #881 and #882.
    
    Guenther

commit ea192f08e609fa4c4a48df1b27874b9ae2c1fa40
Author: Volker Lendecke <[email protected]>
Date:   Sat Feb 14 18:01:20 2009 +0100

    Fix an invalid typecasting
    
    entry->num_of_strings is a uint16_t. Casting it with
    
    (int *)&entry->num_of_strings
    
    is wrong, because it gives add_string_to_array the illusion that the object
    "num" points to is an int, which it is not.
    
    In case we are running on a machine where "int" is 32 or 64 bits long, what
    happens with that cast? "add_string_to_array" interprets the byte field that
    starts where "num_of_strings" starts as an int. Under very particular
    circumstances this might work in a limited number of cases: When the byte order
    of an int is such that the lower order bits of the int are stored first, the
    subsequent bytes which do not belong to the uint16_t anymore happen to be 0 and
    the result of the increment still fits into the first 2 bytes of that int, i.e.
    the result is < 65536.
    
    The correct solution to this problem is to use the implicit type conversion
    that happens when an assignment is done.
    
    BTW, this bug is found if you compile with -O3 -Wall, it shows up as a warning:
    
    rpc_server/srv_eventlog_lib.c:574: warning: dereferencing type-punned pointer
        will break strict-aliasing rules
    
    Thanks,
    
    Volker

-----------------------------------------------------------------------

Summary of changes:
 source3/lib/netapi/serverinfo.c       |   63 +++++++++++++++++++++++++++++----
 source3/rpc_server/srv_eventlog_lib.c |    8 ++++-
 2 files changed, 63 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/lib/netapi/serverinfo.c b/source3/lib/netapi/serverinfo.c
index 02396a7..72ceec0 100644
--- a/source3/lib/netapi/serverinfo.c
+++ b/source3/lib/netapi/serverinfo.c
@@ -98,7 +98,6 @@ static NTSTATUS 
map_server_info_to_SERVER_INFO_buffer(TALLOC_CTX *mem_ctx,
        struct SERVER_INFO_403 i403;
        struct SERVER_INFO_502 i502;
        struct SERVER_INFO_503 i503;
-       struct SERVER_INFO_598 i598;
        struct SERVER_INFO_599 i599;
        struct SERVER_INFO_1005 i1005;
 #if 0
@@ -396,13 +395,63 @@ static NTSTATUS 
map_server_info_to_SERVER_INFO_buffer(TALLOC_CTX *mem_ctx,
                                     &num_info);
                        break;
 
-               case 598:
-                       ADD_TO_ARRAY(mem_ctx, struct SERVER_INFO_598, i598,
-                                    (struct SERVER_INFO_598 **)buffer,
-                                    &num_info);
-                       break;
-
                case 599:
+                       i599.sv599_sessopens            = i->info599->sessopen;
+                       i599.sv599_opensearch           = 
i->info599->opensearch;
+                       i599.sv599_sizreqbuf            = 
i->info599->sizereqbufs;
+                       i599.sv599_initworkitems        = 
i->info599->initworkitems;
+                       i599.sv599_maxworkitems         = 
i->info599->maxworkitems;
+                       i599.sv599_rawworkitems         = 
i->info599->rawworkitems;
+                       i599.sv599_irpstacksize         = 
i->info599->irpstacksize;
+                       i599.sv599_maxrawbuflen         = 
i->info599->maxrawbuflen;
+                       i599.sv599_sessusers            = i->info599->sessusers;
+                       i599.sv599_sessconns            = i->info599->sessconns;
+                       i599.sv599_maxpagedmemoryusage  = 
i->info599->maxpagedmemoryusage;
+                       i599.sv599_maxnonpagedmemoryusage = 
i->info599->maxnonpagedmemoryusage;
+                       i599.sv599_enablesoftcompat     = 
i->info599->enablesoftcompat;
+                       i599.sv599_enableforcedlogoff   = 
i->info599->enableforcedlogoff;
+                       i599.sv599_timesource           = 
i->info599->timesource;
+                       i599.sv599_acceptdownlevelapis  = 
i->info599->acceptdownlevelapis;
+                       i599.sv599_lmannounce           = 
i->info599->lmannounce;
+                       i599.sv599_domain               = 
talloc_strdup(mem_ctx, i->info599->domain);
+                       i599.sv599_maxcopyreadlen       = 
i->info599->maxcopyreadlen;
+                       i599.sv599_maxcopywritelen      = 
i->info599->maxcopywritelen;
+                       i599.sv599_minkeepsearch        = 
i->info599->minkeepsearch;
+                       i599.sv599_maxkeepsearch        = 0; /* ?? */
+                       i599.sv599_minkeepcomplsearch   = 
i->info599->minkeepcomplsearch;
+                       i599.sv599_maxkeepcomplsearch   = 
i->info599->maxkeepcomplsearch;
+                       i599.sv599_threadcountadd       = 
i->info599->threadcountadd;
+                       i599.sv599_numblockthreads      = 
i->info599->numlockthreads; /* typo ? */
+                       i599.sv599_scavtimeout          = 
i->info599->scavtimeout;
+                       i599.sv599_minrcvqueue          = 
i->info599->minrcvqueue;
+                       i599.sv599_minfreeworkitems     = 
i->info599->minfreeworkitems;
+                       i599.sv599_xactmemsize          = 
i->info599->xactmemsize;
+                       i599.sv599_threadpriority       = 
i->info599->threadpriority;
+                       i599.sv599_maxmpxct             = i->info599->maxmpxct;
+                       i599.sv599_oplockbreakwait      = 
i->info599->oplockbreakwait;
+                       i599.sv599_oplockbreakresponsewait = 
i->info599->oplockbreakresponsewait;
+                       i599.sv599_enableoplocks        = 
i->info599->enableoplocks;
+                       i599.sv599_enableoplockforceclose = 
i->info599->enableoplockforceclose;
+                       i599.sv599_enablefcbopens       = 
i->info599->enablefcbopens;
+                       i599.sv599_enableraw            = i->info599->enableraw;
+                       i599.sv599_enablesharednetdrives = 
i->info599->enablesharednetdrives;
+                       i599.sv599_minfreeconnections   = 
i->info599->minfreeconnections;
+                       i599.sv599_maxfreeconnections   = 
i->info599->maxfreeconnections;
+                       i599.sv599_initsesstable        = 
i->info599->initsesstable;
+                       i599.sv599_initconntable        = 
i->info599->initconntable;
+                       i599.sv599_initfiletable        = 
i->info599->initfiletable;
+                       i599.sv599_initsearchtable      = 
i->info599->initsearchtable;
+                       i599.sv599_alertschedule        = 
i->info599->alertsched;
+                       i599.sv599_errorthreshold       = 
i->info599->errortreshold;
+                       i599.sv599_networkerrorthreshold = 
i->info599->networkerrortreshold;
+                       i599.sv599_diskspacethreshold   = 
i->info599->diskspacetreshold;
+                       i599.sv599_reserved             = i->info599->reserved;
+                       i599.sv599_maxlinkdelay         = 
i->info599->maxlinkdelay;
+                       i599.sv599_minlinkthroughput    = 
i->info599->minlinkthroughput;
+                       i599.sv599_linkinfovalidtime    = 
i->info599->linkinfovalidtime;
+                       i599.sv599_scavqosinfoupdatetime = 
i->info599->scavqosinfoupdatetime;
+                       i599.sv599_maxworkitemidletime  = 
i->info599->maxworkitemidletime;
+
                        ADD_TO_ARRAY(mem_ctx, struct SERVER_INFO_599, i599,
                                     (struct SERVER_INFO_599 **)buffer,
                                     &num_info);
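Review bot: The `talloc_strdup(mem_ctx, i->info599->domain)` result stored in `i599.sv599_domain` is never checked, so an allocation failure (or a NULL `domain` in the server's reply, if the IDL permits one) silently leaves a NULL pointer in the structure copied out to callers that will treat it as a string. Since the function returns NTSTATUS, the usual guard would be `if (i->info599->domain && !i599.sv599_domain) { return NT_STATUS_NO_MEMORY; }` just before the ADD_TO_ARRAY call, assuming that is how the other cases of this switch handle their strdup'd fields — they are outside the hunk. The `/* ?? */` on `sv599_maxkeepsearch = 0` and `/* typo ? */` on `numblockthreads = numlockthreads` leave open questions in shipped code; either resolve them against the IDL or reword them as `/* FIXME: ... */` stating exactly what needs verifying. map_server_info_to_SERVER_INFO_buffer starts and ends outside this hunk.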
diff --git a/source3/rpc_server/srv_eventlog_lib.c 
b/source3/rpc_server/srv_eventlog_lib.c
index d8c5c3d..edd1cfa 100644
--- a/source3/rpc_server/srv_eventlog_lib.c
+++ b/source3/rpc_server/srv_eventlog_lib.c
@@ -560,6 +560,7 @@ bool parse_logentry( TALLOC_CTX *mem_ctx, char *line, 
struct eventlog_Record_tdb
                }
        } else if ( 0 == strncmp( start, "STR", stop - start ) ) {
                size_t tmp_len;
+               int num_of_strings;
                /* skip past initial ":" */
                stop++;
                /* now skip any other leading whitespace */
@@ -570,10 +571,15 @@ bool parse_logentry( TALLOC_CTX *mem_ctx, char *line, 
struct eventlog_Record_tdb
                if (tmp_len == (size_t)-1) {
                        return false;
                }
+               num_of_strings = entry->num_of_strings;
                if (!add_string_to_array(mem_ctx, stop, &entry->strings,
-                                        (int *)&entry->num_of_strings)) {
+                                        &num_of_strings)) {
                        return false;
                }
+               if (num_of_strings > 0xffff) {
+                       return false;
+               }
+               entry->num_of_strings = num_of_strings;
                entry->strings_len += tmp_len;
        } else if ( 0 == strncmp( start, "DAT", stop - start ) ) {
                /* skip past initial ":" */
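Review bot: The `num_of_strings > 0xffff` guard only runs after `add_string_to_array` has already appended `stop` to `entry->strings`, so on the rejected path the array has grown while `entry->num_of_strings` still holds the old count, leaving `entry` inconsistent for anything that inspects it after the `false` return. Rejecting before the call avoids that: `if (entry->num_of_strings == UINT16_MAX) { return false; }` placed ahead of `num_of_strings = entry->num_of_strings;`, and the post-call check can then compare against `UINT16_MAX` rather than the bare `0xffff` so the reason for the limit — the field is a uint16_t — is visible at the check. This assumes add_string_to_array increments `*num` by exactly one on success; parse_logentry continues outside the hunk.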


-- 
Samba Shared Repository
