The branch, master has been updated
via dc7f04aac78579edcd171bfcb9de901444c6c819 (commit)
via ea192f08e609fa4c4a48df1b27874b9ae2c1fa40 (commit)
from 612c5e746bd4d0059eb8bcb8dbb4944db155f071 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit dc7f04aac78579edcd171bfcb9de901444c6c819
Author: Günther Deschner <[email protected]>
Date: Tue Feb 17 10:14:58 2009 +0100
s3-netapi: fix Coverity #881 and #882.
Guenther
commit ea192f08e609fa4c4a48df1b27874b9ae2c1fa40
Author: Volker Lendecke <[email protected]>
Date: Sat Feb 14 18:01:20 2009 +0100
Fix an invalid typecasting
entry->num_of_strings is a uint16_t. Casting it with
(int *)&entry->num_of_strings
is wrong, because it gives add_string_to_array the illusion that the object
"num" points to is an int, which it is not.
On a machine where "int" is 32 or 64 bits long, what happens with that cast? "add_string_to_array" interprets the bytes that start where "num_of_strings" starts as an int, and writes the incremented int back over them. Under very particular circumstances this might work in a limited number of cases: when the byte order of an int is such that the lower-order bits are stored first (little-endian), the subsequent bytes which do not belong to the uint16_t happen to be 0, and the result of the increment still fits into the first 2 bytes of that int, i.e. the result is < 65536.
The correct solution to this problem is to use the implicit type conversion
that happens when an assignment is done.
BTW, this bug is found if you compile with -O3 -Wall, it shows up as a
warning:
rpc_server/srv_eventlog_lib.c:574: warning: dereferencing type-punned
pointer
will break strict-aliasing rules
Thanks,
Volker
-----------------------------------------------------------------------
Summary of changes:
source3/lib/netapi/serverinfo.c | 63 +++++++++++++++++++++++++++++----
source3/rpc_server/srv_eventlog_lib.c | 8 ++++-
2 files changed, 63 insertions(+), 8 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/lib/netapi/serverinfo.c b/source3/lib/netapi/serverinfo.c
index 02396a7..72ceec0 100644
--- a/source3/lib/netapi/serverinfo.c
+++ b/source3/lib/netapi/serverinfo.c
@@ -98,7 +98,6 @@ static NTSTATUS
map_server_info_to_SERVER_INFO_buffer(TALLOC_CTX *mem_ctx,
struct SERVER_INFO_403 i403;
struct SERVER_INFO_502 i502;
struct SERVER_INFO_503 i503;
- struct SERVER_INFO_598 i598;
struct SERVER_INFO_599 i599;
struct SERVER_INFO_1005 i1005;
#if 0
@@ -396,13 +395,63 @@ static NTSTATUS
map_server_info_to_SERVER_INFO_buffer(TALLOC_CTX *mem_ctx,
&num_info);
break;
- case 598:
- ADD_TO_ARRAY(mem_ctx, struct SERVER_INFO_598, i598,
- (struct SERVER_INFO_598 **)buffer,
- &num_info);
- break;
-
case 599:
+ i599.sv599_sessopens = i->info599->sessopen;
+ i599.sv599_opensearch =
i->info599->opensearch;
+ i599.sv599_sizreqbuf =
i->info599->sizereqbufs;
+ i599.sv599_initworkitems =
i->info599->initworkitems;
+ i599.sv599_maxworkitems =
i->info599->maxworkitems;
+ i599.sv599_rawworkitems =
i->info599->rawworkitems;
+ i599.sv599_irpstacksize =
i->info599->irpstacksize;
+ i599.sv599_maxrawbuflen =
i->info599->maxrawbuflen;
+ i599.sv599_sessusers = i->info599->sessusers;
+ i599.sv599_sessconns = i->info599->sessconns;
+ i599.sv599_maxpagedmemoryusage =
i->info599->maxpagedmemoryusage;
+ i599.sv599_maxnonpagedmemoryusage =
i->info599->maxnonpagedmemoryusage;
+ i599.sv599_enablesoftcompat =
i->info599->enablesoftcompat;
+ i599.sv599_enableforcedlogoff =
i->info599->enableforcedlogoff;
+ i599.sv599_timesource =
i->info599->timesource;
+ i599.sv599_acceptdownlevelapis =
i->info599->acceptdownlevelapis;
+ i599.sv599_lmannounce =
i->info599->lmannounce;
+ i599.sv599_domain =
talloc_strdup(mem_ctx, i->info599->domain);
+ i599.sv599_maxcopyreadlen =
i->info599->maxcopyreadlen;
+ i599.sv599_maxcopywritelen =
i->info599->maxcopywritelen;
+ i599.sv599_minkeepsearch =
i->info599->minkeepsearch;
+ i599.sv599_maxkeepsearch = 0; /* ?? */
+ i599.sv599_minkeepcomplsearch =
i->info599->minkeepcomplsearch;
+ i599.sv599_maxkeepcomplsearch =
i->info599->maxkeepcomplsearch;
+ i599.sv599_threadcountadd =
i->info599->threadcountadd;
+ i599.sv599_numblockthreads =
i->info599->numlockthreads; /* typo ? */
+ i599.sv599_scavtimeout =
i->info599->scavtimeout;
+ i599.sv599_minrcvqueue =
i->info599->minrcvqueue;
+ i599.sv599_minfreeworkitems =
i->info599->minfreeworkitems;
+ i599.sv599_xactmemsize =
i->info599->xactmemsize;
+ i599.sv599_threadpriority =
i->info599->threadpriority;
+ i599.sv599_maxmpxct = i->info599->maxmpxct;
+ i599.sv599_oplockbreakwait =
i->info599->oplockbreakwait;
+ i599.sv599_oplockbreakresponsewait =
i->info599->oplockbreakresponsewait;
+ i599.sv599_enableoplocks =
i->info599->enableoplocks;
+ i599.sv599_enableoplockforceclose =
i->info599->enableoplockforceclose;
+ i599.sv599_enablefcbopens =
i->info599->enablefcbopens;
+ i599.sv599_enableraw = i->info599->enableraw;
+ i599.sv599_enablesharednetdrives =
i->info599->enablesharednetdrives;
+ i599.sv599_minfreeconnections =
i->info599->minfreeconnections;
+ i599.sv599_maxfreeconnections =
i->info599->maxfreeconnections;
+ i599.sv599_initsesstable =
i->info599->initsesstable;
+ i599.sv599_initconntable =
i->info599->initconntable;
+ i599.sv599_initfiletable =
i->info599->initfiletable;
+ i599.sv599_initsearchtable =
i->info599->initsearchtable;
+ i599.sv599_alertschedule =
i->info599->alertsched;
+ i599.sv599_errorthreshold =
i->info599->errortreshold;
+ i599.sv599_networkerrorthreshold =
i->info599->networkerrortreshold;
+ i599.sv599_diskspacethreshold =
i->info599->diskspacetreshold;
+ i599.sv599_reserved = i->info599->reserved;
+ i599.sv599_maxlinkdelay =
i->info599->maxlinkdelay;
+ i599.sv599_minlinkthroughput =
i->info599->minlinkthroughput;
+ i599.sv599_linkinfovalidtime =
i->info599->linkinfovalidtime;
+ i599.sv599_scavqosinfoupdatetime =
i->info599->scavqosinfoupdatetime;
+ i599.sv599_maxworkitemidletime =
i->info599->maxworkitemidletime;
+
ADD_TO_ARRAY(mem_ctx, struct SERVER_INFO_599, i599,
(struct SERVER_INFO_599 **)buffer,
&num_info);
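Review bot: The `talloc_strdup(mem_ctx, i->info599->domain)` result assigned to sv599_domain is stored without a NULL check, so an allocation failure (or a NULL source domain, which talloc_strdup also maps to NULL) silently yields a buffer with a NULL domain string; since this function returns NTSTATUS, add `if (i599.sv599_domain == NULL) { return NT_STATUS_NO_MEMORY; }` after that assignment, or test the source pointer first if a NULL domain is legitimate here — which of the two applies cannot be told from this hunk. The `/* ?? */` on sv599_maxkeepsearch and `/* typo ? */` on sv599_numblockthreads leave open questions in the code; replace them with what is actually known, e.g. `/* no maxkeepsearch counterpart in the info599 source struct -- verify, reported as 0 */` and `/* source struct spells the field numlockthreads; maps to numblockthreads */`, so the next reader does not re-investigate. map_server_info_to_SERVER_INFO_buffer starts and ends outside this hunk.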
diff --git a/source3/rpc_server/srv_eventlog_lib.c
b/source3/rpc_server/srv_eventlog_lib.c
index d8c5c3d..edd1cfa 100644
--- a/source3/rpc_server/srv_eventlog_lib.c
+++ b/source3/rpc_server/srv_eventlog_lib.c
@@ -560,6 +560,7 @@ bool parse_logentry( TALLOC_CTX *mem_ctx, char *line,
struct eventlog_Record_tdb
}
} else if ( 0 == strncmp( start, "STR", stop - start ) ) {
size_t tmp_len;
+ int num_of_strings;
/* skip past initial ":" */
stop++;
/* now skip any other leading whitespace */
@@ -570,10 +571,15 @@ bool parse_logentry( TALLOC_CTX *mem_ctx, char *line,
struct eventlog_Record_tdb
if (tmp_len == (size_t)-1) {
return false;
}
+ num_of_strings = entry->num_of_strings;
if (!add_string_to_array(mem_ctx, stop, &entry->strings,
- (int *)&entry->num_of_strings)) {
+ &num_of_strings)) {
return false;
}
+ if (num_of_strings > 0xffff) {
+ return false;
+ }
+ entry->num_of_strings = num_of_strings;
entry->strings_len += tmp_len;
} else if ( 0 == strncmp( start, "DAT", stop - start ) ) {
/* skip past initial ":" */
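Review bot: The `num_of_strings > 0xffff` guard runs only after add_string_to_array has already grown entry->strings, so on the rejecting path the array holds one more element than entry->num_of_strings reports; parse_logentry returns false there, so whether a caller still looks at `entry` afterwards cannot be told from this hunk. Checking before the call, `if (entry->num_of_strings >= UINT16_MAX) { return false; }`, keeps the count and the array in step and skips the allocation for an entry that will be rejected anyway. The limit should also be spelled `UINT16_MAX` rather than the bare `0xffff`, since the point of the check is the width of the uint16_t field. parse_logentry begins and ends outside this hunk.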
--
Samba Shared Repository