The branch, v3-6-test has been updated via c0a7dbf Fox missing SMB_MALLOC return checks noticed by "Andreas Moroder <andreas.moro...@gmx.net>". via bb6d76f More paranoia to ensure SD's can't be set on read-only shares. from 0ef98b3 s3: Fix messsssages
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log ----------------------------------------------------------------- commit c0a7dbfc3466c57ff648bf3b22056755afac6746 Author: Jeremy Allison <j...@samba.org> Date: Thu Sep 9 15:29:03 2010 -0700 Fox missing SMB_MALLOC return checks noticed by "Andreas Moroder <andreas.moro...@gmx.net>". Jeremy. (cherry picked from commit 718fd39f10310d10ebc2276021d97d48f1163a88) commit bb6d76f708db53f9bbf52e2e28d8bfc4f9f108a7 Author: Jeremy Allison <j...@samba.org> Date: Thu Sep 9 15:28:43 2010 -0700 More paranoia to ensure SD's can't be set on read-only shares. Jeremy. (cherry picked from commit e6b85c2a7b3cfa0dd3c9859c88e5462c616d5a2a) ----------------------------------------------------------------------- Summary of changes: source3/lib/util_str.c | 3 +++ source3/lib/util_unistr.c | 10 ++++++++++ source3/libads/sasl.c | 16 +++++++++++++--- source3/libnet/libnet_samsync_ldif.c | 3 +++ source3/libsmb/cliconnect.c | 5 +++++ source3/smbd/nttrans.c | 4 ++++ 6 files changed, 38 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/lib/util_str.c b/source3/lib/util_str.c index f93832e..449b5d1 100644 --- a/source3/lib/util_str.c +++ b/source3/lib/util_str.c @@ -2067,6 +2067,9 @@ void string_append(char **left, const char *right) if (*left == NULL) { *left = (char *)SMB_MALLOC(new_len); + if (*left == NULL) { + return; + } *left[0] = '\0'; } else { new_len += strlen(*left); diff --git a/source3/lib/util_unistr.c b/source3/lib/util_unistr.c index f53ef94..4cda38d 100644 --- a/source3/lib/util_unistr.c +++ b/source3/lib/util_unistr.c @@ -109,6 +109,11 @@ void load_case_tables(void) if (!upcase_table) { DEBUG(1,("creating lame upcase table\n")); upcase_table = (smb_ucs2_t *)SMB_MALLOC(0x20000); + if (!upcase_table) { + smb_panic("lame upcase table malloc fail"); + /* notreached. */ + return; + } for (i=0;i<0x10000;i++) { smb_ucs2_t v; SSVAL(&v, 0, i); @@ -124,6 +129,11 @@ void load_case_tables(void) if (!lowcase_table) { DEBUG(1,("creating lame lowcase table\n")); lowcase_table = (smb_ucs2_t *)SMB_MALLOC(0x20000); + if (!lowcase_table) { + smb_panic("lame lowcase table malloc fail"); + /* notreached. */ + return; + } for (i=0;i<0x10000;i++) { smb_ucs2_t v; SSVAL(&v, 0, i); diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index 7ad4c9a..051fc96 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -987,6 +987,11 @@ static ADS_STATUS ads_sasl_gssapi_do_bind(ADS_STRUCT *ads, const gss_name_t serv output_token.length = 4; output_token.value = SMB_MALLOC(output_token.length); + if (!output_token.value) { + output_token.length = 0; + status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto failed; + } p = (uint8 *)output_token.value; RSIVAL(p,0,max_msg_size); @@ -1002,14 +1007,19 @@ static ADS_STATUS ads_sasl_gssapi_do_bind(ADS_STRUCT *ads, const gss_name_t serv */ gss_rc = gss_wrap(&minor_status, context_handle,0,GSS_C_QOP_DEFAULT, - &output_token, &conf_state, - &input_token); + &output_token, /* used as *input* here. */ + &conf_state, + &input_token); /* Used as *output* here. */ if (gss_rc) { status = ADS_ERROR_GSS(gss_rc, minor_status); + output_token.length = 0; + SAFE_FREE(output_token.value); goto failed; } - free(output_token.value); + /* We've finished with output_token. */ + SAFE_FREE(output_token.value); + output_token.length = 0; cred.bv_val = (char *)input_token.value; cred.bv_len = input_token.length; diff --git a/source3/libnet/libnet_samsync_ldif.c b/source3/libnet/libnet_samsync_ldif.c index f18ba5b..96bad4d 100644 --- a/source3/libnet/libnet_samsync_ldif.c +++ b/source3/libnet/libnet_samsync_ldif.c @@ -83,6 +83,9 @@ static NTSTATUS populate_ldap_for_ldif(const char *sid, if (suffix_attr == NULL) { len = strlen(suffix); suffix_attr = (char*)SMB_MALLOC(len+1); + if (!suffix_attr) { + return NT_STATUS_NO_MEMORY; + } memcpy(suffix_attr, suffix, len); suffix_attr[len] = '\0'; } diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 9d84585..23f7b35 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -2134,6 +2134,11 @@ static void cli_negprot_done(struct tevent_req *subreq) SAFE_FREE(cli->inbuf); cli->outbuf = (char *)SMB_MALLOC(CLI_SAMBA_MAX_LARGE_READX_SIZE+LARGE_WRITEX_HDR_SIZE+SAFETY_MARGIN); cli->inbuf = (char *)SMB_MALLOC(CLI_SAMBA_MAX_LARGE_READX_SIZE+LARGE_WRITEX_HDR_SIZE+SAFETY_MARGIN); + if (!cli->outbuf || !cli->inbuf) { + tevent_req_nterror(req, + NT_STATUS_NO_MEMORY); + return; + } cli->bufsize = CLI_SAMBA_MAX_LARGE_READX_SIZE + LARGE_WRITEX_HDR_SIZE; } diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index 09aafda..ac5cc2f 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -835,6 +835,10 @@ NTSTATUS set_sd(files_struct *fsp, uint8_t *data, uint32_t sd_len, struct security_descriptor *psd = NULL; NTSTATUS status; + if (!CAN_WRITE(fsp->conn)) { + return NT_STATUS_ACCESS_DENIED; + } + if (sd_len == 0 || !lp_nt_acl_support(SNUM(fsp->conn))) { return NT_STATUS_OK; } -- Samba Shared Repository