The branch, v3-6-test has been updated
       via  c0a7dbf Fix missing SMB_MALLOC return checks noticed by "Andreas 
Moroder <andreas.moro...@gmx.net>".
       via  bb6d76f More paranoia to ensure SD's can't be set on read-only 
shares.
      from  0ef98b3 s3: Fix messsssages

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test


- Log -----------------------------------------------------------------
commit c0a7dbfc3466c57ff648bf3b22056755afac6746
Author: Jeremy Allison <j...@samba.org>
Date:   Thu Sep 9 15:29:03 2010 -0700

    Fix missing SMB_MALLOC return checks noticed by "Andreas Moroder 
<andreas.moro...@gmx.net>".
    
    Jeremy.
    (cherry picked from commit 718fd39f10310d10ebc2276021d97d48f1163a88)

commit bb6d76f708db53f9bbf52e2e28d8bfc4f9f108a7
Author: Jeremy Allison <j...@samba.org>
Date:   Thu Sep 9 15:28:43 2010 -0700

    More paranoia to ensure SD's can't be set on read-only shares.
    
    Jeremy.
    (cherry picked from commit e6b85c2a7b3cfa0dd3c9859c88e5462c616d5a2a)

-----------------------------------------------------------------------

Summary of changes:
 source3/lib/util_str.c               |    3 +++
 source3/lib/util_unistr.c            |   10 ++++++++++
 source3/libads/sasl.c                |   16 +++++++++++++---
 source3/libnet/libnet_samsync_ldif.c |    3 +++
 source3/libsmb/cliconnect.c          |    5 +++++
 source3/smbd/nttrans.c               |    4 ++++
 6 files changed, 38 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/lib/util_str.c b/source3/lib/util_str.c
index f93832e..449b5d1 100644
--- a/source3/lib/util_str.c
+++ b/source3/lib/util_str.c
@@ -2067,6 +2067,9 @@ void string_append(char **left, const char *right)
 
        if (*left == NULL) {
                *left = (char *)SMB_MALLOC(new_len);
+               if (*left == NULL) {
+                       return;
+               }
                *left[0] = '\0';
        } else {
                new_len += strlen(*left);
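Review bot: The new early return in the `*left == NULL` branch drops the append silently: `string_append` returns void, so a caller cannot tell a failed allocation from a successful append and simply sees `*left` still NULL. Since the signature cannot report the failure, I would at least log it, e.g. `DEBUG(0,("string_append: out of memory\n"));` before the `return;`, and say in the function's header comment that `*left` may remain NULL on allocation failure. The `else` branch that grows an existing string continues outside the hunk, so I can't tell whether its allocation is checked in the same way.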
diff --git a/source3/lib/util_unistr.c b/source3/lib/util_unistr.c
index f53ef94..4cda38d 100644
--- a/source3/lib/util_unistr.c
+++ b/source3/lib/util_unistr.c
@@ -109,6 +109,11 @@ void load_case_tables(void)
        if (!upcase_table) {
                DEBUG(1,("creating lame upcase table\n"));
                upcase_table = (smb_ucs2_t *)SMB_MALLOC(0x20000);
+               if (!upcase_table) {
+                       smb_panic("lame upcase table malloc fail");
+                       /* notreached. */
+                       return;
+               }
                for (i=0;i<0x10000;i++) {
                        smb_ucs2_t v;
                        SSVAL(&v, 0, i);
@@ -124,6 +129,11 @@ void load_case_tables(void)
        if (!lowcase_table) {
                DEBUG(1,("creating lame lowcase table\n"));
                lowcase_table = (smb_ucs2_t *)SMB_MALLOC(0x20000);
+               if (!lowcase_table) {
+                       smb_panic("lame lowcase table malloc fail");
+                       /* notreached. */
+                       return;
+               }
                for (i=0;i<0x10000;i++) {
                        smb_ucs2_t v;
                        SSVAL(&v, 0, i);
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 7ad4c9a..051fc96 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -987,6 +987,11 @@ static ADS_STATUS ads_sasl_gssapi_do_bind(ADS_STRUCT *ads, 
const gss_name_t serv
 
        output_token.length = 4;
        output_token.value = SMB_MALLOC(output_token.length);
+       if (!output_token.value) {
+               output_token.length = 0;
+               status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+               goto failed;
+       }
        p = (uint8 *)output_token.value;
 
        RSIVAL(p,0,max_msg_size);
@@ -1002,14 +1007,19 @@ static ADS_STATUS ads_sasl_gssapi_do_bind(ADS_STRUCT 
*ads, const gss_name_t serv
         */
 
        gss_rc = gss_wrap(&minor_status, context_handle,0,GSS_C_QOP_DEFAULT,
-                         &output_token, &conf_state,
-                         &input_token);
+                       &output_token, /* used as *input* here. */
+                       &conf_state,
+                       &input_token); /* Used as *output* here. */
        if (gss_rc) {
                status = ADS_ERROR_GSS(gss_rc, minor_status);
+               output_token.length = 0;
+               SAFE_FREE(output_token.value);
                goto failed;
        }
 
-       free(output_token.value);
+       /* We've finished with output_token. */
+       SAFE_FREE(output_token.value);
+       output_token.length = 0;
 
        cred.bv_val = (char *)input_token.value;
        cred.bv_len = input_token.length;
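Review bot: Releasing `output_token.value` is now spelled out by hand on each exit, in the `gss_rc` failure branch and on the success path here, so a `goto failed` added later between the `SMB_MALLOC` in the previous hunk and these frees would leak the buffer. The `failed:` label is outside both hunks, so I can't tell whether it already cleans up; if it does not, a single `SAFE_FREE(output_token.value);` there would cover every path and the per-branch copies could go. A short comment at the allocation would also help, stating that `output_token` is allocated here with `SMB_MALLOC` and must be released with `SAFE_FREE`, because `input_token` just below is filled in by `gss_wrap` and presumably follows the GSS release rules instead.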
diff --git a/source3/libnet/libnet_samsync_ldif.c 
b/source3/libnet/libnet_samsync_ldif.c
index f18ba5b..96bad4d 100644
--- a/source3/libnet/libnet_samsync_ldif.c
+++ b/source3/libnet/libnet_samsync_ldif.c
@@ -83,6 +83,9 @@ static NTSTATUS populate_ldap_for_ldif(const char *sid,
        if (suffix_attr == NULL) {
                len = strlen(suffix);
                suffix_attr = (char*)SMB_MALLOC(len+1);
+               if (!suffix_attr) {
+                       return NT_STATUS_NO_MEMORY;
+               }
                memcpy(suffix_attr, suffix, len);
                suffix_attr[len] = '\0';
        }
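Review bot: The added `return NT_STATUS_NO_MEMORY;` leaves `populate_ldap_for_ldif` directly, and the function's earlier lines are outside the hunk, so anything it acquired before this point (open files, other buffers) would need to be confirmed as released on this path. As a style point, the `strlen` / `SMB_MALLOC(len+1)` / `memcpy` / terminator sequence is a hand-written string duplicate; `suffix_attr = SMB_STRDUP(suffix);` followed by the same NULL check would say the same thing with less room for an off-by-one.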
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 9d84585..23f7b35 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -2134,6 +2134,11 @@ static void cli_negprot_done(struct tevent_req *subreq)
                        SAFE_FREE(cli->inbuf);
                        cli->outbuf = (char 
*)SMB_MALLOC(CLI_SAMBA_MAX_LARGE_READX_SIZE+LARGE_WRITEX_HDR_SIZE+SAFETY_MARGIN);
                        cli->inbuf = (char 
*)SMB_MALLOC(CLI_SAMBA_MAX_LARGE_READX_SIZE+LARGE_WRITEX_HDR_SIZE+SAFETY_MARGIN);
+                       if (!cli->outbuf || !cli->inbuf) {
+                               tevent_req_nterror(req,
+                                               NT_STATUS_NO_MEMORY);
+                               return;
+                       }
                        cli->bufsize = CLI_SAMBA_MAX_LARGE_READX_SIZE + 
LARGE_WRITEX_HDR_SIZE;
                }
 
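Review bot: When only one of the two `SMB_MALLOC` calls fails, the new `if (!cli->outbuf || !cli->inbuf)` branch returns with `cli` half-updated: the old buffers are already freed, one pointer is NULL, the other holds the larger allocation, and `cli->bufsize` still has its previous value. The request is failed with `NT_STATUS_NO_MEMORY`, but any later code that touches `cli->outbuf` or `cli->inbuf` on this connection would dereference NULL. Allocating into temporaries and replacing the old buffers only once both allocations have succeeded keeps the structure consistent. The `SAFE_FREE` of `cli->outbuf` is presumably on the line just before the hunk, and the temporaries would have to be declared at the top of the enclosing block to match the file's style.
```c
/* declared at the top of the enclosing block */
char *new_outbuf = (char *)SMB_MALLOC(CLI_SAMBA_MAX_LARGE_READX_SIZE+LARGE_WRITEX_HDR_SIZE+SAFETY_MARGIN);
char *new_inbuf = (char *)SMB_MALLOC(CLI_SAMBA_MAX_LARGE_READX_SIZE+LARGE_WRITEX_HDR_SIZE+SAFETY_MARGIN);

if (!new_outbuf || !new_inbuf) {
	/* Old buffers are still in place, so cli stays usable. */
	SAFE_FREE(new_outbuf);
	SAFE_FREE(new_inbuf);
	tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
	return;
}
SAFE_FREE(cli->outbuf);
SAFE_FREE(cli->inbuf);
cli->outbuf = new_outbuf;
cli->inbuf = new_inbuf;
/* … unchanged: cli->bufsize assignment … */
```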
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 09aafda..ac5cc2f 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -835,6 +835,10 @@ NTSTATUS set_sd(files_struct *fsp, uint8_t *data, uint32_t 
sd_len,
        struct security_descriptor *psd = NULL;
        NTSTATUS status;
 
+       if (!CAN_WRITE(fsp->conn)) {
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        if (sd_len == 0 || !lp_nt_acl_support(SNUM(fsp->conn))) {
                return NT_STATUS_OK;
        }
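Review bot: The new `CAN_WRITE(fsp->conn)` test sits ahead of the `sd_len == 0 || !lp_nt_acl_support(...)` early-out, so on a read-only share a zero-length descriptor, or a share without NT ACL support, now gets `NT_STATUS_ACCESS_DENIED` where it used to get `NT_STATUS_OK`. If that is intended, a comment should say so, for example `/* Defence in depth: never set an SD on a read-only share, even if the caller skipped its own check. */`. If it is not intended, the check belongs after the early-out. Note also that `CAN_WRITE` tests the share-level setting only; whether the handle was opened with the access needed to change the descriptor must be enforced by code outside this hunk, which I can't see here.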


-- 
Samba Shared Repository
