The branch, v3-6-test has been updated via 25446bd Fix all sid_parse returns to be checked. Tidy up some checks and error messages. via e8f17bb s3-smbd: prevent call_nt_transact_ioctl() crash in FSCTL_FIND_FILES_BY_SID case. from 1cfef70 Add check for invalid data size.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log ----------------------------------------------------------------- commit 25446bd3b6c3eed8dc43e3565960013ba3df6324 Author: Jeremy Allison <j...@samba.org> Date: Wed Sep 15 15:40:15 2010 -0700 Fix all sid_parse returns to be checked. Tidy up some checks and error messages. Jeremy. (cherry picked from commit 447d96878a8b5a335447c37eca2a46b7133caa78) commit e8f17bb55bee36673d8a84dffd3e72740d6407e6 Author: Günther Deschner <g...@samba.org> Date: Thu Sep 16 00:19:51 2010 +0200 s3-smbd: prevent call_nt_transact_ioctl() crash in FSCTL_FIND_FILES_BY_SID case. Jeremy, please check. Guenther (cherry picked from commit db8cfda320d0e2453d01cdae884fd8aa108bcda7) ----------------------------------------------------------------------- Summary of changes: source3/libads/ldap.c | 4 +++- source3/libsmb/cliquota.c | 4 +++- source3/smbd/nttrans.c | 22 ++++++++++++++++------ 3 files changed, 22 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 970f20a..97d89dc 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -2145,7 +2145,9 @@ static void dump_sid(ADS_STRUCT *ads, const char *field, struct berval **values) for (i=0; values[i]; i++) { struct dom_sid sid; fstring tmp; - sid_parse(values[i]->bv_val, values[i]->bv_len, &sid); + if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) { + return; + } printf("%s: %s\n", field, sid_to_fstring(tmp, &sid)); } } diff --git a/source3/libsmb/cliquota.c b/source3/libsmb/cliquota.c index 6642cf0..c001f5e 100644 --- a/source3/libsmb/cliquota.c +++ b/source3/libsmb/cliquota.c @@ -112,7 +112,9 @@ static bool parse_user_quota_record(const char *rdata, unsigned int rdata_count, } #endif /* LARGE_SMB_OFF_T */ - sid_parse(rdata+40,sid_len,&qt.sid); + if (!sid_parse(rdata+40,sid_len,&qt.sid)) { + return false; + } qt.qtype = SMB_USER_QUOTA_TYPE; 
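Review bot: The bare `return;` added inside dump_sid()'s value loop stops the whole dump at the first value that sid_parse() rejects, so every later SID of the attribute is silently not printed and nothing says why. For a debugging dumper the better reaction is to skip the bad value and carry on, e.g. `DEBUG(1, ("%s: could not parse SID value %d\n", field, i)); continue;` in place of the `return;`. The signature line of dump_sid() is outside the hunk (it is only echoed in the hunk header), so the loop is all that is visible here.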
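Review bot: The `rdata_count < 40+sid_len` length check that presumably precedes this hunk in parse_user_quota_record() (sid_len is already being used at `rdata+40` here) lacks the wrap guard this same commit adds to the equivalent `data_count < 40+sid_len` check in call_nt_transact_set_user_quota(). Rather than copying the `40+sid_len < sid_len` form, the bound can be written with no addition at all once `rdata_count < 40` has been rejected: `if (sid_len > rdata_count - 40) { return false; }`, which is safe for either signedness of sid_len and on 32-bit builds. The start of parse_user_quota_record(), including that check and sid_len's declaration, is outside this hunk, so this needs confirming against the full function.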
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index a0ea0d6..c95784e 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -2254,7 +2254,10 @@ static void call_nt_transact_ioctl(connection_struct *conn, /* unknown 4 bytes: this is not the length of the sid :-( */ /*unknown = IVAL(pdata,0);*/ - sid_parse(pdata+4,sid_len,&sid); + if (!sid_parse(pdata+4,sid_len,&sid)) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + return; + } DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid))); if (!sid_to_uid(&sid, &uid)) { @@ -2568,7 +2571,10 @@ static void call_nt_transact_get_user_quota(connection_struct *conn, break; } - sid_parse(pdata+8,sid_len,&sid); + if (!sid_parse(pdata+8,sid_len,&sid)) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + return; + } if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) { ZERO_STRUCT(qt); @@ -2685,7 +2691,7 @@ static void call_nt_transact_set_user_quota(connection_struct *conn, if (data_count < 40) { DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= %d bytes data\n",data_count,40)); - reply_nterror(req, NT_STATUS_INVALID_LEVEL); + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); return; } @@ -2697,9 +2703,9 @@ static void call_nt_transact_set_user_quota(connection_struct *conn, /* sid len */ sid_len = IVAL(pdata,4); - if (data_count < 40+sid_len) { + if (data_count < 40+sid_len || (40+sid_len < sid_len)) { DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= %lu bytes data\n",data_count,(unsigned long)40+sid_len)); - reply_nterror(req, NT_STATUS_INVALID_LEVEL); + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); return; } @@ -2749,7 +2755,11 @@ static void call_nt_transact_set_user_quota(connection_struct *conn, } #endif /* LARGE_SMB_OFF_T */ - sid_parse(pdata+40,sid_len,&sid); + if (!sid_parse(pdata+40,sid_len,&sid)) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + return; + } + DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid))); /* 44 unknown bytes left... */ -- Samba Shared Repository
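Review bot: The new sid_parse() failure branch in the FSCTL_FIND_FILES_BY_SID case replies NT_STATUS_INVALID_PARAMETER without logging anything, whereas the other rejection paths in this file (the data_count checks in call_nt_transact_set_user_quota) emit a DEBUG() before replying; an unparsable SID sent by a client is worth one line at a non-zero level, e.g. `DEBUG(5,("FSCTL_FIND_FILES_BY_SID: invalid SID of length %lu\n", (unsigned long)sid_len));` ahead of the reply_nterror(). The hunk does not show how sid_len is derived from data_count, so whether `pdata+4 .. pdata+4+sid_len` is guaranteed to lie inside the received data cannot be confirmed from here. call_nt_transact_ioctl() starts and ends outside the hunk.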
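Review bot: The length check that justifies reading a client-supplied `sid_len` bytes at `pdata+8` in call_nt_transact_get_user_quota() is presumably above this hunk, and the sibling check in call_nt_transact_set_user_quota() receives an overflow guard in this commit while nothing here suggests the one in this function does. If that check has the `data_count < 8+sid_len` shape, the addition-free form `if (sid_len > data_count - 8)` (valid once `data_count < 8` has been rejected) is the safer replacement, as it cannot wrap for any type of sid_len. Both that check and the function's start lie outside the hunk, so this needs confirming against the full function.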
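Review bot: The added wrap guard `(40+sid_len < sid_len)` only does its job if `sid_len` is an unsigned type: with a signed sid_len the overflowing addition is undefined behaviour and GCC at -O2 is entitled to fold the comparison to false, and sid_len's declaration is outside this hunk so its type cannot be confirmed here. Since the preceding hunk already rejects `data_count < 40`, the bound can be expressed without any addition, `if (sid_len > data_count - 40) {`, which is correct for either signedness and on 32-bit as well as 64-bit builds. call_nt_transact_set_user_quota() starts and ends outside this hunk.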