[SCM] Samba Shared Repository - branch v3-6-test updated

Jeremy Allison Wed, 15 Sep 2010 15:42:42 -0700

The branch, v3-6-test has been updated
       via  25446bd Fix all sid_parse returns to be checked. Tidy up some 
checks and error messages.
       via  e8f17bb s3-smbd: prevent call_nt_transact_ioctl() crash in 
FSCTL_FIND_FILES_BY_SID case.
      from  1cfef70 Add check for invalid data size.


http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test


- Log -----------------------------------------------------------------
commit 25446bd3b6c3eed8dc43e3565960013ba3df6324
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Sep 15 15:40:15 2010 -0700

    Fix all sid_parse returns to be checked. Tidy up some checks and error
    messages.
    
    Jeremy.
    (cherry picked from commit 447d96878a8b5a335447c37eca2a46b7133caa78)

commit e8f17bb55bee36673d8a84dffd3e72740d6407e6
Author: GÃ¼nther Deschner <g...@samba.org>
Date:   Thu Sep 16 00:19:51 2010 +0200

    s3-smbd: prevent call_nt_transact_ioctl() crash in FSCTL_FIND_FILES_BY_SID 
case.
    
    Jeremy, please check.
    
    Guenther
    (cherry picked from commit db8cfda320d0e2453d01cdae884fd8aa108bcda7)

-----------------------------------------------------------------------

Summary of changes:
 source3/libads/ldap.c     |    4 +++-
 source3/libsmb/cliquota.c |    4 +++-
 source3/smbd/nttrans.c    |   22 ++++++++++++++++------
 3 files changed, 22 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 970f20a..97d89dc 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -2145,7 +2145,9 @@ static void dump_sid(ADS_STRUCT *ads, const char *field, 
struct berval **values)
        for (i=0; values[i]; i++) {
                struct dom_sid sid;
                fstring tmp;
-               sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
+               if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) {
+                       return;
+               }
                printf("%s: %s\n", field, sid_to_fstring(tmp, &sid));
        }
 }
diff --git a/source3/libsmb/cliquota.c b/source3/libsmb/cliquota.c
index 6642cf0..c001f5e 100644
--- a/source3/libsmb/cliquota.c
+++ b/source3/libsmb/cliquota.c
@@ -112,7 +112,9 @@ static bool parse_user_quota_record(const char *rdata, 
unsigned int rdata_count,
        }
 #endif /* LARGE_SMB_OFF_T */
 
-       sid_parse(rdata+40,sid_len,&qt.sid);
+       if (!sid_parse(rdata+40,sid_len,&qt.sid)) {
+               return false;
+       }
 
        qt.qtype = SMB_USER_QUOTA_TYPE;
 
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index a0ea0d6..c95784e 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -2254,7 +2254,10 @@ static void call_nt_transact_ioctl(connection_struct 
*conn,
                /* unknown 4 bytes: this is not the length of the sid :-(  */
                /*unknown = IVAL(pdata,0);*/
 
-               sid_parse(pdata+4,sid_len,&sid);
+               if (!sid_parse(pdata+4,sid_len,&sid)) {
+                       reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+                       return;
+               }
                DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid)));
 
                if (!sid_to_uid(&sid, &uid)) {
@@ -2568,7 +2571,10 @@ static void 
call_nt_transact_get_user_quota(connection_struct *conn,
                                break;
                        }
 
-                       sid_parse(pdata+8,sid_len,&sid);
+                       if (!sid_parse(pdata+8,sid_len,&sid)) {
+                               reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+                               return;
+                       }
 
                        if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, 
&qt)!=0) {
                                ZERO_STRUCT(qt);
@@ -2685,7 +2691,7 @@ static void 
call_nt_transact_set_user_quota(connection_struct *conn,
 
        if (data_count < 40) {
                DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= %d bytes 
data\n",data_count,40));
-               reply_nterror(req, NT_STATUS_INVALID_LEVEL);
+               reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
                return;
        }
 
@@ -2697,9 +2703,9 @@ static void 
call_nt_transact_set_user_quota(connection_struct *conn,
        /* sid len */
        sid_len = IVAL(pdata,4);
 
-       if (data_count < 40+sid_len) {
+       if (data_count < 40+sid_len || (40+sid_len < sid_len)) {
                DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= %lu bytes 
data\n",data_count,(unsigned long)40+sid_len));
-               reply_nterror(req, NT_STATUS_INVALID_LEVEL);
+               reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
                return;
        }
 
@@ -2749,7 +2755,11 @@ static void 
call_nt_transact_set_user_quota(connection_struct *conn,
        }
 #endif /* LARGE_SMB_OFF_T */
 
-       sid_parse(pdata+40,sid_len,&sid);
+       if (!sid_parse(pdata+40,sid_len,&sid)) {
+               reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+               return;
+       }
+
        DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid)));
 
        /* 44 unknown bytes left... */


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch v3-6-test updated

Reply via email to