The branch, master has been updated
via 689f42a s3:registry: enhance debugging of deletekey_recursive
via 7eeb168 s3:dbwrap_ctdb: improve transaction start/commit/cancel
debugging
via 0aa85ec s3:lib: fix a comment in tdb_unpack()
via 32b7411 s3:registry: fix regdb_key_exists: the record has to
contain at least the 4-byte subkey counter
via 8a36e72 s3: avoid reading past the end of buffer in tdb_unpack 'f'
if zero termination is missing
via 39f9c85 s3: avoid reading past the end of buffer in tdb_unpack 'P'
if zero termination is missing
from 043c521 build: link pys3param against pytalloc-util not pytalloc
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 689f42af29572d1d9e135c0d20e07fb690a6d2d4
Author: Michael Adam <[email protected]>
Date: Sun Aug 14 23:48:41 2011 +0200
s3:registry: enhance debugging of deletekey_recursive
Autobuild-User: Michael Adam <[email protected]>
Autobuild-Date: Mon Aug 15 19:34:44 CEST 2011 on sn-devel-104
commit 7eeb1685237da3867f58504c694d55dcf582b55b
Author: Michael Adam <[email protected]>
Date: Sun Aug 14 23:47:47 2011 +0200
s3:dbwrap_ctdb: improve transaction start/commit/cancel debugging
* also log nesting transaction start/commit/cancel
* unify transaction log messages slightly
commit 0aa85ec43a7973836681b5b79b3778bb64cdec00
Author: Michael Adam <[email protected]>
Date: Mon Aug 15 13:34:42 2011 +0200
s3:lib: fix a comment in tdb_unpack()
commit 32b74111040f503cf033cdca8d1fbd621543004b
Author: Michael Adam <[email protected]>
Date: Mon Aug 15 01:30:32 2011 +0200
s3:registry: fix regdb_key_exists: the record has to contain at least the
4-byte subkey counter
More precisley, we return false if the record does not match the required
structure of a leading 4-byte subkey counter followed by the corresponding
number zero-terminated strings.
commit 8a36e721407dd8eb3b1df71fbbbc7a6e3c804e48
Author: Gregor Beck <[email protected]>
Date: Tue Jul 5 11:55:34 2011 +0200
s3: avoid reading past the end of buffer in tdb_unpack 'f' if zero
termination is missing
Signed-off-by: Michael Adam <[email protected]>
commit 39f9c854ae258424deea7fcc004077404149dfe5
Author: Gregor Beck <[email protected]>
Date: Tue Jul 5 11:54:58 2011 +0200
s3: avoid reading past the end of buffer in tdb_unpack 'P' if zero
termination is missing
Signed-off-by: Michael Adam <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
source3/lib/dbwrap/dbwrap_ctdb.c | 10 ++++-
source3/lib/util_tdb.c | 8 +++--
source3/registry/reg_api.c | 14 +++++++
source3/registry/reg_backend_db.c | 73 ++++++++++++++++++++++++++++++++++++-
4 files changed, 99 insertions(+), 6 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/lib/dbwrap/dbwrap_ctdb.c b/source3/lib/dbwrap/dbwrap_ctdb.c
index 454a283..ada5cfc 100644
--- a/source3/lib/dbwrap/dbwrap_ctdb.c
+++ b/source3/lib/dbwrap/dbwrap_ctdb.c
@@ -335,6 +335,8 @@ static int db_ctdb_transaction_start(struct db_context *db)
if (ctx->transaction) {
ctx->transaction->nesting++;
+ DEBUG(5, (__location__ " transaction start on db 0x%08x:
nesting %d -> %d\n",
+ ctx->db_id, ctx->transaction->nesting - 1,
ctx->transaction->nesting));
return 0;
}
@@ -369,7 +371,7 @@ static int db_ctdb_transaction_start(struct db_context *db)
ctx->transaction = h;
- DEBUG(5,(__location__ " Started transaction on db 0x%08x\n",
ctx->db_id));
+ DEBUG(5,(__location__ " transaction started on db 0x%08x\n",
ctx->db_id));
return 0;
}
@@ -786,6 +788,8 @@ static int db_ctdb_transaction_commit(struct db_context *db)
if (h->nesting != 0) {
h->nesting--;
+ DEBUG(5, (__location__ " transaction commit on db 0x%08x:
nesting %d -> %d\n",
+ ctx->db_id, ctx->transaction->nesting + 1,
ctx->transaction->nesting));
return 0;
}
@@ -798,7 +802,7 @@ static int db_ctdb_transaction_commit(struct db_context *db)
goto done;
}
- DEBUG(5,(__location__ " Commit transaction on db 0x%08x\n",
ctx->db_id));
+ DEBUG(5,(__location__ " transaction commit on db 0x%08x\n",
ctx->db_id));
/*
* As the last db action before committing, bump the database sequence
@@ -891,6 +895,8 @@ static int db_ctdb_transaction_cancel(struct db_context *db)
if (h->nesting != 0) {
h->nesting--;
h->nested_cancel = true;
+ DEBUG(5, (__location__ " transaction cancel on db 0x%08x:
nesting %d -> %d\n",
+ ctx->db_id, ctx->transaction->nesting + 1,
ctx->transaction->nesting));
return 0;
}
diff --git a/source3/lib/util_tdb.c b/source3/lib/util_tdb.c
index ade46bf..93842e4 100644
--- a/source3/lib/util_tdb.c
+++ b/source3/lib/util_tdb.c
@@ -388,7 +388,7 @@ int tdb_unpack(const uint8 *buf, int bufsize, const char
*fmt, ...)
goto no_space;
*w = SVAL(buf, 0);
break;
- case 'd': /* signed 32-bit integer (standard int in most
systems) */
+ case 'd': /* unsigned 32-bit integer (standard int in most
systems) */
len = 4;
d = va_arg(ap, uint32 *);
if (bufsize < len)
@@ -410,12 +410,14 @@ int tdb_unpack(const uint8 *buf, int bufsize, const char
*fmt, ...)
case 'P': /* null-terminated string */
/* Return malloc'ed string. */
ps = va_arg(ap,char **);
- len = strlen((const char *)buf) + 1;
+ len = strnlen((const char *)buf, bufsize) + 1;
+ if (bufsize < len)
+ goto no_space;
*ps = SMB_STRDUP((const char *)buf);
break;
case 'f': /* null-terminated string */
s = va_arg(ap,char *);
- len = strlen((const char *)buf) + 1;
+ len = strnlen((const char *)buf, bufsize) + 1;
if (bufsize < len || len > sizeof(fstring))
goto no_space;
memcpy(s, buf, len);
diff --git a/source3/registry/reg_api.c b/source3/registry/reg_api.c
index 289f77d..372f2d3 100644
--- a/source3/registry/reg_api.c
+++ b/source3/registry/reg_api.c
@@ -815,9 +815,15 @@ static WERROR reg_deletekey_recursive_internal(struct
registry_key *parent,
uint32 i;
TALLOC_CTX *mem_ctx = talloc_stackframe();
+ DEBUG(5, ("reg_deletekey_recursive_internal: deleting '%s' from '%s'\n",
+ path, parent->key->name));
+
/* recurse through subkeys first */
werr = reg_openkey(mem_ctx, parent, path, REG_KEY_ALL, &key);
if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(3, ("reg_deletekey_recursive_internal: error opening "
+ "subkey '%s' of '%s': '%s'\n",
+ path, parent->key->name, win_errstr(werr)));
goto done;
}
@@ -840,6 +846,10 @@ static WERROR reg_deletekey_recursive_internal(struct
registry_key *parent,
}
done:
+
+ DEBUG(5, ("reg_deletekey_recursive_internal: done deleting '%s' from "
+ "'%s': %s\n",
+ path, parent->key->name, win_errstr(werr)));
TALLOC_FREE(mem_ctx);
return werr;
}
@@ -883,6 +893,10 @@ static WERROR reg_deletekey_recursive_trans(struct
registry_key *parent,
DEBUG(0, ("reg_deletekey_recursive_trans: "
"error committing transaction: %s\n",
win_errstr(werr)));
+ } else {
+ DEBUG(5, ("reg_reletekey_recursive_trans: deleted key
'%s' from '%s'\n",
+ path, parent->key->name));
+
}
}
diff --git a/source3/registry/reg_backend_db.c
b/source3/registry/reg_backend_db.c
index 57d6d39..4e10bf6 100644
--- a/source3/registry/reg_backend_db.c
+++ b/source3/registry/reg_backend_db.c
@@ -1389,6 +1389,11 @@ static TDB_DATA regdb_fetch_key_internal(struct
db_context *db,
* Existence of a key is authoritatively defined by
* the existence of the record that contains the list
* of its subkeys.
+ *
+ * Return false, if the record does not match the correct
+ * structure of an initial 4-byte counter and then a
+ * list of the corresponding number of zero-terminated
+ * strings.
*/
static bool regdb_key_exists(struct db_context *db, const char *key)
{
@@ -1396,6 +1401,10 @@ static bool regdb_key_exists(struct db_context *db,
const char *key)
TDB_DATA value;
bool ret = false;
char *path;
+ uint32_t buflen;
+ const char *buf;
+ uint32_t num_items, i;
+ int32_t len;
if (key == NULL) {
goto done;
@@ -1412,7 +1421,69 @@ static bool regdb_key_exists(struct db_context *db,
const char *key)
}
value = regdb_fetch_key_internal(db, mem_ctx, path);
- ret = (value.dptr != NULL);
+ if (value.dptr == NULL) {
+ goto done;
+ }
+
+ if (value.dsize == 0) {
+ DEBUG(10, ("regdb_key_exists: subkeylist-record for key "
+ "[%s] is empty: Could be a deleted record in a "
+ "clustered (ctdb) environment?\n",
+ path));
+ goto done;
+ }
+
+ len = tdb_unpack(value.dptr, value.dsize, "d", &num_items);
+ if (len == (int32_t)-1) {
+ DEBUG(1, ("regdb_key_exists: ERROR: subkeylist-record for key "
+ "[%s] is invalid: Could not parse initial 4-byte "
+ "counter. record data length is %u.\n",
+ path, (unsigned int)value.dsize));
+ goto done;
+ }
+
+ /*
+ * Note: the tdb_unpack check above implies that len <= value.dsize
+ */
+ buflen = value.dsize - len;
+ buf = (const char *)value.dptr + len;
+
+ len = 0;
+
+ for (i = 0; i < num_items; i++) {
+ if (buflen == 0) {
+ break;
+ }
+ len = strnlen(buf, buflen) + 1;
+ if (buflen < len) {
+ DEBUG(1, ("regdb_key_exists: ERROR: subkeylist-record "
+ "for key [%s] is corrupt: %u items expected, "
+ "item number %u is not zero terminated.\n",
+ path, num_items, i+1));
+ goto done;
+ }
+
+ buf += len;
+ buflen -= len;
+ }
+
+ if (buflen > 0) {
+ DEBUG(1, ("regdb_key_exists: ERROR: subkeylist-record for key "
+ "[%s] is corrupt: %u items expected and found, but "
+ "the record contains additional %u bytes\n",
+ path, num_items, buflen));
+ goto done;
+ }
+
+ if (i < num_items) {
+ DEBUG(1, ("regdb_key_exists: ERROR: subkeylist-record for key "
+ "[%s] is corrupt: %u items expected, but only %u "
+ "items found.\n",
+ path, num_items, i+1));
+ goto done;
+ }
+
+ ret = true;
done:
TALLOC_FREE(mem_ctx);
--
Samba Shared Repository
