The branch, master has been updated
       via  f58545d lib: Simplify iov_buf
       via  0e26e0f unix_msg: Fix 80-line formatting
       via  764cfda Make sure response->extra_data.data is always cleared out
      from  fb35a22 test: Fix quoting

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f58545dbc2836cd3fdf351babb1304d84fd3e06d
Author: Volker Lendecke <[email protected]>
Date:   Sun Dec 21 14:52:17 2014 +0100

    lib: Simplify iov_buf
    
    According to
    
    
https://www.securecoding.cert.org/confluence/display/seccode/INT30-C.+Ensure+that+unsigned+integer+operations+do+not+wrap
    
    we only need to check against one operand.
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>
    
    Autobuild-User(master): Jeremy Allison <[email protected]>
    Autobuild-Date(master): Fri Jan  9 23:42:49 CET 2015 on sn-devel-104

commit 0e26e0f6f6b7d657fdd51202f5919328278824e6
Author: Volker Lendecke <[email protected]>
Date:   Tue Nov 25 18:50:25 2014 +0100

    unix_msg: Fix 80-line formatting
    
    This is pretty fresh code, so hope this change does not fall under the "no
    reformatting" rule yet
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>

commit 764cfda2804d036e418365ceac92c2cb8a07577a
Author: Matthew Newton <[email protected]>
Date:   Thu Jan 8 15:11:15 2015 +0000

    Make sure response->extra_data.data is always cleared out
    
    Otherwise a bad read can sometimes cause the function to return -1 with
    an invalid pointer in extra_data.data, which the caller (e.g.
    libwbclient/wbc_pam.c wbcAuthenticateUserEx()) then attempts to free
    by calling winbindd_free_response().
    
    Reviewed-by: Volker Lendecke <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 nsswitch/wb_common.c            | 13 +++++++------
 source3/lib/iov_buf.c           |  4 ++--
 source3/lib/unix_msg/unix_msg.c |  6 ++++--
 3 files changed, 13 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
index 44bfaf4..3b67df0 100644
--- a/nsswitch/wb_common.c
+++ b/nsswitch/wb_common.c
@@ -552,6 +552,13 @@ static int winbindd_read_reply(struct winbindd_response 
*response)
 
        result1 = winbind_read_sock(response,
                                    sizeof(struct winbindd_response));
+
+       /* We actually send the pointer value of the extra_data field from
+          the server.  This has no meaning in the client's address space
+          so we clear it out. */
+
+       response->extra_data.data = NULL;
+
        if (result1 == -1) {
                return -1;
        }
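Review bot: The comment moved together with `response->extra_data.data = NULL;` still gives only the address-space reason and does not say why the assignment must now sit above the `if (result1 == -1)` return. Per the commit message, callers run winbindd_free_response() on the response even when this function returns -1, so the ordering is what keeps them from freeing a stale pointer value. I would extend the comment with something like `Must be done before any error return: callers free extra_data.data even on failure.` so a later tidy-up does not move it back below the check. winbindd_read_reply starts before and continues after this hunk, so the remaining error paths are not visible here and are worth checking for the same guarantee.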
@@ -560,12 +567,6 @@ static int winbindd_read_reply(struct winbindd_response 
*response)
                return -1;
        }
 
-       /* We actually send the pointer value of the extra_data field from
-          the server.  This has no meaning in the client's address space
-          so we clear it out. */
-
-       response->extra_data.data = NULL;
-
        /* Read variable length response */
 
        if (response->length > sizeof(struct winbindd_response)) {
diff --git a/source3/lib/iov_buf.c b/source3/lib/iov_buf.c
index f0e05a6..82a4af5 100644
--- a/source3/lib/iov_buf.c
+++ b/source3/lib/iov_buf.c
@@ -39,8 +39,8 @@ ssize_t iov_buf(const struct iovec *iov, int iovcnt,
 
                tmp = needed + thislen;
 
-               if ((tmp < needed) || (tmp < thislen)) {
-                       /* overflow */
+               if (tmp < needed) {
+                       /* wrap */
                        return -1;
                }
                needed = tmp;
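Review bot: The reduced test `if (tmp < needed)` catches unsigned wrap-around only, but iov_buf returns ssize_t (per the hunk header), so a total that does not wrap yet exceeds SSIZE_MAX would presumably come back as a negative or misleading value if `needed` is returned directly. The return statement and the declarations of `tmp`, `needed` and `thislen` lie outside the hunk, so this is an inference. If they are size_t, consider `if ((tmp < needed) || (tmp > SSIZE_MAX)) {`. The one-operand check is also only sound when all three variables share the same unsigned type, which a short comment next to `/* wrap */` could state.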
diff --git a/source3/lib/unix_msg/unix_msg.c b/source3/lib/unix_msg/unix_msg.c
index 51bb0c6..e4eed1c 100644
--- a/source3/lib/unix_msg/unix_msg.c
+++ b/source3/lib/unix_msg/unix_msg.c
@@ -922,7 +922,8 @@ static void unix_msg_recv(struct unix_dgram_ctx *dgram_ctx,
        buflen -= sizeof(cookie);
 
        if (cookie == 0) {
-               ctx->recv_callback(ctx, buf, buflen, fds, num_fds, 
ctx->private_data);
+               ctx->recv_callback(ctx, buf, buflen, fds, num_fds,
+                                  ctx->private_data);
                return;
        }
 
@@ -974,7 +975,8 @@ static void unix_msg_recv(struct unix_dgram_ctx *dgram_ctx,
        }
 
        DLIST_REMOVE(ctx->msgs, msg);
-       ctx->recv_callback(ctx, msg->buf, msg->msglen, fds, num_fds, 
ctx->private_data);
+       ctx->recv_callback(ctx, msg->buf, msg->msglen, fds, num_fds,
+                          ctx->private_data);
        free(msg);
        return;
 


-- 
Samba Shared Repository
