The branch, master has been updated via e806824 ldb client controls: avoid talloc_memdup(x, y, (size_t)-1); via ac4dc0c s3/vfs:stream_depots: Parse substitutions in streams-depot-directory path from e8e2386 s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit e806824fc8841553102eefdd748b5c6d261f1bb7 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Mar 16 12:46:12 2016 +1300 ldb client controls: avoid talloc_memdup(x, y, (size_t)-1); ldb_base64_decode() returns -1 if a string can't be parsed as base64, and this is not the kind of value you want to use in talloc_memdup(). In these cases it can happen innocently if the strings are truncated to fit in their buffers. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Volker Lendecke <volker.lende...@sernet.de> Reviewed-by: Jeremy Allison <j...@samba.org> Autobuild-User(master): Jeremy Allison <j...@samba.org> Autobuild-Date(master): Sat Mar 19 00:56:42 CET 2016 on sn-devel-144 commit ac4dc0c678dddf1eab977dddfc4344d835be7824 Author: Shyamsunder Rathi <shyam.ra...@nutanix.com> Date: Thu Mar 10 12:37:49 2016 -0800 s3/vfs:stream_depots: Parse substitutions in streams-depot-directory path At present, substitutions in the streams directory path are ignored. Fix it by modifying 'stream_dir' function to call 'lp_parm_talloc_string' which internally calls 'lp_string' on the path. Signed-off-by: Shyamsunder Rathi <shyam.ra...@nutanix.com> Reviewed-by: Uri Simchoni <u...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> ----------------------------------------------------------------------- Summary of changes: lib/ldb/common/ldb_controls.c | 31 +++++++++++++++++++++++++++---- source3/modules/vfs_streams_depot.c | 10 ++++++++-- 2 files changed, 35 insertions(+), 6 deletions(-) Changeset truncated at 500 lines:
diff --git a/lib/ldb/common/ldb_controls.c b/lib/ldb/common/ldb_controls.c
index 7da0cf0..0fdd13a 100644
--- a/lib/ldb/common/ldb_controls.c
+++ b/lib/ldb/common/ldb_controls.c
@@ -507,8 +507,16 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 control->match.byOffset.contentCount = cc;
 }
 if (ctxid[0]) {
- control->ctxid_len = ldb_base64_decode(ctxid);
- control->contextId = talloc_memdup(control, ctxid, control->ctxid_len);
+ int len = ldb_base64_decode(ctxid);
+ if (len < 0) {
+ ldb_set_errstring(ldb,
+ "invalid VLV context_id\n");
+ talloc_free(ctrl);
+ return NULL;
+ }
+ control->ctxid_len = len;
+ control->contextId = talloc_memdup(control, ctxid,
+ control->ctxid_len);
 } else {
 control->ctxid_len = 0;
 control->contextId = NULL;
@@ -552,7 +560,14 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 control->flags = flags;
 control->max_attributes = max_attrs;
 if (*cookie) {
- control->cookie_len = ldb_base64_decode(cookie);
+ int len = ldb_base64_decode(cookie);
+ if (len < 0) {
+ ldb_set_errstring(ldb,
+ "invalid dirsync cookie\n");
+ talloc_free(ctrl);
+ return NULL;
+ }
+ control->cookie_len = len;
 control->cookie = (char *)talloc_memdup(control, cookie, control->cookie_len);
 } else {
 control->cookie = NULL;
@@ -597,7 +612,15 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 control->flags = flags;
 control->max_attributes = max_attrs;
 if (*cookie) {
- control->cookie_len = ldb_base64_decode(cookie);
+ int len = ldb_base64_decode(cookie);
+ if (len < 0) {
+ ldb_set_errstring(ldb,
+ "invalid dirsync_ex cookie"
+ " (probably too long)\n");
+ talloc_free(ctrl);
+ return NULL;
+ }
+ control->cookie_len = len;
 control->cookie = (char *)talloc_memdup(control, cookie, control->cookie_len);
 } else {
 control->cookie = NULL;
diff --git a/source3/modules/vfs_streams_depot.c b/source3/modules/vfs_streams_depot.c
index ef5ef64..5a97444 100644
--- a/source3/modules/vfs_streams_depot.c
+++ b/source3/modules/vfs_streams_depot.c
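Review bot: The result of `talloc_memdup()` for `control->contextId` in the first hunk is stored without a NULL check, so an allocation failure would leave `ctxid_len` non-zero next to a NULL `contextId` for whatever consumes the control later. The same holds for the `control->cookie` duplications on the context lines of the dirsync and dirsync_ex hunks. Following the error path this commit already adds, the assignment could be followed by `if (control->contextId == NULL) { talloc_free(ctrl); return NULL; }`, with the matching check on `control->cookie` in the other two places. The enclosing function starts and ends outside these hunks, so that `ctrl` is the right object to free is taken from the added lines.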
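Review bot: The hint `" (probably too long)\n"` is attached only to the dirsync_ex message in the third hunk, although the commit description says truncation to fit the buffer can cause the decode failure in all of these cases; the VLV and dirsync messages would be more useful to an operator with the same hint. The `len < 0` test also only catches truncation that leaves invalid base64: an over-long value cut at a point that still decodes would presumably be accepted as a shorter context id or cookie. The buffers and the code that fills them are outside these hunks, so this is inferred from the description; a length check at the point where the strings are read would close that gap.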
@@ -123,7 +123,7 @@ static char *stream_dir(vfs_handle_struct *handle, struct file_id id; uint8_t id_buf[16]; bool check_valid; - const char *rootdir; + char *rootdir = NULL; struct smb_filename *rootdir_fname = NULL; struct smb_filename *tmp_fname = NULL; @@ -137,9 +137,13 @@ static char *stream_dir(vfs_handle_struct *handle, goto fail; } - rootdir = lp_parm_const_string( + rootdir = lp_parm_talloc_string(talloc_tos(), SNUM(handle->conn), "streams_depot", "directory", tmp); + if (rootdir == NULL) { + errno = ENOMEM; + goto fail; + } rootdir_fname = synthetic_smb_fname(talloc_tos(), rootdir, @@ -329,12 +333,14 @@ static char *stream_dir(vfs_handle_struct *handle, } TALLOC_FREE(rootdir_fname); + TALLOC_FREE(rootdir); TALLOC_FREE(tmp_fname); TALLOC_FREE(smb_fname_hash); return result; fail: TALLOC_FREE(rootdir_fname); + TALLOC_FREE(rootdir); TALLOC_FREE(tmp_fname); TALLOC_FREE(smb_fname_hash); TALLOC_FREE(result); -- Samba Shared Repository
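Review bot: In the second hunk the substitution-expanded `rootdir` goes straight into `synthetic_smb_fname()` as the base directory for stream storage, with only a NULL check in between. Per the commit description `lp_parm_talloc_string()` runs `lp_string()` on the configured value, so if the administrator uses a variable whose value is supplied by the client (presumably user or machine name), nothing here constrains what ends up in the path. A comment above the call would record the assumption, for example `/* rootdir is substitution-expanded; expanded values must not be able to add path separators or ".." components */`, and the module documentation could say which variables are intended for this option. stream_dir's body starts and ends outside the hunk, so a later check on the resulting directory cannot be ruled out from here.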