The branch, master has been updated via 4524f59 tsocket: Do not dereference a NULL pointer via 1d4b20d s4: ldb: Ignore case of "range" in sscanf as we've already checked for its presence. from 826f619 s3-winbind: Fix memory leak with each cached credential login
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 4524f5986c3cc6430fcc2ddae6970a62b3f22ac8 Author: Andreas Schneider <a...@samba.org> Date: Wed Jun 22 15:36:59 2016 +0200 tsocket: Do not dereference a NULL pointer Make sure the lrbsda pointer is not allocated and we will not end up dereferencing a NULL pointer. In practice this can't happen, but this change links the pointer with the code that uses it. Found by Coverity. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> Autobuild-User(master): Jeremy Allison <j...@samba.org> Autobuild-Date(master): Thu Jun 30 02:53:02 CEST 2016 on sn-devel-144 commit 1d4b20d4f3829eb3778006397990cd9fee4966a5 Author: Jeremy Allison <j...@samba.org> Date: Tue Jun 28 15:38:22 2016 -0700 s4: ldb: Ignore case of "range" in sscanf as we've already checked for its presence. https://bugzilla.samba.org/show_bug.cgi?id=11838 Signed-off-by: Jeremy Allison <j...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: lib/tsocket/tsocket_bsd.c | 12 ++++++++---- source4/dsdb/samdb/ldb_modules/ranged_results.c | 8 +++++--- 2 files changed, 13 insertions(+), 7 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/tsocket/tsocket_bsd.c b/lib/tsocket/tsocket_bsd.c index 9608dde..708d17e 100644 --- a/lib/tsocket/tsocket_bsd.c +++ b/lib/tsocket/tsocket_bsd.c @@ -2327,10 +2327,14 @@ static struct tevent_req *tstream_bsd_connect_send(TALLOC_CTX *mem_ctx, goto post; } - ret = getsockname(state->fd, &lrbsda->u.sa, &lrbsda->sa_socklen); - if (ret == -1) { - tevent_req_error(req, errno); - goto post; + if (lrbsda != NULL) { + ret = getsockname(state->fd, + &lrbsda->u.sa, + &lrbsda->sa_socklen); + if (ret == -1) { + tevent_req_error(req, errno); + goto post; + } } tevent_req_done(req); diff --git a/source4/dsdb/samdb/ldb_modules/ranged_results.c b/source4/dsdb/samdb/ldb_modules/ranged_results.c index 60d7503..13bf3a2 100644 --- a/source4/dsdb/samdb/ldb_modules/ranged_results.c +++ b/source4/dsdb/samdb/ldb_modules/ranged_results.c @@ -201,6 +201,8 @@ static int rr_search(struct ldb_module *module, struct ldb_request *req) /* Strip the range request from the attribute */ for (i = 0; req->op.search.attrs && req->op.search.attrs[i]; i++) { char *p; + size_t range_len = strlen(";range="); + new_attrs = talloc_realloc(req, new_attrs, const char *, i+2); new_attrs[i] = req->op.search.attrs[i]; new_attrs[i+1] = NULL; @@ -208,12 +210,12 @@ static int rr_search(struct ldb_module *module, struct ldb_request *req) if (!p) { continue; } - if (strncasecmp(p, ";range=", strlen(";range=")) != 0) { + if (strncasecmp(p, ";range=", range_len) != 0) { continue; } end = (unsigned int)-1; - if (sscanf(p, ";range=%u-*", &start) != 1) { - if (sscanf(p, ";range=%u-%u", &start, &end) != 2) { + if (sscanf(p + range_len, "%u-*", &start) != 1) { + if (sscanf(p + range_len, "%u-%u", &start, &end) != 2) { ldb_asprintf_errstring(ldb, "range request error: " "range request malformed"); -- Samba Shared Repository