The branch, master has been updated
       via  efa66c9 libads: Fix CID 1349423 Resource leak
       via  67c3184 net: Fix CID 1128559 Dereference null return value
       via  cfe8fa2 smbstatus: Fix CID 1128560 Dereference null return value
       via  f3e98f4 vfs_fruit: Fix CID 1433613 Operands don't affect result
       via  bb7da33 dsdb: Fix CID 1433614 Dereference after null check
       via  1b7881c libads: Fix 1433611 Resource leak
       via  9ecc6f3 lsa_server: Fix CID 1433608 Dereference after null check
       via  8b5925b libads: Fix CID 1433606 Dereference before null check
      from  1cd0fe9 ndr_string: Do overflow checks in ndr_push/pull_charset

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit efa66c9ebf519dfaf194220652b3e5e01c303fb6
Author: Volker Lendecke <[email protected]>
Date:   Wed Mar 28 07:27:08 2018 -0500

    libads: Fix CID 1349423 Resource leak
    
    get_sorted_dc_list should already take care, but this way it's safer
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>
    
    Autobuild-User(master): Jeremy Allison <[email protected]>
    Autobuild-Date(master): Thu Mar 29 03:45:00 CEST 2018 on sn-devel-144

commit 67c31842b09799b07c25c06bddc181c65349f8fe
Author: Volker Lendecke <[email protected]>
Date:   Wed Mar 28 07:24:01 2018 -0500

    net: Fix CID 1128559 Dereference null return value
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>

commit cfe8fa2c75426680d5253b52dc84e34d391f23e0
Author: Volker Lendecke <[email protected]>
Date:   Wed Mar 28 07:22:02 2018 -0500

    smbstatus: Fix CID 1128560 Dereference null return value
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>

commit f3e98f41de25e3b52fd38f86317e428bfb53b287
Author: Volker Lendecke <[email protected]>
Date:   Wed Mar 28 07:17:59 2018 -0500

    vfs_fruit: Fix CID 1433613 Operands don't affect result
    
    Two changes: First, we can't check multiplication overflow after the
    operation. This has to be done before with a division. Second, there
    is no OFF_T_MAX, and both operands are size_t, so check for
    SIZE_MAX. The result is assigned to off_t, but I'm not sure where the
    automatic coercion from size_t to off_t would happen.
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>

commit bb7da3357388f7cf950455ca4f42cd7d43c3f02b
Author: Volker Lendecke <[email protected]>
Date:   Wed Mar 28 07:10:59 2018 -0500

    dsdb: Fix CID 1433614 Dereference after null check
    
    This whole routine assumes module!=NULL, both in the successful as
    well as in error cases. So checking for module!=NULL is confusing both
    the reader as well as Coverity.
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>

commit 1b7881ceec755e924c52083188762864d723367c
Author: Volker Lendecke <[email protected]>
Date:   Wed Mar 28 07:00:34 2018 -0500

    libads: Fix 1433611 Resource leak
    
    Not really a memleak due to the passed-in talloc ctx, but this way it's cleaner
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>

commit 9ecc6f3b520ea6388a3b8d9f61cd2bbf16452400
Author: Volker Lendecke <[email protected]>
Date:   Tue Mar 27 17:03:15 2018 -0500

    lsa_server: Fix CID 1433608 Dereference after null check
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>

commit 8b5925b3049998d2ac54720a24ab60ab78033374
Author: Volker Lendecke <[email protected]>
Date:   Tue Mar 27 17:00:46 2018 -0500

    libads: Fix CID 1433606 Dereference before null check
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 source3/libads/kerberos_keytab.c           |  2 +-
 source3/libads/ldap.c                      |  4 +++-
 source3/modules/vfs_fruit.c                |  4 ++--
 source3/utils/net.c                        | 10 +++++++---
 source3/utils/status.c                     | 10 +++++++++-
 source4/dsdb/samdb/ldb_modules/partition.c |  6 ++++--
 source4/rpc_server/lsa/lsa_lookup.c        |  2 +-
 7 files changed, 27 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 85f195a..8eb7b2a 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -93,7 +93,7 @@ static bool fill_default_spns(TALLOC_CTX *ctx, const char 
*machine_name,
 
        if (*spns == NULL) {
                *spns = talloc_zero_array(ctx, const char*, 3);
-               if (spns == NULL) {
+               if (*spns == NULL) {
                        return false;
                }
        }
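Review bot: the commit message for this one-line change carries only the CID title, so the effect of the bug is not recorded. The old test "if (spns == NULL)" sat inside "if (*spns == NULL)", where spns had already been dereferenced, so it could never fire and a failed talloc_zero_array() was silently ignored. A sentence saying that in the commit body would help anyone bisecting later.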
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 78b813c..f946304 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -412,7 +412,7 @@ static NTSTATUS resolve_and_ping_dns(ADS_STRUCT *ads, const 
char *sitename,
                                     const char *realm)
 {
        int count;
-       struct ip_service *ip_list;
+       struct ip_service *ip_list = NULL;
        NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
 
        DEBUG(6, ("resolve_and_ping_dns: (cldap) looking for realm '%s'\n",
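Review bot: "int count;" two lines above the changed declaration is still uninitialised while ip_list now starts as NULL. Both are out-parameters of the same get_sorted_dc_list() call, so initialising count to 0 in the same change would keep the pair consistent on any path where the callee returns early.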
@@ -421,6 +421,7 @@ static NTSTATUS resolve_and_ping_dns(ADS_STRUCT *ads, const 
char *sitename,
        status = get_sorted_dc_list(realm, sitename, &ip_list, &count,
                                    true);
        if (!NT_STATUS_IS_OK(status)) {
+               SAFE_FREE(ip_list);
                return status;
        }
 
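Review bot: SAFE_FREE(ip_list) in the failure branch is only correct if get_sorted_dc_list() leaves ip_list either NULL or pointing at memory the caller still owns. The commit message says the callee "should already take care"; if it frees the list on error without resetting the pointer, this line turns into a double free. The callee is outside this diff, so its error paths are worth confirming before relying on this.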
@@ -3471,6 +3472,7 @@ out:
        if (name != NULL) {
                ok = (strlen(name) > 0);
        }
+       TALLOC_FREE(name);
        return ok;
 }
 
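Review bot: TALLOC_FREE(name) at the out: label runs on every exit path, including gotos taken before name is assigned. That is safe only if name is initialised to NULL at its declaration, which is not visible in this hunk and should be checked.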
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index 1a05d0b..4299583 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -6515,12 +6515,12 @@ static bool fruit_tmsize_do_dirent(vfs_handle_struct 
*handle,
                return true;
        }
 
-       tm_size = bandsize * nbands;
-       if (tm_size > UINT64_MAX) {
+       if (bandsize > SIZE_MAX/nbands) {
                DBG_ERR("tmsize overflow: bandsize [%zu] nbands [%zu]\n",
                        bandsize, nbands);
                return false;
        }
+       tm_size = bandsize * nbands;
 
        if (state->total_size + tm_size < state->total_size) {
                DBG_ERR("tmsize overflow: bandsize [%zu] nbands [%zu]\n",
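Review bot: the new guard "bandsize > SIZE_MAX/nbands" divides by nbands, and nothing in the visible context shows that nbands is non-zero at this point. If a zero value can reach here, the check itself faults; writing it as "nbands != 0 && bandsize > SIZE_MAX/nbands" removes the dependency on earlier code. Separately, the product is bounded by SIZE_MAX but tm_size is added to state->total_size below with its own wrap check, and both DBG_ERR calls print the identical "tmsize overflow" text, so the two failure cases cannot be told apart in a log.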
diff --git a/source3/utils/net.c b/source3/utils/net.c
index bde2616..44daa60 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -915,6 +915,7 @@ static struct functable net_func[] = {
        const char **argv_const = discard_const_p(const char *, argv);
        poptContext pc;
        TALLOC_CTX *frame = talloc_stackframe();
+       struct tevent_context *ev;
        struct net_context *c = talloc_zero(frame, struct net_context);
        NTSTATUS status;
 
@@ -1036,9 +1037,12 @@ static struct functable net_func[] = {
                exit(1);
        }
 
-       status = messaging_init_client(c,
-                                      samba_tevent_context_init(c),
-                                      &c->msg_ctx);
+       ev = samba_tevent_context_init(c);
+       if (ev == NULL) {
+               d_fprintf(stderr, "samba_tevent_context_init failed\n");
+               exit(1);
+       }
+       status = messaging_init_client(c, ev, &c->msg_ctx);
        if (geteuid() != 0 &&
                        NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
                /*
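Review bot: the new failure branch calls exit(1) directly, so the talloc stackframe is not released and no common cleanup runs on this path. That matches the exit(1) immediately above it, but it differs from the status.c change in the same series, which sets ret and jumps to done. Also, ev is declared without an initialiser in the first hunk; "= NULL" costs nothing and keeps static analysers quiet if a later edit adds a path that skips the assignment.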
diff --git a/source3/utils/status.c b/source3/utils/status.c
index beae85c..6370f70 100644
--- a/source3/utils/status.c
+++ b/source3/utils/status.c
@@ -528,6 +528,7 @@ int main(int argc, const char *argv[])
        };
        TALLOC_CTX *frame = talloc_stackframe();
        int ret = 0;
+       struct tevent_context *ev;
        struct messaging_context *msg_ctx = NULL;
        char *db_path;
        bool ok;
@@ -618,7 +619,14 @@ int main(int argc, const char *argv[])
         * This implicitly initializes the global ctdbd connection,
         * usable by the db_open() calls further down.
         */
-       msg_ctx = messaging_init(NULL, samba_tevent_context_init(NULL));
+       ev = samba_tevent_context_init(NULL);
+       if (ev == NULL) {
+               fprintf(stderr, "samba_tevent_context_init failed\n");
+               ret = -1;
+               goto done;
+       }
+
+       msg_ctx = messaging_init(NULL, ev);
        if (msg_ctx == NULL) {
                fprintf(stderr, "messaging_init failed\n");
                ret = -1;
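Review bot: the comment ending "usable by the db_open() calls further down" describes messaging_init(), but after this change it sits directly above samba_tevent_context_init() and its error branch. Moving the comment down to just above "msg_ctx = messaging_init(NULL, ev);" keeps it attached to the call it explains.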
diff --git a/source4/dsdb/samdb/ldb_modules/partition.c 
b/source4/dsdb/samdb/ldb_modules/partition.c
index 422ed36..37e714d 100644
--- a/source4/dsdb/samdb/ldb_modules/partition.c
+++ b/source4/dsdb/samdb/ldb_modules/partition.c
@@ -1016,7 +1016,8 @@ int partition_del_trans(struct ldb_module *module)
                                                              struct 
partition_private_data);
 
        for (i=0; data && data->partitions && data->partitions[i]; i++) {
-               if ((module && ldb_module_flags(ldb_module_get_ctx(module)) & 
LDB_FLG_ENABLE_TRACING)) {
+               if (ldb_module_flags(ldb_module_get_ctx(module)) &
+                   LDB_FLG_ENABLE_TRACING) {
                        ldb_debug(ldb_module_get_ctx(module), LDB_DEBUG_TRACE, 
"partition_del_trans() -> %s",
                                  
ldb_dn_get_linearized(data->partitions[i]->ctrl->dn));
                }
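Review bot: with the "module &&" test removed, the requirement that module is non-NULL is now implicit in partition_del_trans(). The commit message states it, but the code does not; a one-line comment at the top of the function, or an early return with an error code if module is NULL, would record the precondition where the next reader will see it.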
@@ -1035,7 +1036,8 @@ int partition_del_trans(struct ldb_module *module)
        }
        data->in_transaction--;
 
-       if ((module && ldb_module_flags(ldb_module_get_ctx(module)) & 
LDB_FLG_ENABLE_TRACING)) {
+       if (ldb_module_flags(ldb_module_get_ctx(module)) &
+           LDB_FLG_ENABLE_TRACING) {
                ldb_debug(ldb_module_get_ctx(module), LDB_DEBUG_TRACE, 
"partition_del_trans() -> (metadata partition)");
        }
        ret = ldb_next_del_trans(module);
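Review bot: the same check-then-dereference inconsistency this commit removes for module remains for data. The loop in the previous hunk tests "data && data->partitions", yet "data->in_transaction--;" in this hunk's context dereferences data unconditionally. Either data can be NULL and the decrement needs a guard, or it cannot and the "data &&" in the loop condition should go as well.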
diff --git a/source4/rpc_server/lsa/lsa_lookup.c 
b/source4/rpc_server/lsa/lsa_lookup.c
index 3baff1e..becbcfc 100644
--- a/source4/rpc_server/lsa/lsa_lookup.c
+++ b/source4/rpc_server/lsa/lsa_lookup.c
@@ -88,7 +88,7 @@ static NTSTATUS dcesrv_lsa_lookup_name(struct 
lsa_policy_state *state,
        bool match = false;
        int ret;
 
-       if (principal == NULL && principal[0] == '\0') {
+       if ((principal == NULL) || (principal[0] == '\0')) {
                return NT_STATUS_NONE_MAPPED;
        }
 
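Review bot: the commit message gives only the CID title and does not say what the old condition did. With "&&", principal[0] was evaluated exactly when principal was NULL, and an empty string was never rejected because the first operand short-circuited to false. A line recording that, plus a test that passes an empty principal and expects NT_STATUS_NONE_MAPPED, would cover the behaviour change.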


-- 
Samba Shared Repository
