The branch, master has been updated
       via  412afb2aef1 Fix ubsan null pointer passed as argument 2
      from  da87fa998ab lib: Only compile resolvconftest if fmemopen exists

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 412afb2aef100e09eb433b8f0cae064fc2a736b7
Author: Gary Lockyer <[email protected]>
Date:   Fri May 24 11:00:05 2019 +1200

    Fix ubsan null pointer passed as argument 2
    
    Fix ubsan warning null pointer passed as argument 2 when the source
    pointer is NULL.  The calls to memcpy are now guarded by an
    if (len > 0)
    
    Signed-off-by: Gary Lockyer <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>
    
    Autobuild-User(master): Gary Lockyer <[email protected]>
    Autobuild-Date(master): Mon May 27 01:29:48 UTC 2019 on sn-devel-184

-----------------------------------------------------------------------

Summary of changes:
 lib/crypto/aes_cmac_128.c         | 10 ++++++----
 lib/dbwrap/dbwrap_rbt.c           |  4 +++-
 lib/util/asn1.c                   |  6 ++++--
 lib/util/iov_buf.c                |  2 +-
 source3/locking/brlock.c          |  4 +++-
 source3/smbd/trans2.c             |  6 +++++-
 source4/libcli/raw/raweas.c       |  6 +++++-
 source4/libcli/raw/rawfile.c      | 10 ++++++++--
 source4/libcli/raw/rawrequest.c   | 19 +++++++++++++------
 source4/libcli/raw/rawtrans.c     | 39 ++++++++++++++++++++++++---------------
 source4/ntvfs/common/brlock_tdb.c |  4 +++-
 source4/smb_server/smb/nttrans.c  |  7 +++++--
 12 files changed, 80 insertions(+), 37 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/crypto/aes_cmac_128.c b/lib/crypto/aes_cmac_128.c
index e5e489ec70d..e7bf030c92a 100644
--- a/lib/crypto/aes_cmac_128.c
+++ b/lib/crypto/aes_cmac_128.c
@@ -69,10 +69,12 @@ void aes_cmac_128_update(struct aes_cmac_128_context *ctx,
        if (ctx->last_len < AES_BLOCK_SIZE) {
                size_t len = MIN(AES_BLOCK_SIZE - ctx->last_len, msg_len);
 
-               memcpy(&ctx->last[ctx->last_len], msg, len);
-               msg += len;
-               msg_len -= len;
-               ctx->last_len += len;
+               if (len > 0) {
+                       memcpy(&ctx->last[ctx->last_len], msg, len);
+                       msg += len;
+                       msg_len -= len;
+                       ctx->last_len += len;
+               }
        }
 
        if (msg_len == 0) {
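Review bot: The new `if (len > 0)` guard carries no explanation, and a later reader is likely to see a zero-length memcpy as harmless and fold the guard away again; a one-line comment would pin the reason down: `/* msg may be NULL when msg_len == 0; memcpy requires a valid pointer even for a zero length */`. The same comment (adapted to the local variable names) belongs on the identical guards added in dbwrap_rbt.c, asn1.c, iov_buf.c, brlock.c, trans2.c, raweas.c, rawfile.c, rawrequest.c, rawtrans.c, brlock_tdb.c and nttrans.c, since none of those hunks states why a size check is needed for a copy of zero bytes. The body of aes_cmac_128_update starts before this hunk, so any contract note about `msg` being allowed to be NULL with `msg_len == 0` should go on the function's header comment rather than inside the block.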
diff --git a/lib/dbwrap/dbwrap_rbt.c b/lib/dbwrap/dbwrap_rbt.c
index d9c743b80e8..145cfccf082 100644
--- a/lib/dbwrap/dbwrap_rbt.c
+++ b/lib/dbwrap/dbwrap_rbt.c
@@ -213,7 +213,9 @@ static NTSTATUS db_rbt_storev(struct db_record *rec,
        TALLOC_FREE(rec_priv->node);
        rec_priv->node = node;
 
-       memcpy(this_val.dptr, data.dptr, node->valuesize);
+       if (node->valuesize > 0) {
+               memcpy(this_val.dptr, data.dptr, node->valuesize);
+       }
 
        parent = NULL;
        p = &db_ctx->tree.rb_node;
diff --git a/lib/util/asn1.c b/lib/util/asn1.c
index affa8f1df91..70ff5f0ad88 100644
--- a/lib/util/asn1.c
+++ b/lib/util/asn1.c
@@ -94,8 +94,10 @@ bool asn1_write(struct asn1_data *data, const void *p, int 
len)
                data->data = newp;
                data->length = data->ofs+len;
        }
-       memcpy(data->data + data->ofs, p, len);
-       data->ofs += len;
+       if (len > 0) {
+               memcpy(data->data + data->ofs, p, len);
+               data->ofs += len;
+       }
        return true;
 }
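Review bot: `len` is a signed `int` here, so the new `if (len > 0)` turns a negative length into a silent success: the function skips the copy, leaves `data->ofs` untouched and still returns true, whereas the old code would have passed a huge size_t to memcpy and at least failed loudly. If the part of asn1_write above this hunk does not already reject `len < 0` (that prologue is outside the hunk, so I cannot tell), the guard should be paired with an explicit rejection before the realloc, e.g. `if (len < 0) { return false; }`, using the same error path the function takes for allocation failure. Otherwise a comment such as `/* len < 0 is rejected above; the guard only covers len == 0 with p == NULL */` would make the intent clear.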
 
diff --git a/lib/util/iov_buf.c b/lib/util/iov_buf.c
index 592bc5d0498..132c7a75637 100644
--- a/lib/util/iov_buf.c
+++ b/lib/util/iov_buf.c
@@ -46,7 +46,7 @@ ssize_t iov_buf(const struct iovec *iov, int iovcnt,
                }
                needed = tmp;
 
-               if (needed <= buflen) {
+               if (needed <= buflen && thislen > 0) {
                        memcpy(p, iov[i].iov_base, thislen);
                        p += thislen;
                }
diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c
index e587222bc8a..a24ad68bf3f 100644
--- a/source3/locking/brlock.c
+++ b/source3/locking/brlock.c
@@ -1911,7 +1911,9 @@ static void byte_range_lock_flush(struct byte_range_lock 
*br_lck)
                data.dptr = talloc_array(talloc_tos(), uint8_t, data_len);
                SMB_ASSERT(data.dptr != NULL);
 
-               memcpy(data.dptr, br_lck->lock_data, lock_len);
+               if (lock_len > 0) {
+                       memcpy(data.dptr, br_lck->lock_data, lock_len);
+               }
                memcpy(data.dptr + lock_len, &br_lck->num_read_oplocks,
                       sizeof(br_lck->num_read_oplocks));
 
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 98fa1e68fd0..1fbf3ff9c47 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -565,7 +565,11 @@ static unsigned int fill_ea_buffer(TALLOC_CTX *mem_ctx, 
char *pdata, unsigned in
                SCVAL(p,1,dos_namelen);
                SSVAL(p,2,ea_list->ea.value.length);
                strlcpy(p+4, dos_ea_name, dos_namelen+1);
-               memcpy( p + 4 + dos_namelen + 1, ea_list->ea.value.data, 
ea_list->ea.value.length);
+               if (ea_list->ea.value.length > 0) {
+                       memcpy(p + 4 + dos_namelen + 1,
+                              ea_list->ea.value.data,
+                              ea_list->ea.value.length);
+               }
 
                total_data_size -= 4 + dos_namelen + 1 + 
ea_list->ea.value.length;
                p += 4 + dos_namelen + 1 + ea_list->ea.value.length;
diff --git a/source4/libcli/raw/raweas.c b/source4/libcli/raw/raweas.c
index b626b316d28..2f551b0e6fc 100644
--- a/source4/libcli/raw/raweas.c
+++ b/source4/libcli/raw/raweas.c
@@ -86,7 +86,11 @@ void ea_put_list(uint8_t *data, unsigned int num_eas, struct 
ea_struct *eas)
                SCVAL(data, 1, nlen);
                SSVAL(data, 2, eas[i].value.length);
                memcpy(data+4, eas[i].name.s, nlen+1);
-               memcpy(data+4+nlen+1, eas[i].value.data, eas[i].value.length);
+               if (eas[i].value.length > 0) {
+                       memcpy(data + 4 + nlen + 1,
+                              eas[i].value.data,
+                              eas[i].value.length);
+               }
                data += 4+nlen+1+eas[i].value.length;
        }
 }
diff --git a/source4/libcli/raw/rawfile.c b/source4/libcli/raw/rawfile.c
index 0b4ad9e9290..39e9a8d4311 100644
--- a/source4/libcli/raw/rawfile.c
+++ b/source4/libcli/raw/rawfile.c
@@ -354,8 +354,14 @@ static struct smbcli_request 
*smb_raw_nttrans_create_send(struct smbcli_tree *tr
 
        /* build the data section */
        nt.in.data = data_blob_talloc(mem_ctx, NULL, sd_blob.length + 
ea_blob.length);
-       memcpy(nt.in.data.data, sd_blob.data, sd_blob.length);
-       memcpy(nt.in.data.data+sd_blob.length, ea_blob.data, ea_blob.length);
+       if (sd_blob.length > 0) {
+               memcpy(nt.in.data.data, sd_blob.data, sd_blob.length);
+       }
+       if (ea_blob.length > 0) {
+               memcpy(nt.in.data.data + sd_blob.length,
+                      ea_blob.data,
+                      ea_blob.length);
+       }
 
        /* send the request on its way */
        req = smb_raw_nttrans_send(tree, &nt);
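Review bot: The two guards still copy into `nt.in.data.data` without checking that the `data_blob_talloc` call two lines above succeeded; on allocation failure that pointer is NULL while `sd_blob.length` is non-zero, so the guarded memcpy on the new side writes through a null pointer. A check between the allocation and the copies is needed, e.g. `if (nt.in.data.data == NULL && sd_blob.length + ea_blob.length > 0) { return NULL; }`, routed through whatever failure path the rest of smb_raw_nttrans_create_send uses (the function's prologue and epilogue are outside this hunk, so the exact form is for the author to confirm). Note that `nt.in.data.length` is not consulted by the copies, so it cannot be relied on to make the memcpy a no-op on failure.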
diff --git a/source4/libcli/raw/rawrequest.c b/source4/libcli/raw/rawrequest.c
index 9cabea5c780..5805c2f66fc 100644
--- a/source4/libcli/raw/rawrequest.c
+++ b/source4/libcli/raw/rawrequest.c
@@ -533,9 +533,14 @@ size_t smbcli_req_append_ascii4(struct smbcli_request 
*req, const char *str, uns
 */
 size_t smbcli_req_append_blob(struct smbcli_request *req, const DATA_BLOB 
*blob)
 {
-       smbcli_req_grow_allocation(req, req->out.data_size + blob->length);
-       memcpy(req->out.data + req->out.data_size, blob->data, blob->length);
-       smbcli_req_grow_data(req, req->out.data_size + blob->length);
+       if (blob->length > 0) {
+               smbcli_req_grow_allocation(req,
+                                          req->out.data_size + blob->length);
+               memcpy(req->out.data + req->out.data_size,
+                      blob->data,
+                      blob->length);
+               smbcli_req_grow_data(req, req->out.data_size + blob->length);
+       }
        return blob->length;
 }
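Review bot: The guard here is wider than the fix needs: it now also skips `smbcli_req_grow_allocation` and `smbcli_req_grow_data` when `blob->length == 0`, so a zero-length append no longer refreshes the request's data-size bookkeeping (including whatever grow_data writes for the byte count), which is a behaviour change the commit message does not mention. Guarding only the copy keeps the UB fix and the old semantics: leave the grow calls as they were and wrap just the copy, `if (blob->length > 0) { memcpy(req->out.data + req->out.data_size, blob->data, blob->length); }`. The same narrowing applies to the `smbcli_req_append_bytes` hunk below, where `byte_len > 0` likewise encloses both grow calls.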
 
@@ -545,9 +550,11 @@ size_t smbcli_req_append_blob(struct smbcli_request *req, 
const DATA_BLOB *blob)
 */
 size_t smbcli_req_append_bytes(struct smbcli_request *req, const uint8_t 
*bytes, size_t byte_len)
 {
-       smbcli_req_grow_allocation(req, byte_len + req->out.data_size);
-       memcpy(req->out.data + req->out.data_size, bytes, byte_len);
-       smbcli_req_grow_data(req, byte_len + req->out.data_size);
+       if (byte_len > 0) {
+               smbcli_req_grow_allocation(req, byte_len + req->out.data_size);
+               memcpy(req->out.data + req->out.data_size, bytes, byte_len);
+               smbcli_req_grow_data(req, byte_len + req->out.data_size);
+       }
        return byte_len;
 }
 
diff --git a/source4/libcli/raw/rawtrans.c b/source4/libcli/raw/rawtrans.c
index 3a12fd30d57..1a1c836efaf 100644
--- a/source4/libcli/raw/rawtrans.c
+++ b/source4/libcli/raw/rawtrans.c
@@ -72,12 +72,16 @@ static struct smbcli_request 
*smb_raw_trans_backend_send(struct smbcli_tree *tre
                SSVAL(req->out.vwv, VWV(s), parms->in.setup[s]);
        }
 
-       memcpy(req->out.data,
-              parms->in.params.data,
-              parms->in.params.length);
-       memcpy(req->out.data + parms->in.params.length,
-              parms->in.data.data,
-              parms->in.data.length);
+       if (parms->in.params.length > 0) {
+               memcpy(req->out.data,
+                      parms->in.params.data,
+                      parms->in.params.length);
+       }
+       if (parms->in.data.length > 0) {
+               memcpy(req->out.data + parms->in.params.length,
+                      parms->in.data.data,
+                      parms->in.data.length);
+       }
 
        if (command == SMBtrans && parms->in.trans_name) {
                pipe_name = parms->in.trans_name;
@@ -296,16 +300,21 @@ struct smbcli_request *smb_raw_nttrans_send(struct 
smbcli_tree *tree,
 
        timeout_msec = req->transport->options.request_timeout * 1000;
 
-       memcpy(req->out.vwv,
-              parms->in.setup,
-              parms->in.setup_count * 2);
+       if (parms->in.setup_count > 0) {
+               memcpy(
+                   req->out.vwv, parms->in.setup, parms->in.setup_count * 2);
+       }
 
-       memcpy(req->out.data,
-              parms->in.params.data,
-              parms->in.params.length);
-       memcpy(req->out.data + parms->in.params.length,
-              parms->in.data.data,
-              parms->in.data.length);
+       if (parms->in.params.length > 0) {
+               memcpy(req->out.data,
+                      parms->in.params.data,
+                      parms->in.params.length);
+       }
+       if (parms->in.data.length > 0) {
+               memcpy(req->out.data + parms->in.params.length,
+                      parms->in.data.data,
+                      parms->in.data.length);
+       }
 
        req->subreqs[0] = smb1cli_trans_send(req,
                                             req->transport->ev,
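Review bot: The setup copy in the second hunk is formatted differently from every other memcpy this commit touches: `memcpy(` followed by a line holding all three arguments, where the rest of the series puts one argument per line. For consistency with the params/data copies directly below it, and with the nttrans.c hunk in this same commit, write it as `memcpy(req->out.vwv,` / `parms->in.setup,` / `parms->in.setup_count * 2);` aligned under the opening parenthesis. While touching it, `sizeof(uint16_t) * parms->in.setup_count` would match the nttrans.c hunk's expression for the same quantity and document what the `2` stands for; both hunks' enclosing functions begin before the hunk.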
diff --git a/source4/ntvfs/common/brlock_tdb.c 
b/source4/ntvfs/common/brlock_tdb.c
index 56cf26c70b9..77a864af328 100644
--- a/source4/ntvfs/common/brlock_tdb.c
+++ b/source4/ntvfs/common/brlock_tdb.c
@@ -365,7 +365,9 @@ static NTSTATUS brl_tdb_lock(struct brl_context *brl,
                status = NT_STATUS_NO_MEMORY;
                goto fail;
        }
-       memcpy(locks, dbuf.dptr, dbuf.dsize);
+       if (dbuf.dsize > 0) {
+               memcpy(locks, dbuf.dptr, dbuf.dsize);
+       }
        locks[count] = lock;
 
        dbuf.dptr = (unsigned char *)locks;
diff --git a/source4/smb_server/smb/nttrans.c b/source4/smb_server/smb/nttrans.c
index 97c4bb570d7..8e4d004f96c 100644
--- a/source4/smb_server/smb/nttrans.c
+++ b/source4/smb_server/smb/nttrans.c
@@ -570,8 +570,11 @@ static void reply_nttrans_send(struct ntvfs_request *ntvfs)
                SIVAL(this_req->out.vwv, 31, PTR_DIFF(data, 
trans->out.data.data));
 
                SCVAL(this_req->out.vwv, 35, trans->out.setup_count);
-               memcpy((char *)(this_req->out.vwv) + VWV(18), trans->out.setup,
-                      sizeof(uint16_t) * trans->out.setup_count);
+               if (trans->out.setup_count > 0) {
+                       memcpy((char *)(this_req->out.vwv) + VWV(18),
+                              trans->out.setup,
+                              sizeof(uint16_t) * trans->out.setup_count);
+               }
                memset(this_req->out.data, 0, align1);
                if (this_param != 0) {
                        memcpy(this_req->out.data + align1, params, this_param);


-- 
Samba Shared Repository
