The branch, master has been updated
       via  cebf26d0624 s3:modules: Fix possible dereference of NULL for fio
       via  2e649846348 s3:libnet: Fix dereference of NULL win7
       via  82f53c82ed6 s3:libnet: Fix dead code in libnet_join.c
       via  5ac87622568 ctdb:utils: Improve error handling of hex_decode()
       via  41c86c9dda3 s3:rpc_server: Fix possible NULL dereference
       via  46460025175 s3:smbd: Fix dereferencing null pointer "fsp"
       via  728600a40f9 s3:smbd: Fix trailing whitespaces in dosmode.c
       via  4d7ed39fd8f s3:modules: Fix the horrible vfs_crossrename module
       via  41ebb7f68c5 s3:modules: VFS CAP symlinkat always fails
      from  745af26a1a6 s3: includes: Make the comments describing itime consistent. Always use "invented" time.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit cebf26d0624489db3cbf5e31e97c4a92771758f0
Author: Pavel Filipenský <pfili...@redhat.com>
Date:   Mon Jan 10 13:26:25 2022 +0100

    s3:modules: Fix possible dereference of NULL for fio

    We do not check consistently for fio being NULL in this file.

    Found by covscan.

    Pair-Programmed-With: Andreas Schneider <a...@samba.org>

    Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Tue Jan 11 00:22:09 UTC 2022 on sn-devel-184

commit 2e649846348ad6ce451b32ab534ac0030ccc7c0f
Author: Pavel Filipenský <pfili...@redhat.com>
Date:   Mon Jan 10 13:24:22 2022 +0100

    s3:libnet: Fix dereference of NULL win7

    Found by covscan.

    Pair-Programmed-With: Andreas Schneider <a...@samba.org>

    Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 82f53c82ed6ec4818bb1e2220e25e76fee7cb23e
Author: Pavel Filipenský <pfili...@redhat.com>
Date:   Fri Jan 7 14:11:53 2022 +0100

    s3:libnet: Fix dead code in libnet_join.c

    Found by covscan.

    Pair-programmed-with: Andreas Schneider <a...@samba.org>

    Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 5ac8762256830f1c7e48dcc9684802f00fc3b5c2
Author: Pavel Filipenský <pfili...@redhat.com>
Date:   Fri Jan 7 11:57:08 2022 +0100

    ctdb:utils: Improve error handling of hex_decode()

    This has been found by covscan and makes analyzers happy.

    Pair-programmed-with: Andreas Schneider <a...@samba.org>

    Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 41c86c9dda3fd7a733f54fa1af31adec96bb4a33
Author: Pavel Filipenský <pfili...@redhat.com>
Date:   Fri Jan 7 11:50:16 2022 +0100

    s3:rpc_server: Fix possible NULL dereference

    Found by covscan.

    Pair-Programmed-With: Andreas Schneider <a...@samba.org>

    Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 46460025175e83fbb47a510e412d83b1b2573db9
Author: Pavel Filipenský <pfili...@redhat.com>
Date:   Fri Jan 7 21:18:59 2022 +0100

    s3:smbd: Fix dereferencing null pointer "fsp"

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14942

    Remove fsp which is always NULL and replace it with smb_fname->fsp.

    Found by covscan.

    Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 728600a40f939de3172bbe429e17ea65ff21699a
Author: Pavel Filipenský <pfili...@redhat.com>
Date:   Fri Jan 7 21:18:59 2022 +0100

    s3:smbd: Fix trailing whitespaces in dosmode.c

    Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 4d7ed39fd8fa18f90756f215c8b0fc5d293e955e
Author: Pavel Filipenský <pfili...@redhat.com>
Date:   Fri Jan 7 13:16:26 2022 +0100

    s3:modules: Fix the horrible vfs_crossrename module

    It really has to be removed! ;-)

    Found by covscan.

    The code always leaves here as the dst variable

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14940

    Pair-programmed-with: Andreas Schneider <a...@samba.org>

    Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> commit 41ebb7f68c5b21492f503afc4cb341a97654a43d Author: Pavel Filipenský <pfili...@redhat.com> Date: Fri Jan 7 13:55:38 2022 +0100 s3:modules: VFS CAP symlinkat always fails BUG: https://bugzilla.samba.org/show_bug.cgi?id=14941 Found by covscan. Since capnew is initialized by NULL, checking it too early makes the rest of the function a dead code. Pair-programmed-with: Andreas Schneider <a...@samba.org> Signed-off-by: Pavel Filipenský <pfili...@redhat.com> Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> ----------------------------------------------------------------------- Summary of changes: ctdb/utils/tdb/tdb_mutex_check.c | 24 ++++++++++++----- source3/libnet/libnet_join.c | 5 ++-- source3/libnet/libnet_join_offline.c | 3 +++ source3/modules/vfs_cap.c | 2 +- source3/modules/vfs_crossrename.c | 2 +- source3/modules/vfs_fruit.c | 41 ++++++++++++++++++----------- source3/rpc_server/netlogon/srv_netlog_nt.c | 14 ++++------ source3/smbd/dosmode.c | 19 +++++++------ 8 files changed, 65 insertions(+), 45 deletions(-) Changeset truncated at 500 lines: diff --git a/ctdb/utils/tdb/tdb_mutex_check.c b/ctdb/utils/tdb/tdb_mutex_check.c index da794b8dab5..4da0c40d41b 100644 --- a/ctdb/utils/tdb/tdb_mutex_check.c +++ b/ctdb/utils/tdb/tdb_mutex_check.c 
@@ -30,30 +30,42 @@ #include "lib/tdb/common/tdb_private.h" #include "lib/tdb/common/mutex.c" -static uint8_t *hex_decode(const char *hex_in, size_t *len) +static uint8_t *hex_decode(const char *hex_in, size_t *plen) { size_t i; int num; uint8_t *buffer; + size_t len; - *len = strlen(hex_in) / 2; - buffer = malloc(*len); + len = strlen(hex_in) / 2; + if (len == 0) { + return NULL; + } + + buffer = malloc(len); + if (buffer == NULL) { + return NULL; + } - for (i=0; i<*len; i++) { + for (i = 0; i < len; i++) { sscanf(&hex_in[i*2], "%02X", &num); buffer[i] = (uint8_t)num; } + *plen = len; + return buffer; } static int get_hash_chain(struct tdb_context *tdb, const char *hex_key) { - TDB_DATA key; + TDB_DATA key = { + .dsize = 0, + }; unsigned int hash; key.dptr = hex_decode(hex_key, &key.dsize); - if (key.dsize == 0) { + if (key.dptr == NULL || key.dsize == 0) { return -1; } hash = tdb_jenkins_hash(&key); diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 02705f1c70c..00d71b97f2a 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -2669,7 +2669,6 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, ADS_STATUS ads_status; #endif /* HAVE_ADS */ const char *pre_connect_realm = NULL; - const char *numeric_dcip = NULL; const char *sitename = NULL; struct netr_DsRGetDCNameInfo *info; const char *dc; @@ -2731,7 +2730,6 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, return WERR_NERR_DCNOTFOUND; } - numeric_dcip = info->dc_address + 2; sitename = info->dc_site_name; /* info goes out of scope but the memory stays allocated on the talloc context */ @@ -2741,8 +2739,9 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, if (pre_connect_realm != NULL) { struct sockaddr_storage ss = {0}; + const char *numeric_dcip = info->dc_address + 2; - if (numeric_dcip != NULL) { + if (numeric_dcip[0] == '\0') { if (!interpret_string_addr(&ss, numeric_dcip, AI_NUMERICHOST)) { DBG_ERR( 
diff --git a/source3/libnet/libnet_join_offline.c b/source3/libnet/libnet_join_offline.c index 33380207209..d1317ddfbea 100644 --- a/source3/libnet/libnet_join_offline.c +++ b/source3/libnet/libnet_join_offline.c @@ -175,6 +175,9 @@ static WERROR libnet_odj_compose_OP_PACKAGE_PART(TALLOC_CTX *mem_ctx, switch (level) { case 1: /* ODJ_GUID_JOIN_PROVIDER */ + if (win7 == NULL) { + return WERR_INVALID_PARAMETER; + } p->Part->win7blob = *win7; break; case 2: /* ODJ_GUID_JOIN_PROVIDER2 */ diff --git a/source3/modules/vfs_cap.c b/source3/modules/vfs_cap.c index 4a47b26c7b9..43c8edb8932 100644 --- a/source3/modules/vfs_cap.c +++ b/source3/modules/vfs_cap.c @@ -448,7 +448,7 @@ static int cap_symlinkat(vfs_handle_struct *handle, int saved_errno = 0; int ret; - if (!capold || !capnew) { + if (capold == NULL) { errno = ENOMEM; return -1; } diff --git a/source3/modules/vfs_crossrename.c b/source3/modules/vfs_crossrename.c index 52b8af9d3f6..930eec02739 100644 --- a/source3/modules/vfs_crossrename.c +++ b/source3/modules/vfs_crossrename.c @@ -82,7 +82,7 @@ static NTSTATUS copy_reg(vfs_handle_struct *handle, full_fname_src = full_path_from_dirfsp_atname(talloc_tos(), srcfsp, source); - if (full_fname_dst == NULL) { + if (full_fname_src == NULL) { status = NT_STATUS_NO_MEMORY; goto out; } diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c index aeaddc5f796..d6aa7e3644e 100644 --- a/source3/modules/vfs_fruit.c +++ b/source3/modules/vfs_fruit.c @@ -1604,6 +1604,12 @@ static int fruit_open_rsrc_adouble(vfs_handle_struct *handle, * on close. */ fio = fruit_get_complete_fio(handle, fsp); + if (fio == NULL) { + DBG_ERR("fio=NULL for [%s]\n", fsp_str_dbg(fsp)); + errno = EBADF; + rc = -1; + goto exit; + } ref_fio = VFS_ADD_FSP_EXTENSION(handle, ad_fsp, struct fio, 
@@ -1780,19 +1786,19 @@ static int fruit_openat(vfs_handle_struct *handle, static int fruit_close_meta(vfs_handle_struct *handle, files_struct *fsp) { - struct fio *fio = fruit_get_complete_fio(handle, fsp); int ret; struct fruit_config_data *config = NULL; SMB_VFS_HANDLE_GET_DATA(handle, config, struct fruit_config_data, return -1); - if (fio == NULL) { - return -1; - } - switch (config->meta) { case FRUIT_META_STREAM: + { + struct fio *fio = fruit_get_complete_fio(handle, fsp); + if (fio == NULL) { + return -1; + } if (fio->fake_fd) { ret = vfs_fake_fd_close(fsp_get_pathref_fd(fsp)); fsp_set_fd(fsp, -1); @@ -1800,7 +1806,7 @@ static int fruit_close_meta(vfs_handle_struct *handle, ret = SMB_VFS_NEXT_CLOSE(handle, fsp); } break; - + } case FRUIT_META_NETATALK: ret = vfs_fake_fd_close(fsp_get_pathref_fd(fsp)); fsp_set_fd(fsp, -1); @@ -1818,7 +1824,6 @@ static int fruit_close_meta(vfs_handle_struct *handle, static int fruit_close_rsrc(vfs_handle_struct *handle, files_struct *fsp) { - struct fio *fio = fruit_get_complete_fio(handle, fsp); int ret; struct fruit_config_data *config = NULL; @@ -1831,10 +1836,16 @@ static int fruit_close_rsrc(vfs_handle_struct *handle, break; case FRUIT_RSRC_ADFILE: + { + struct fio *fio = fruit_get_complete_fio(handle, fsp); + if (fio == NULL) { + return -1; + } fio_close_ad_fsp(fio); ret = vfs_fake_fd_close(fsp_get_pathref_fd(fsp)); fsp_set_fd(fsp, -1); break; + } case FRUIT_RSRC_XATTR: ret = vfs_fake_fd_close(fsp_get_pathref_fd(fsp)); @@ -2448,8 +2459,8 @@ static ssize_t fruit_pread_rsrc_adouble(vfs_handle_struct *handle, struct adouble *ad = NULL; ssize_t nread; - if (fio->ad_fsp == NULL) { - DBG_ERR("ad_fsp=NULL for [%s]\n", fsp_str_dbg(fsp)); + if (fio == NULL || fio->ad_fsp == NULL) { + DBG_ERR("fio/ad_fsp=NULL for [%s]\n", fsp_str_dbg(fsp)); errno = EBADF; return -1; } 
@@ -2876,8 +2887,8 @@ static ssize_t fruit_pwrite_rsrc_adouble(vfs_handle_struct *handle, ssize_t nwritten; int ret; - if (fio->ad_fsp == NULL) { - DBG_ERR("ad_fsp=NULL for [%s]\n", fsp_str_dbg(fsp)); + if (fio == NULL || fio->ad_fsp == NULL) { + DBG_ERR("fio/ad_fsp=NULL for [%s]\n", fsp_str_dbg(fsp)); errno = EBADF; return -1; } @@ -3457,8 +3468,8 @@ static int fruit_fstat_rsrc_adouble(vfs_handle_struct *handle, struct adouble *ad = NULL; int ret; - if (fio->ad_fsp == NULL) { - DBG_ERR("ad_fsp=NULL for [%s]\n", fsp_str_dbg(fsp)); + if (fio == NULL || fio->ad_fsp == NULL) { + DBG_ERR("fio/ad_fsp=NULL for [%s]\n", fsp_str_dbg(fsp)); errno = EBADF; return -1; } @@ -4002,8 +4013,8 @@ static int fruit_ftruncate_rsrc_adouble(struct vfs_handle_struct *handle, struct adouble *ad = NULL; off_t ad_off; - if (fio->ad_fsp == NULL) { - DBG_ERR("ad_fsp=NULL for [%s]\n", fsp_str_dbg(fsp)); + if (fio == NULL || fio->ad_fsp == NULL) { + DBG_ERR("fio/ad_fsp=NULL for [%s]\n", fsp_str_dbg(fsp)); errno = EBADF; return -1; } diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index f3c56a6bef1..5906464a9f3 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -1512,14 +1512,9 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p, unbecome_root(); if (!NT_STATUS_IS_OK(status)) { - const char *computer_name = "<unknown>"; - - if (creds && creds->computer_name) { - computer_name = creds->computer_name; - } - DEBUG(2,("_netr_ServerPasswordSet2: netlogon_creds_server_step " - "failed. Rejecting auth request from client %s machine account %s\n", - r->in.computer_name, computer_name)); + DBG_NOTICE("netlogon_creds_server_step failed. " + "Rejecting auth request from client %s\n", + r->in.computer_name); TALLOC_FREE(creds); return status; } 
@@ -1527,7 +1522,8 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p, DBG_NOTICE("Server Password Set2 by remote " "machine:[%s] on account [%s]\n", r->in.computer_name, - creds->computer_name); + creds->computer_name != NULL ? + creds->computer_name : "<unknown>"); memcpy(password_buf.data, r->in.new_password->data, 512); SIVAL(password_buf.data, 512, r->in.new_password->length); diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c index e63bf6a22d6..5b252d2bf64 100644 --- a/source3/smbd/dosmode.c +++ b/source3/smbd/dosmode.c @@ -1,4 +1,4 @@ -/* +/* Unix SMB/CIFS implementation. dos mode handling functions Copyright (C) Andrew Tridgell 1992-1998 @@ -86,7 +86,7 @@ static uint32_t filter_mode_by_protocol(uint32_t mode) Base permission for files: if creating file and inheriting (i.e. parent_dir != NULL) apply read/write bits from parent directory. - else + else everybody gets read bit set dos readonly is represented in unix by removing everyone's write bit dos archive is represented in unix by the user's execute bit @@ -134,7 +134,7 @@ mode_t unix_mode(connection_struct *conn, int dosmode, smb_fname_str_dbg(smb_fname), (int)dir_mode)); /* Clear "result" */ result = 0; - } + } if (IS_DOS_DIR(dosmode)) { /* We never make directories read only for the owner as under DOS a user @@ -146,14 +146,14 @@ mode_t unix_mode(connection_struct *conn, int dosmode, result |= dir_mode; } else { /* Provisionally add all 'x' bits */ - result |= (S_IXUSR | S_IXGRP | S_IXOTH); + result |= (S_IXUSR | S_IXGRP | S_IXOTH); /* Apply directory mask */ result &= lp_directory_mask(SNUM(conn)); /* Add in force bits */ result |= lp_force_directory_mode(SNUM(conn)); } - } else { + } else { if (lp_map_archive(SNUM(conn)) && IS_DOS_ARCHIVE(dosmode)) result |= S_IXUSR; 
@@ -161,7 +161,7 @@ mode_t unix_mode(connection_struct *conn, int dosmode, result |= S_IXGRP; if (lp_map_hidden(SNUM(conn)) && IS_DOS_HIDDEN(dosmode)) - result |= S_IXOTH; + result |= S_IXOTH; if (dir_mode) { /* Inherit 666 component of parent directory mode */ @@ -917,7 +917,6 @@ int file_set_dosmode(connection_struct *conn, mode_t tmp; mode_t unixmode; int ret = -1, lret = -1; - files_struct *fsp = NULL; NTSTATUS status; if (!CAN_WRITE(conn)) { @@ -1000,7 +999,7 @@ int file_set_dosmode(connection_struct *conn, unixmode |= tmp; } - /* if we previously had any w bits set then leave them alone + /* if we previously had any w bits set then leave them alone whilst adding in the new w bits, if the new mode is not rdonly */ if (!IS_DOS_READONLY(dosmode)) { unixmode |= (smb_fname->st.st_ex_mode & (S_IWUSR|S_IWGRP|S_IWOTH)); @@ -1055,7 +1054,7 @@ int file_set_dosmode(connection_struct *conn, } become_root(); - ret = SMB_VFS_FCHMOD(fsp, unixmode); + ret = SMB_VFS_FCHMOD(smb_fname->fsp, unixmode); unbecome_root(); if (!newfile) { @@ -1180,7 +1179,7 @@ int file_ntimes(connection_struct *conn, /* Don't update the time on read-only shares */ /* We need this as set_filetime (which can be called on close and other paths) can end up calling this function - without the NEED_WRITE protection. Found by : + without the NEED_WRITE protection. Found by : Leo Weppelman <l...@wau.mis.ah.nl> */ -- Samba Shared Repository
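Review bot: in the `hex_decode()` hunk of `tdb_mutex_check.c` the return value of `sscanf(&hex_in[i*2], "%02X", &num)` is still unchecked, so a non-hex character leaves `num` holding whatever it had before (it is declared `int num;` with no initializer) and that stale value is stored into `buffer[i]`; the new zero-length and `malloc()` checks do not cover this case. Suggest `if (sscanf(&hex_in[i*2], "%02X", &num) != 1) { free(buffer); return NULL; }` inside the loop, and rejecting an odd `strlen(hex_in)` before the division, since `len = strlen(hex_in) / 2` silently drops a trailing nibble. A comment that `*plen` is only written on success would also explain why `get_hash_chain()` now zero-initializes `key.dsize` and tests `key.dptr == NULL` first.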
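Review bot: the condition in the last `libnet_join.c` hunk reads as inverted: `if (numeric_dcip[0] == '\0')` calls `interpret_string_addr(&ss, numeric_dcip, AI_NUMERICHOST)` only when the address string is empty, which cannot parse, and skips the lookup whenever a real address is present. The removed `numeric_dcip != NULL` test was always true (the dead-code finding), so the intended replacement is presumably `if (numeric_dcip[0] != '\0')`. Also, `info->dc_address + 2` assumes `dc_address` is at least two characters long; a length check before taking the offset would make that explicit.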
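Review bot: the `win7 == NULL` guard in the level-1 case of `libnet_odj_compose_OP_PACKAGE_PART()` returns `WERR_INVALID_PARAMETER` silently; a `DBG_WARNING` naming the level would help when an offline-join blob is rejected. The level-2 body sits outside the hunk, so confirm it carries the equivalent guard for its own input pointer.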
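Review bot: the `cap_symlinkat()` hunk in `vfs_cap.c` removes the `!capnew` test rather than moving it, and the hunk shows neither where `capnew` is assigned nor whether it is checked after that assignment; confirm a NULL check follows the allocation, otherwise the dead-code fix becomes a possible NULL dereference further down. A one-line comment at the new `capold == NULL` check noting that `capnew` is validated later would document this.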
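Review bot: the `copy_reg()` fix in `vfs_crossrename.c` is correct (`full_fname_src` was allocated but `full_fname_dst` was tested), but the commit message for 4d7ed39fd8f ends mid-sentence ("The code always leaves here as the dst variable"), so the description of the defect is lost and should be completed. Also confirm that `full_fname_dst`, allocated before this hunk, keeps its own NULL check.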
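Review bot: in the `fruit_open_rsrc_adouble()` hunk the new `goto exit` fires after `ad_fsp` exists but before `VFS_ADD_FSP_EXTENSION(handle, ad_fsp, ...)` runs; the `exit` label is outside the hunk, so check that it closes `ad_fsp` on this path rather than leaking the handle. Setting `errno = EBADF` and logging with `DBG_ERR` matches the other `fio == NULL` paths in this file.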
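Review bot: the `fruit_close_meta()` and `fruit_close_rsrc()` hunks return -1 on `fio == NULL` without setting `errno`, while the sibling hunks in this file set `errno = EBADF` and log via `DBG_ERR`; a caller that reports `strerror(errno)` will print a stale value. Suggest the same `DBG_ERR("fio=NULL for [%s]\n", fsp_str_dbg(fsp)); errno = EBADF;` pair here. Moving the lookup into the `FRUIT_META_STREAM` / `FRUIT_RSRC_ADFILE` cases is right, since the `FRUIT_META_NETATALK` and `FRUIT_RSRC_XATTR` paths never use `fio` and previously failed the close for nothing.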
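Review bot: the four `fio == NULL || fio->ad_fsp == NULL` blocks in `fruit_pread_rsrc_adouble()`, `fruit_pwrite_rsrc_adouble()`, `fruit_fstat_rsrc_adouble()` and `fruit_ftruncate_rsrc_adouble()` are identical; a small static helper that returns the `ad_fsp` or NULL with `errno = EBADF` and the `DBG_ERR` message would keep the four copies from drifting the next time one of them changes.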
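Review bot: the first `srv_netlog_nt.c` hunk drops the machine account name (`creds->computer_name`) from the rejection message, so a failed `_netr_ServerPasswordSet2` now logs only `r->in.computer_name`, the name supplied by the client; the account bound to the credentials is what an operator correlating failed password-set attempts needs. The second hunk already shows the NULL-safe form (`creds->computer_name != NULL ? creds->computer_name : "<unknown>"`), so the same expression could keep the account name in the failure path instead of removing it. `DBG_NOTICE` preserves the original `DEBUG(2, ...)` level.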
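Review bot: in the `file_set_dosmode()` hunk `SMB_VFS_FCHMOD(smb_fname->fsp, unixmode)` replaces a local `fsp` that was always NULL, which is the right fix, but nothing in the hunk guards against `smb_fname->fsp` itself being NULL; if this function can be reached for a path that has not been opened, an explicit `if (smb_fname->fsp == NULL) { errno = EBADF; return -1; }` (or an `SMB_ASSERT`) before the `become_root()` block would document the invariant. The remaining `dosmode.c` hunks are trailing-whitespace cleanups from 728600a40f9 and need no comment.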