The branch, master has been updated
       via  d650f884ec1 lib:ldb: Use correct integer types for sizes
       via  17dd13bb4bc lib:ldb: Add missing overflow check in 
ldb_msg_normalize()
       via  82b07bd048e lib:tdb: Add missing overflow check for num_values in 
pytdb.c
       via  e9c4538e272 lib:tdb: Remove trailing spaces from pytdb.c
      from  80159018e41 s3:utils: Fix Inherit-Only flag being automatically 
propagated to children

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d650f884ec1be0745af93020366b9e115670b771
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Apr 30 14:33:51 2024 +0200

    lib:ldb: Use correct integer types for sizes
    
    Error: INTEGER_OVERFLOW (CWE-190):
    ldb-2.9.0/common/ldb_ldif.c:84: tainted_data_return: Called function 
"read(f, buf, size)", and a possible return value may be less than zero.
    ldb-2.9.0/common/ldb_ldif.c:84: cast_overflow: An assign that casts to a 
different type, which might trigger an overflow.
    ldb-2.9.0/common/ldb_ldif.c:92: overflow: The expression "size" is 
considered to have possibly overflowed.
    ldb-2.9.0/common/ldb_ldif.c:84: overflow_sink: "size", which might be 
negative, is passed to "read(f, buf, size)". [Note: The source code 
implementation of the function has been overridden by a builtin model.]
        82|           buf = (char *)value->data;
        83|           while (count < statbuf.st_size) {
        84|->                 bytes = read(f, buf, size);
        85|                   if (bytes == -1) {
        86|                           talloc_free(value->data);
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>
    
    Autobuild-User(master): Volker Lendecke <v...@samba.org>
    Autobuild-Date(master): Tue Apr 30 15:33:32 UTC 2024 on atb-devel-224

commit 17dd13bb4bc9bd38f663c376ee73de6598715da7
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Apr 30 14:27:54 2024 +0200

    lib:ldb: Add missing overflow check in ldb_msg_normalize()
    
    Error: INTEGER_OVERFLOW (CWE-190):
    ldb-2.9.0/common/ldb_msg.c:1235: tainted_data_argument: The check "i < 
msg2->num_elements" contains the tainted expression "i" which causes 
"msg2->num_elements" to be considered tainted.
    ldb-2.9.0/common/ldb_msg.c:1253: overflow: The expression 
"msg2->num_elements - (i + 1U)" is deemed underflowed because at least one of 
its arguments has underflowed.
    ldb-2.9.0/common/ldb_msg.c:1253: overflow: The expression "32UL * 
(msg2->num_elements - (i + 1U))" is deemed underflowed because at least one of 
its arguments has underflowed.
    ldb-2.9.0/common/ldb_msg.c:1253: overflow_sink: "32UL * (msg2->num_elements 
- (i + 1U))", which might have underflowed, is passed to "memmove(el2, el2 + 1, 
32UL * (msg2->num_elements - (i + 1U)))". [Note: The source code implementation 
of the function has been overridden by a builtin model.]
      1251|                           talloc_free(discard_const_p(char, 
el2->name));
      1252|                           if ((i+1) < msg2->num_elements) {
      1253|->                                 memmove(el2, el2+1, sizeof(struct 
ldb_message_element) *
      1254|                                           (msg2->num_elements - 
(i+1)));
      1255|                           }
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>

commit 82b07bd048e8039896be7edec6b83cbd6ff218d9
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Apr 30 14:16:33 2024 +0200

    lib:tdb: Add missing overflow check for num_values in pytdb.c
    
    Error: INTEGER_OVERFLOW (CWE-190):
    tdb-1.4.10/pytdb.c:401: cast_overflow: Truncation due to cast operation on 
"num_values" from 64 to 32 bits.
    tdb-1.4.10/pytdb.c:401: overflow_sink: "num_values", which might have 
overflowed, is passed to "tdb_storev(self->ctx, key, values, num_values, flag)".
      399|           }
      400|
      401|->         ret = tdb_storev(self->ctx, key, values, num_values, flag);
      402|           free(values);
      403|           PyErr_TDB_ERROR_IS_ERR_RAISE(ret, self->ctx);
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>

commit e9c4538e272a32f9fe4dcdabc6f44b95ddfda6e7
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Apr 30 14:16:15 2024 +0200

    lib:tdb: Remove trailing spaces from pytdb.c
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/ldb/common/ldb_ldif.c |  3 ++-
 lib/ldb/common/ldb_msg.c  |  2 +-
 lib/tdb/pytdb.c           | 22 +++++++++++++---------
 3 files changed, 16 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/common/ldb_ldif.c b/lib/ldb/common/ldb_ldif.c
index 96237dd0abf..24a0bcdefa5 100644
--- a/lib/ldb/common/ldb_ldif.c
+++ b/lib/ldb/common/ldb_ldif.c
@@ -45,7 +45,8 @@ static int ldb_read_data_file(TALLOC_CTX *mem_ctx, struct 
ldb_val *value)
 {
        struct stat statbuf;
        char *buf;
-       int count, size, bytes;
+       size_t count, size;
+       ssize_t bytes;
        int ret;
        int f;
        const char *fname = (const char *)value->data;
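Review bot: With `count` and `size` now `size_t`, the loop bound quoted in the commit message, `while (count < statbuf.st_size)`, compares an unsigned value with a signed `off_t`, and any assignment of `st_size` into `size` can truncate on platforms where `off_t` is wider than `size_t`. The body of ldb_read_data_file() lies outside this hunk, so whether `st_size` is range-checked before use cannot be confirmed from here. If it is not, a guard ahead of the allocation such as `if (statbuf.st_size < 0 || (uintmax_t)statbuf.st_size > SIZE_MAX) { /* fail as for a read error */ }` would keep the buffer size and the read loop's bound in agreement.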
diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c
index bbb7ff96233..8477ab2b00b 100644
--- a/lib/ldb/common/ldb_msg.c
+++ b/lib/ldb/common/ldb_msg.c
@@ -1256,7 +1256,7 @@ int ldb_msg_normalize(struct ldb_context *ldb,
                               sizeof(struct ldb_val) * el2->num_values);
                        el1->num_values += el2->num_values;
                        talloc_free(discard_const_p(char, el2->name));
-                       if ((i+1) < msg2->num_elements) {
+                       if ((i + 1 > i) && ((i + 1) < msg2->num_elements)) {
                                memmove(el2, el2+1, sizeof(struct 
ldb_message_element) *
                                        (msg2->num_elements - (i+1)));
                        }
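Review bot: The new `(i + 1 > i)` test in the condition guarding the memmove() is a wraparound check whose purpose is not evident from the code, and it is only meaningful if `i` is unsigned. The Coverity trace's `i + 1U` suggests it is; with a signed `i` the overflow would be undefined and a compiler could drop the test. A short comment would help the next reader, for example `/* i + 1 wraps to 0 at the type's maximum; skip the move rather than pass a huge length to memmove() */`. The declaration of `i` and the loop header are outside this hunk, so the type should be confirmed there.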
diff --git a/lib/tdb/pytdb.c b/lib/tdb/pytdb.c
index 4d75d7a9041..3b1842c02c1 100644
--- a/lib/tdb/pytdb.c
+++ b/lib/tdb/pytdb.c
@@ -1,4 +1,4 @@
-/* 
+/*
    Unix SMB/CIFS implementation.
 
    Python interface to tdb.
@@ -44,7 +44,7 @@ static PyTypeObject PyTdb;
 
 static void PyErr_SetTDBError(TDB_CONTEXT *tdb)
 {
-       PyErr_SetObject(PyExc_RuntimeError, 
+       PyErr_SetObject(PyExc_RuntimeError,
                Py_BuildValue("(i,s)", tdb_error(tdb), tdb_errorstr(tdb)));
 }
 
@@ -294,7 +294,7 @@ static PyObject *obj_nextkey(PyTdbObject *self, PyObject 
*args)
        key = PyBytes_AsTDB_DATA(py_key);
        if (!key.dptr)
                return NULL;
-       
+
        return PyBytes_FromTDB_DATA(tdb_nextkey(self->ctx, key));
 }
 
@@ -383,6 +383,10 @@ static PyObject *obj_storev(PyTdbObject *self, PyObject 
*args)
                PyErr_SetFromErrno(PyExc_OverflowError);
                return NULL;
        }
+       if (num_values > INT_MAX) {
+               PyErr_SetFromErrno(PyExc_OverflowError);
+               return NULL;
+       }
        values = malloc(sizeof(TDB_DATA) * num_values);
        if (values == NULL) {
                PyErr_NoMemory();
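Review bot: The added `num_values > INT_MAX` branch reports the failure with `PyErr_SetFromErrno(PyExc_OverflowError)`, but nothing on this path sets `errno`, so the Python caller gets an OverflowError built from whatever stale errno value is present. `PyErr_SetString(PyExc_OverflowError, "too many values for tdb_storev");` would state the actual cause. The context line just above the addition uses the same call and probably deserves the same change. The start of that earlier check and the rest of obj_storev(), including the `(int)num_values` cast in the next hunk that relies on this guard, are outside this hunk.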
@@ -398,7 +402,7 @@ static PyObject *obj_storev(PyTdbObject *self, PyObject 
*args)
                values[i] = value;
        }
 
-       ret = tdb_storev(self->ctx, key, values, num_values, flag);
+       ret = tdb_storev(self->ctx, key, values, (int)num_values, flag);
        free(values);
        PyErr_TDB_ERROR_IS_ERR_RAISE(ret, self->ctx);
        Py_RETURN_NONE;
@@ -466,7 +470,7 @@ PyTypeObject PyTdbIterator = {
 static PyObject *tdb_object_iter(PyTdbObject *self,
                PyObject *Py_UNUSED(ignored))
 {
-       PyTdbIteratorObject *ret;       
+       PyTdbIteratorObject *ret;
 
        PyErr_TDB_RAISE_IF_CLOSED(self);
 
@@ -514,7 +518,7 @@ static PyObject *obj_increment_seqnum_nonblock(PyTdbObject 
*self,
 }
 
 static PyMethodDef tdb_object_methods[] = {
-       { "transaction_cancel", (PyCFunction)obj_transaction_cancel, 
METH_NOARGS, 
+       { "transaction_cancel", (PyCFunction)obj_transaction_cancel, 
METH_NOARGS,
                "S.transaction_cancel() -> None\n"
                "Cancel the currently active transaction." },
        { "transaction_commit", (PyCFunction)obj_transaction_commit, 
METH_NOARGS,
@@ -713,9 +717,9 @@ static int obj_setitem(PyTdbObject *self, PyObject *key, 
PyObject *value)
 
        tkey = PyBytes_AsTDB_DATA(key);
 
-       if (value == NULL) { 
+       if (value == NULL) {
                ret = tdb_delete(self->ctx, tkey);
-       } else { 
+       } else {
                if (!PyBytes_Check(value)) {
                        PyErr_SetString(PyExc_TypeError, "Expected string as 
value");
                        return -1;
@@ -729,7 +733,7 @@ static int obj_setitem(PyTdbObject *self, PyObject *key, 
PyObject *value)
        if (ret != 0) {
                PyErr_SetTDBError(self->ctx);
                return -1;
-       } 
+       }
 
        return ret;
 }


-- 
Samba Shared Repository
