The branch, master has been updated via d650f884ec1 lib:ldb: Use correct integer types for sizes via 17dd13bb4bc lib:ldb: Add missing overflow check in ldb_msg_normalize() via 82b07bd048e lib:tdb: Add missing overflow check for num_values in pytdb.c via e9c4538e272 lib:tdb: Remove trailing spaces from pytdb.c from 80159018e41 s3:utils: Fix Inherit-Only flag being automatically propagated to children
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit d650f884ec1be0745af93020366b9e115670b771 Author: Andreas Schneider <a...@samba.org> Date: Tue Apr 30 14:33:51 2024 +0200 lib:ldb: Use correct integer types for sizes Error: INTEGER_OVERFLOW (CWE-190): ldb-2.9.0/common/ldb_ldif.c:84: tainted_data_return: Called function "read(f, buf, size)", and a possible return value may be less than zero. ldb-2.9.0/common/ldb_ldif.c:84: cast_overflow: An assign that casts to a different type, which might trigger an overflow. ldb-2.9.0/common/ldb_ldif.c:92: overflow: The expression "size" is considered to have possibly overflowed. ldb-2.9.0/common/ldb_ldif.c:84: overflow_sink: "size", which might be negative, is passed to "read(f, buf, size)". [Note: The source code implementation of the function has been overridden by a builtin model.] 82| buf = (char *)value->data; 83| while (count < statbuf.st_size) { 84|-> bytes = read(f, buf, size); 85| if (bytes == -1) { 86| talloc_free(value->data); 
Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Volker Lendecke <v...@samba.org> Autobuild-User(master): Volker Lendecke <v...@samba.org> Autobuild-Date(master): Tue Apr 30 15:33:32 UTC 2024 on atb-devel-224 commit 17dd13bb4bc9bd38f663c376ee73de6598715da7 Author: Andreas Schneider <a...@samba.org> Date: Tue Apr 30 14:27:54 2024 +0200 lib:ldb: Add missing overflow check in ldb_msg_normalize() Error: INTEGER_OVERFLOW (CWE-190): ldb-2.9.0/common/ldb_msg.c:1235: tainted_data_argument: The check "i < msg2->num_elements" contains the tainted expression "i" which causes "msg2->num_elements" to be considered tainted. ldb-2.9.0/common/ldb_msg.c:1253: overflow: The expression "msg2->num_elements - (i + 1U)" is deemed underflowed because at least one of its arguments has underflowed. ldb-2.9.0/common/ldb_msg.c:1253: overflow: The expression "32UL * (msg2->num_elements - (i + 1U))" is deemed underflowed because at least one of its arguments has underflowed. ldb-2.9.0/common/ldb_msg.c:1253: overflow_sink: "32UL * (msg2->num_elements - (i + 1U))", which might have underflowed, is passed to "memmove(el2, el2 + 1, 32UL * (msg2->num_elements - (i + 1U)))". [Note: The source code implementation of the function has been overridden by a builtin model.] 1251| talloc_free(discard_const_p(char, el2->name)); 1252| if ((i+1) < msg2->num_elements) { 1253|-> memmove(el2, el2+1, sizeof(struct ldb_message_element) * 1254| (msg2->num_elements - (i+1))); 1255| } 
Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Volker Lendecke <v...@samba.org> commit 82b07bd048e8039896be7edec6b83cbd6ff218d9 Author: Andreas Schneider <a...@samba.org> Date: Tue Apr 30 14:16:33 2024 +0200 lib:tdb: Add missing overflow check for num_values in pytdb.c Error: INTEGER_OVERFLOW (CWE-190): tdb-1.4.10/pytdb.c:401: cast_overflow: Truncation due to cast operation on "num_values" from 64 to 32 bits. tdb-1.4.10/pytdb.c:401: overflow_sink: "num_values", which might have overflowed, is passed to "tdb_storev(self->ctx, key, values, num_values, flag)". 399| } 400| 401|-> ret = tdb_storev(self->ctx, key, values, num_values, flag); 402| free(values); 403| PyErr_TDB_ERROR_IS_ERR_RAISE(ret, self->ctx); Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Volker Lendecke <v...@samba.org> commit e9c4538e272a32f9fe4dcdabc6f44b95ddfda6e7 Author: Andreas Schneider <a...@samba.org> Date: Tue Apr 30 14:16:15 2024 +0200 lib:tdb: Remove trailing spaces from pytdb.c Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Volker Lendecke <v...@samba.org> ----------------------------------------------------------------------- Summary of changes: lib/ldb/common/ldb_ldif.c | 3 ++- lib/ldb/common/ldb_msg.c | 2 +- lib/tdb/pytdb.c | 22 +++++++++++++--------- 3 files changed, 16 insertions(+), 11 deletions(-) Changeset truncated at 500 lines:
diff --git a/lib/ldb/common/ldb_ldif.c b/lib/ldb/common/ldb_ldif.c
index 96237dd0abf..24a0bcdefa5 100644
--- a/lib/ldb/common/ldb_ldif.c
+++ b/lib/ldb/common/ldb_ldif.c
@@ -45,7 +45,8 @@ static int ldb_read_data_file(TALLOC_CTX *mem_ctx, struct ldb_val *value)
 {
 struct stat statbuf;
 char *buf;
- int count, size, bytes;
+ size_t count, size;
+ ssize_t bytes;
 int ret;
 int f;
 const char *fname = (const char *)value->data;
diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c
index bbb7ff96233..8477ab2b00b 100644
--- a/lib/ldb/common/ldb_msg.c
+++ b/lib/ldb/common/ldb_msg.c
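Review bot: With `count` and `size` now `size_t` in ldb_read_data_file(), the loop condition quoted in the commit message, `while (count < statbuf.st_size)`, compares an unsigned value with the signed `off_t` field, and whatever statement initialises `size` from `st_size` (outside this hunk) now converts implicitly. Because the file name comes from `value->data`, I would range-check the size once after the stat call and work with the converted value from then on, for example `if (statbuf.st_size < 0 || (uintmax_t)statbuf.st_size > SIZE_MAX)` leading to the existing error return. The excerpt also shows only `bytes == -1` being tested after `read()`; if nothing later in the body handles a return of 0, a file that shrinks between the stat and the read would keep the loop running, so treating `bytes == 0` as an error or loop exit is worth adding. The function body starts and ends outside the hunk, so both points need confirming against the full source.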
@@ -1256,7 +1256,7 @@ int ldb_msg_normalize(struct ldb_context *ldb, sizeof(struct ldb_val) * el2->num_values); el1->num_values += el2->num_values; talloc_free(discard_const_p(char, el2->name)); - if ((i+1) < msg2->num_elements) { + if ((i + 1 > i) && ((i + 1) < msg2->num_elements)) { memmove(el2, el2+1, sizeof(struct ldb_message_element) * (msg2->num_elements - (i+1))); } diff --git a/lib/tdb/pytdb.c b/lib/tdb/pytdb.c index 4d75d7a9041..3b1842c02c1 100644 --- a/lib/tdb/pytdb.c +++ b/lib/tdb/pytdb.c @@ -1,4 +1,4 @@ -/* +/* Unix SMB/CIFS implementation. Python interface to tdb. @@ -44,7 +44,7 @@ static PyTypeObject PyTdb; static void PyErr_SetTDBError(TDB_CONTEXT *tdb) { - PyErr_SetObject(PyExc_RuntimeError, + PyErr_SetObject(PyExc_RuntimeError, Py_BuildValue("(i,s)", tdb_error(tdb), tdb_errorstr(tdb))); } @@ -294,7 +294,7 @@ static PyObject *obj_nextkey(PyTdbObject *self, PyObject *args) key = PyBytes_AsTDB_DATA(py_key); if (!key.dptr) return NULL; - + return PyBytes_FromTDB_DATA(tdb_nextkey(self->ctx, key)); } @@ -383,6 +383,10 @@ static PyObject *obj_storev(PyTdbObject *self, PyObject *args) PyErr_SetFromErrno(PyExc_OverflowError); return NULL; } + if (num_values > INT_MAX) { + PyErr_SetFromErrno(PyExc_OverflowError); + return NULL; + } values = malloc(sizeof(TDB_DATA) * num_values); if (values == NULL) { PyErr_NoMemory(); @@ -398,7 +402,7 @@ static PyObject *obj_storev(PyTdbObject *self, PyObject *args) values[i] = value; } - ret = tdb_storev(self->ctx, key, values, num_values, flag); + ret = tdb_storev(self->ctx, key, values, (int)num_values, flag); free(values); PyErr_TDB_ERROR_IS_ERR_RAISE(ret, self->ctx); Py_RETURN_NONE; @@ -466,7 +470,7 @@ PyTypeObject PyTdbIterator = { static PyObject *tdb_object_iter(PyTdbObject *self, PyObject *Py_UNUSED(ignored)) { - PyTdbIteratorObject *ret; + PyTdbIteratorObject *ret; PyErr_TDB_RAISE_IF_CLOSED(self); 
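Review bot: The added `(i + 1 > i)` guard in ldb_msg_normalize() is not self-explanatory, and it only works as a wrap check if `i` is unsigned, which the Coverity trace (`i + 1U`) suggests but the hunk does not show; with a signed index the compiler would be free to fold it to true. A comment on that line would make the intent reviewable, e.g. `/* i + 1 must not wrap before it is used in the memmove() length */`. If the loop condition `i < msg2->num_elements` cited in the commit message is guaranteed at this point, a form without the addition such as `if (msg2->num_elements - i > 1) {` expresses the same bound more directly. The loop that declares and updates `i` lies outside the hunk.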
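Review bot: The new `num_values > INT_MAX` branch in obj_storev() raises with `PyErr_SetFromErrno(PyExc_OverflowError)`, but nothing on that path sets `errno`, so the exception carries whatever stale value happens to be there instead of describing the rejected input. `PyErr_SetString(PyExc_OverflowError, "too many values for tdb_storev()");` would state the cause directly; the existing branch visible in the context lines just above follows the same pattern and could be changed with it. With the bound in place the `(int)num_values` cast in the following hunk is safe on the upper side. Whether a negative `num_values` is rejected earlier is not visible, because the function body starts outside the hunk.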
@@ -514,7 +518,7 @@ static PyObject *obj_increment_seqnum_nonblock(PyTdbObject *self, } static PyMethodDef tdb_object_methods[] = { - { "transaction_cancel", (PyCFunction)obj_transaction_cancel, METH_NOARGS, + { "transaction_cancel", (PyCFunction)obj_transaction_cancel, METH_NOARGS, "S.transaction_cancel() -> None\n" "Cancel the currently active transaction." }, { "transaction_commit", (PyCFunction)obj_transaction_commit, METH_NOARGS, @@ -713,9 +717,9 @@ static int obj_setitem(PyTdbObject *self, PyObject *key, PyObject *value) tkey = PyBytes_AsTDB_DATA(key); - if (value == NULL) { + if (value == NULL) { ret = tdb_delete(self->ctx, tkey); - } else { + } else { if (!PyBytes_Check(value)) { PyErr_SetString(PyExc_TypeError, "Expected string as value"); return -1; @@ -729,7 +733,7 @@ static int obj_setitem(PyTdbObject *self, PyObject *key, PyObject *value) if (ret != 0) { PyErr_SetTDBError(self->ctx); return -1; - } + } return ret; } -- Samba Shared Repository