The branch, master has been updated via 26c56ae51ec s3:rpc_server: Initialize array via 742e5b48ae1 s4:torture: Initialize pointer with NULL via b7c45f9c4fb examples: Initialize char arrays via 0131e4737c2 s3:smbd: Fix invalid memory free via 94b8fa41346 s3:smbd: Remove trailing spaces in seal.c via 982c6b2bfac s3:smbd: Remove trailing spaces in smb1_process.c via 8abda0a1341 s3:registry: Use correct integer sizes via 6cadb1d695e s3:registry: Check for integer overflow from 2a6805cc823 third_party: Update nss_wrapper to version 1.1.16
https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 26c56ae51ec1315846d72f5dfcf65cf3ed44456c
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Jul 2 11:41:41 2024 +0200

    s3:rpc_server: Initialize array

    "Error: UNINIT (CWE-457):
    samba-4.20.0rc2/source3/rpc_server/svcctl/srv_svcctl_nt.c:163: var_decl: Declaring variable "ace" without initializer.
    samba-4.20.0rc2/source3/rpc_server/svcctl/srv_svcctl_nt.c:182: uninit_use_in_call: Using uninitialized value "*ace". Field "ace->object" is uninitialized when calling "make_sec_acl".
    180| /* create the security descriptor */
    181|
    182|-> if ( !(theacl = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) )
    183| return NULL;
    184|"

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>

    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Mon Jul 8 08:37:46 UTC 2024 on atb-devel-224

commit 742e5b48ae18c84f0a008cfdfa40c1901aef8b05
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Jul 2 11:37:25 2024 +0200

    s4:torture: Initialize pointer with NULL

    "Error: UNINIT (CWE-457):
    samba-4.20.0rc2/source4/torture/rpc/samsync.c:342: var_decl: Declaring variable "dom_sid" without initializer.
    samba-4.20.0rc2/source4/torture/rpc/samsync.c:385: uninit_use_in_call: Using uninitialized value "dom_sid" when calling "dom_sid_dup".
    383| }
    384| if (samsync_state->domain_handle[database_id]) {
    385|-> samsync_state->sid[database_id] = dom_sid_dup(samsync_state, dom_sid);
    386| }
    387|"
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>

commit b7c45f9c4fb080cbd8742551dce94171bf871fb3
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Jun 28 14:36:59 2024 +0200

    examples: Initialize char arrays

    "Error: UNINIT (CWE-457):
    samba-4.20.0rc2/examples/libsmbclient/testacl.c:35: var_decl: Declaring variable "value" without initializer.
    samba-4.20.0rc2/examples/libsmbclient/testacl.c:254: uninit_use_in_call: Using uninitialized value "*value" as argument to "%s" when calling "printf". [Note: The source code implementation of the function has been overridden by a builtin model.]
    252| }
    253|
    254|-> printf("Attributes for [%s] are:\n%s\n", path, value);
    255|
    256| if (stat_and_retry)"

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>

commit 0131e4737c2da46a7b1f492c67d851ee9f860ed2
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Jun 26 16:11:57 2024 +0200

    s3:smbd: Fix invalid memory free

    "Error: BAD_FREE (CWE-590):
    samba-4.20.0rc2/source3/smbd/smb1_process.c:1485: array_free: "smb1_srv_send" frees array "errbuf".
    1483| char errbuf[smb_size];
    1484| error_packet(errbuf, 0, 0, status, __LINE__, __FILE__);
    1485|-> if (!smb1_srv_send(req->xconn,
    1486| errbuf,
    1487| true,"

    Pair-Programmed-With: Ralph Boehme <s...@samba.org>

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>

commit 94b8fa41346f5aefae21515bb8d1d46e2a71d485
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Jun 26 16:14:47 2024 +0200

    s3:smbd: Remove trailing spaces in seal.c

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>

commit 982c6b2bfac32b3d7a034252bfc8410c96f27992
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Jun 26 16:13:09 2024 +0200

    s3:smbd: Remove trailing spaces in smb1_process.c
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>

commit 8abda0a134168c63f70877f120fc0b02bf557a02
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Jun 26 14:32:41 2024 +0200

    s3:registry: Use correct integer sizes

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>

commit 6cadb1d695ef1d45d2b64c8ad95cc442658f0991
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Jun 26 14:31:48 2024 +0200

    s3:registry: Check for integer overflow

    "Error: INTEGER_OVERFLOW (CWE-190):
    samba-4.20.0rc2/source3/registry/regfio.c:175: tainted_data_argument: The check "bytes_read < block_size" contains the tainted expression "bytes_read" which causes "block_size" to be considered tainted.
    samba-4.20.0rc2/source3/registry/regfio.c:176: overflow: The expression "block_size - bytes_read" is deemed overflowed because at least one of its arguments has overflowed.
    samba-4.20.0rc2/source3/registry/regfio.c:176: overflow_sink: "block_size - bytes_read", which might have underflowed, is passed to "read(file->fd, buffer + bytes_read, block_size - bytes_read)". [Note: The source code implementation of the function has been overridden by a builtin model.]
    174|
    175| while ( bytes_read < block_size ) {
    176|-> if ( (returned = read( file->fd, buffer+bytes_read, block_size-bytes_read )) == -1 ) {
    177| DEBUG(0,("read_block: read() failed (%s)\n", strerror(errno) ));
    178| return False;"

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 examples/libsmbclient/testacl.c           |  4 ++--
 source3/registry/regfio.c                 |  6 +++++-
 source3/rpc_server/svcctl/srv_svcctl_nt.c |  2 +-
 source3/smbd/seal.c                       |  8 ++------
 source3/smbd/smb1_process.c               | 13 +++++++------
 source4/torture/rpc/samsync.c             |  2 +-
 6 files changed, 18 insertions(+), 17 deletions(-)


Changeset truncated at 500 lines:
diff --git a/examples/libsmbclient/testacl.c b/examples/libsmbclient/testacl.c
index e0e4eeb24d0..89d766d5064 100644
--- a/examples/libsmbclient/testacl.c
+++ b/examples/libsmbclient/testacl.c
@@ -31,8 +31,8 @@ int main(int argc, const char *argv[])
  int ret;
  char *p;
  const char *debugstr;
- char path[1024];
- char value[1024];
+ char path[1024] = {};
+ char value[1024] = {};
  poptContext pc;
  struct stat st;
  struct poptOption long_options[] =
diff --git a/source3/registry/regfio.c b/source3/registry/regfio.c
index e7bb8d18f8f..2ddac2179b2 100644
--- a/source3/registry/regfio.c
+++ b/source3/registry/regfio.c
@@ -115,7 +115,7 @@ static int write_block( REGF_FILE *file, prs_struct *ps, uint32_t offset ) static int read_block( REGF_FILE *file, prs_struct *ps, uint32_t file_offset, uint32_t block_size ) { - int bytes_read, returned; + ssize_t bytes_read, returned; char *buffer; SMB_STRUCT_STAT sbuf;
@@ -182,6 +182,10 @@ static int read_block( REGF_FILE *file, prs_struct *ps, uint32_t file_offset, ui return False; } + if (returned < 0 || bytes_read > SSIZE_MAX - returned) { + DBG_ERR("Integer overflow\n"); + return false; + } bytes_read += returned; }
diff --git a/source3/rpc_server/svcctl/srv_svcctl_nt.c b/source3/rpc_server/svcctl/srv_svcctl_nt.c
index c1df2f65b6f..0bac31efac3 100644
--- a/source3/rpc_server/svcctl/srv_svcctl_nt.c
+++ b/source3/rpc_server/svcctl/srv_svcctl_nt.c
@@ -160,7 +160,7 @@ static NTSTATUS svcctl_access_check( struct security_descriptor *sec_desc, struc static struct security_descriptor* construct_scm_sd( TALLOC_CTX *ctx ) { - struct security_ace ace[2]; + struct security_ace ace[2] = {}; size_t i = 0; struct security_descriptor *sd; struct security_acl *theacl;
diff --git a/source3/smbd/seal.c b/source3/smbd/seal.c
index 8a0dbeb2bf4..0f1ceaf4044 100644
--- a/source3/smbd/seal.c
+++ b/source3/smbd/seal.c
@@ -1,4 +1,4 @@
-/* 
+/*
  Unix SMB/CIFS implementation.
  SMB Transport encryption (sealing) code - server code.
  Copyright (C) Jeremy Allison 2007.
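Review bot: The new guard in read_block handles the overflow but not a zero-length read: if `read()` returns 0 because the hive file is shorter than `file_offset + block_size`, `bytes_read` never advances and `while ( bytes_read < block_size )` loops forever, which matters because regfio parses untrusted registry hive files. Unless the stat-based check earlier in read_block (outside the hunk, via `SMB_STRUCT_STAT sbuf`) already guarantees the bytes exist, add `if (returned == 0) { DBG_ERR("read_block: short read\n"); return False; }` ahead of the overflow test; the `returned < 0` half of the new condition is already excluded by the `== -1` check just above the hunk. The added `return false;` also sits next to the function's existing `return False;`, so one spelling should be chosen. read_block starts and ends outside this hunk.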
@@ -139,11 +139,7 @@ static NTSTATUS make_srv_encryption_context(const struct tsocket_address *remote void srv_free_enc_buffer(struct smbXsrv_connection *xconn, char *buf) { - /* We know this is an smb buffer, and we * didn't malloc, only copy, for a keepalive, * so ignore non-session messages. */ - - if(CVAL(buf,0)) { + if (buf == NULL) { return; }
diff --git a/source3/smbd/smb1_process.c b/source3/smbd/smb1_process.c
index 9b5a1bb1602..a1970b9e252 100644
--- a/source3/smbd/smb1_process.c
+++ b/source3/smbd/smb1_process.c
@@ -1,4 +1,4 @@
-/* 
+/*
  Unix SMB/CIFS implementation.
  process incoming packets - main loop
  Copyright (C) Andrew Tridgell 1992-1998
@@ -217,6 +217,7 @@ bool smb1_srv_send(struct smbXsrv_connection *xconn, size_t len = 0; ssize_t ret; char *buf_out = buffer; + char *encrypted_buf = NULL; if (!NT_STATUS_IS_OK(xconn->transport.status)) { /*
@@ -240,7 +241,7 @@ bool smb1_srv_send(struct smbXsrv_connection *xconn, } if (do_encrypt) { - NTSTATUS status = srv_encrypt_buffer(xconn, buffer, &buf_out); + NTSTATUS status = srv_encrypt_buffer(xconn, buffer, &encrypted_buf); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("send_smb: SMB encryption failed " "on outgoing packet! Error %s\n",
@@ -248,11 +249,13 @@ bool smb1_srv_send(struct smbXsrv_connection *xconn, ret = -1; goto out; } + buf_out = encrypted_buf; } len = smb_len_large(buf_out) + 4; ret = write_data(xconn->transport.sock, buf_out, len); + srv_free_enc_buffer(xconn, encrypted_buf); if (ret <= 0) { int saved_errno = errno; /*
@@ -265,11 +268,9 @@ bool smb1_srv_send(struct smbXsrv_connection *xconn, (int)ret, strerror(saved_errno))); errno = saved_errno; - srv_free_enc_buffer(xconn, buf_out); goto out; } - srv_free_enc_buffer(xconn, buf_out); out: smbd_unlock_socket(xconn); return (ret > 0);
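Review bot: The rewritten guard in srv_free_enc_buffer changes the function's contract without saying so: it used to look at the first byte to skip non-session buffers that were copied rather than allocated, and now frees any non-NULL pointer it is handed, so a caller that still passes the plaintext SMB buffer would free memory it does not own. smb1_srv_send is adapted in this same commit; whether other callers exist is not visible here and is worth checking before merging. A comment stating the new precondition would make this explicit, e.g. `/* buf must be NULL or a buffer returned by srv_encrypt_buffer(); the caller keeps ownership of the plaintext packet. */`. The body of srv_free_enc_buffer continues past the hunk.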
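Review bot: In the `@@ -248,11 +249,13 @@` hunk of smb1_process.c, `srv_free_enc_buffer(xconn, encrypted_buf);` now runs between `write_data()` and `int saved_errno = errno;`, so if the free path or anything it calls modifies errno, the `strerror(saved_errno)` logged and the errno restored to the caller describe the wrong failure; before this change the free happened only after errno had been saved. Capture errno first: `ret = write_data(xconn->transport.sock, buf_out, len);` / `saved_errno = errno;` / `srv_free_enc_buffer(xconn, encrypted_buf);`, with `saved_errno` declared next to `ret` and the `int saved_errno = errno;` inside the `if` dropped. Whether srv_free_enc_buffer actually touches errno is not visible here, but the ordering is cheap to make safe. smb1_srv_send starts and ends outside the hunk.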
@@ -642,7 +643,7 @@ NTSTATUS allow_new_trans(struct trans_state *list, uint64_t mid) } /* -These flags determine some of the permissions required to do an operation +These flags determine some of the permissions required to do an operation Note that I don't set NEED_WRITE on some write operations because they are used by some brain-dead clients when printing, and I don't want to
@@ -655,7 +656,7 @@ force write permissions on print services. #define AS_GUEST (1<<5) /* Must *NOT* be paired with AS_USER */ #define DO_CHDIR (1<<6) -/* +/* define a list of possible SMB messages and their corresponding functions. Any message that has a NULL function is unimplemented - please feel free to contribute implementations!
diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c
index a8541d34641..9111df9feed 100644
--- a/source4/torture/rpc/samsync.c
+++ b/source4/torture/rpc/samsync.c
@@ -339,7 +339,7 @@ static bool samsync_handle_domain(struct torture_context *tctx, TALLOC_CTX *mem_
  int database_id, struct netr_DELTA_ENUM *delta)
 {
  struct netr_DELTA_DOMAIN *domain = delta->delta_union.domain;
- struct dom_sid *dom_sid;
+ struct dom_sid *dom_sid = NULL;
  struct samr_QueryDomainInfo q[14]; /* q[0] will be unused simple for clarity */
  union samr_DomainInfo *info[14];
  uint16_t levels[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13};
-- 
Samba Shared Repository
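Review bot: Initialising `dom_sid` to NULL in samsync_handle_domain silences the analyzer, but the finding quoted in the commit message is that the `if (samsync_state->domain_handle[database_id])` branch can reach `dom_sid_dup(samsync_state, dom_sid)` with `dom_sid` never assigned; after this change that call receives NULL instead of garbage, and whether dom_sid_dup tolerates a NULL source is not visible here. If it does not, guard the call, `if (dom_sid != NULL) { samsync_state->sid[database_id] = dom_sid_dup(samsync_state, dom_sid); }`, or treat an unset `dom_sid` as a test failure. The function body continues outside the hunk.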