[SCM] Samba Shared Repository - branch master updated

2020-08-08 Thread Douglas Bagnall
The branch, master has been updated
   via  a97c78fb221 lzxpress: add bounds checking to lzxpress_decompress()
  from  f50987df038 winbind: directly use 
dcerpc_binding_handle_is_connected() in reset_connection_on_error() SAMR code

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a97c78fb221a2f1aaca2effdb44c51e4f78ddd93
Author: Stefan Metzmacher 
Date:   Thu Nov 7 10:03:36 2019 +0100

lzxpress: add bounds checking to lzxpress_decompress()

lzxpress_decompress() would wander past the end of the array in
numerous locations.

Credit to OSS-Fuzz.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14190
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19382
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22485
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22667

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Douglas Bagnall 
Autobuild-Date(master): Sun Aug  9 00:30:26 UTC 2020 on sn-devel-184

---

Summary of changes:
 lib/compression/lzxpress.c | 32 ++--
 1 file changed, 30 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/compression/lzxpress.c b/lib/compression/lzxpress.c
index 024aba4c2ce..d8326304455 100644
--- a/lib/compression/lzxpress.c
+++ b/lib/compression/lzxpress.c
@@ -252,8 +252,24 @@ ssize_t lzxpress_decompress(const uint8_t *input,
offset = 0;
nibble_index = 0;
 
+#define __CHECK_BYTES(__size, __index, __needed) do { \
+   if (unlikely(__index >= __size)) { \
+   return -1; \
+   } else { \
+   uint32_t __avail = __size - __index; \
+   if (unlikely(__needed > __avail)) { \
+   return -1; \
+   } \
+   } \
+} while(0)
+#define CHECK_INPUT_BYTES(__needed) \
+   __CHECK_BYTES(input_size, input_index, __needed)
+#define CHECK_OUTPUT_BYTES(__needed) \
+   __CHECK_BYTES(max_output_size, output_index, __needed)
+
do {
if (indicator_bit == 0) {
+   CHECK_INPUT_BYTES(4);
indicator = PULL_LE_UINT32(input, input_index);
input_index += sizeof(uint32_t);
indicator_bit = 32;
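Review bot: The `__CHECK_BYTES` macro at lines 53-62 uses its arguments unparenthesized in `__index >= __size` and `__needed > __avail`, so an argument expression with lower precedence than `>=` (a conditional, a bitwise op) would be mis-evaluated; with the literal counts passed today this is harmless, but the usual hygiene is `if (unlikely((__index) >= (__size)))` and `if (unlikely((__needed) > __avail))`. The double-underscore names (`__CHECK_BYTES`, `__size`, `__avail`) also sit in the identifier space C reserves for the implementation; a plain-name scheme such as `check_bytes`/`avail` avoids that. `__avail` is declared `uint32_t`, which silently narrows if `input_size`/`max_output_size` are wider than 32 bits — their declarations are in the signature cut off above this hunk, so confirm they are `uint32_t`. Since the macros are defined inside the function body, an `#undef` after the loop would keep them from leaking into the rest of the translation unit.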
@@ -266,10 +282,13 @@ ssize_t lzxpress_decompress(const uint8_t *input,
 * check whether the 4th bit of the value in indicator is set
 */
if (((indicator >> indicator_bit) & 1) == 0) {
+   CHECK_INPUT_BYTES(1);
+   CHECK_OUTPUT_BYTES(1);
output[output_index] = input[input_index];
input_index += sizeof(uint8_t);
output_index += sizeof(uint8_t);
} else {
+   CHECK_INPUT_BYTES(2);
length = PULL_LE_UINT16(input, input_index);
input_index += sizeof(uint16_t);
offset = length / 8;
@@ -277,6 +296,7 @@ ssize_t lzxpress_decompress(const uint8_t *input,
 
if (length == 7) {
if (nibble_index == 0) {
+   CHECK_INPUT_BYTES(1);
nibble_index = input_index;
length = input[input_index] % 16;
input_index += sizeof(uint8_t);
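Review bot: `nibble_index = input_index` at line 93 stores an index that has just passed `CHECK_INPUT_BYTES(1)`, and the else branch (outside this hunk) presumably reads `input[nibble_index]` back without a check of its own; that is only safe because of this ordering, and it deserves a comment so the next bounds audit does not flag the unchecked read: `/* index was bounds-checked above; the high nibble is read from input[nibble_index] later without rechecking */`. Using 0 as the "no nibble pending" sentinel (reset at line 51) additionally relies on `input_index` never being 0 here, which appears to hold because the 4-byte indicator word read in the first hunk precedes any match token — worth stating in the same comment, since the loop's initial state is set above the hunk. The enclosing `if (length == 7)` block continues past this hunk.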
@@ -286,9 +306,11 @@ ssize_t lzxpress_decompress(const uint8_t *input,
}
 
if (length == 15) {
+   CHECK_INPUT_BYTES(1);
length = input[input_index];
input_index += sizeof(uint8_t);
if (length == 255) {
+   CHECK_INPUT_BYTES(2);
length = PULL_LE_UINT16(input, 
input_index);
input_index += sizeof(uint16_t);
length -= (15 + 7);
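Review bot: `length -= (15 + 7)` at line 108 is applied to the raw 16-bit value without first rejecting values below 22, so a malformed stream is accepted at this point and `length` wraps in the intermediate if it is unsigned (its declaration is above the hunk). The `if (length == 0) return -1;` the commit adds after `length += 3` in the next hunk catches only one specific wrapped value rather than the whole invalid range, and whatever output-side check handles the rest is in the truncated part of the diff. An explicit guard before the subtraction states the invariant directly: `if (length < (15 + 7)) { return -1; }`, which as far as I recall matches the rejection the MS-XCA decompression pseudocode specifies for this case. The enclosing `if (length == 15)` block continues past this hunk.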
@@ -299,10 +321,16 @@ ssize_t lzxpress_decompress(const uint8_t *input,
}
 
length += 3;
+   if (length == 0) {
+   return -1;
+   }
 
-   do {
-   if ((output_index >= max_output_size) || 
((offset + 1) > output_index)) break;
+   if (offset >= output_index) {
+   return -1;
+   

[SCM] Samba Shared Repository - branch master updated

2020-08-08 Thread Stefan Metzmacher
The branch, master has been updated
   via  f50987df038 winbind: directly use 
dcerpc_binding_handle_is_connected() in reset_connection_on_error() SAMR code
   via  19ef9c40f14 s3:rpc_client: reverse 
rpccli_{is_connected,set_timeout}() and rpccli_bh_{is_connected,set_timeout}()
  from  6a9c7859281 s3: libsmb: Cleanup - Remove the last use of a struct 
sockaddr_storage variable in dsgetdcname.c

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit f50987df038846f0052d4c33bb534af9f2c79061
Author: Ralph Boehme 
Date:   Fri Aug 7 12:07:28 2020 +0200

winbind: directly use dcerpc_binding_handle_is_connected() in 
reset_connection_on_error() SAMR code

In the end we should avoid rpccli_is_connected(), rpccli_set_timeout() and 
the
whole rpc_pipe_client concept.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14457

Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Ralph Boehme 
Signed-off-by: Stefan Metzmacher 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Sat Aug  8 10:59:38 UTC 2020 on sn-devel-184

commit 19ef9c40f14f91fcae6874d9f94540dd850e308b
Author: Stefan Metzmacher 
Date:   Fri Aug 7 15:57:15 2020 +0200

s3:rpc_client: reverse rpccli_{is_connected,set_timeout}() and 
rpccli_bh_{is_connected,set_timeout}()

rpccli->transport should never be used directly,
everything should go via the binding handle.

Internal pipes don't have a transport, so p->transport is always
NULL. rpccli_is_connected() checks this and this causes all SAMR and LSA
requests for the local domain to be processed a second time by the triggered
retry logic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14457

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Ralph Boehme 

---

Summary of changes:
 source3/rpc_client/cli_pipe.c| 46 
 source3/winbindd/winbindd_samr.c |  3 ++-
 2 files changed, 34 insertions(+), 15 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 8227ef0b0bd..074d01828ad 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2158,22 +2158,16 @@ NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
 unsigned int rpccli_set_timeout(struct rpc_pipe_client *rpc_cli,
unsigned int timeout)
 {
-   unsigned int old;
-
-   if (rpc_cli->transport == NULL) {
-   return RPCCLI_DEFAULT_TIMEOUT;
-   }
-
-   if (rpc_cli->transport->set_timeout == NULL) {
+   if (rpc_cli == NULL) {
return RPCCLI_DEFAULT_TIMEOUT;
}
 
-   old = rpc_cli->transport->set_timeout(rpc_cli->transport->priv, 
timeout);
-   if (old == 0) {
+   if (rpc_cli->binding_handle == NULL) {
return RPCCLI_DEFAULT_TIMEOUT;
}
 
-   return old;
+   return dcerpc_binding_handle_set_timeout(rpc_cli->binding_handle,
+timeout);
 }
 
 bool rpccli_is_connected(struct rpc_pipe_client *rpc_cli)
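Review bot: The `old == 0 → RPCCLI_DEFAULT_TIMEOUT` normalisation removed at lines 211-214 no longer happens in `rpccli_set_timeout()`, so its result now depends on what `dcerpc_binding_handle_set_timeout()` returns for the handle's backend; the rpccli-backed callback (`rpccli_bh_set_timeout`, last hunk, truncated here) may reinstate it, but other backends — the commit message says internal pipes have no transport — could now return 0 to callers that previously never saw it. If that is intended, a comment on the function making the contract explicit would help: `/* Legacy wrapper: the previous timeout comes from the binding handle's backend and is only defaulted when there is no handle. Prefer dcerpc_binding_handle_set_timeout() directly. */`. The function's new `rpc_cli == NULL` guard at line 205 is the right addition for callers holding a NULL pipe.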
@@ -2182,11 +2176,11 @@ bool rpccli_is_connected(struct rpc_pipe_client 
*rpc_cli)
return false;
}
 
-   if (rpc_cli->transport == NULL) {
+   if (rpc_cli->binding_handle == NULL) {
return false;
}
 
-   return rpc_cli->transport->is_connected(rpc_cli->transport->priv);
+   return dcerpc_binding_handle_is_connected(rpc_cli->binding_handle);
 }
 
 struct rpccli_bh_state {
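Review bot: `rpccli_is_connected()` is now a thin wrapper around `dcerpc_binding_handle_is_connected()`, and the commit message says the wrapper itself should eventually be avoided, but nothing in the code says so; a deprecation comment above the function would steer new callers to the binding handle: `/* Legacy wrapper kept for existing callers; new code should call dcerpc_binding_handle_is_connected(cli->binding_handle) directly. */`. The function's opening guard, presumably `if (rpc_cli == NULL)`, starts above this hunk (lines 223-225 show only its `return false;`).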
@@ -2197,8 +2191,17 @@ static bool rpccli_bh_is_connected(struct 
dcerpc_binding_handle *h)
 {
struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
 struct rpccli_bh_state);
+   struct rpc_cli_transport *transport = hs->rpc_cli->transport;
+
+   if (transport == NULL) {
+   return false;
+   }
+
+   if (transport->is_connected == NULL) {
+   return false;
+   }
 
-   return rpccli_is_connected(hs->rpc_cli);
+   return transport->is_connected(transport->priv);
 }
 
 static uint32_t rpccli_bh_set_timeout(struct dcerpc_binding_handle *h,
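Review bot: `rpccli_bh_is_connected()` now dereferences `hs->rpc_cli->transport` at line 242 unconditionally, whereas the path it replaces went through `rpccli_is_connected()`, whose guard at lines 223-225 returns false for a NULL `rpc_cli`; if the binding handle can ever be queried after its `rpc_pipe_client` is freed or before it is set, this is a NULL dereference the old code did not have. A one-line guard restores the previous behaviour cheaply: `if (hs->rpc_cli == NULL) { return false; }` before the transport lookup. If `rpccli_bh_state.rpc_cli` is guaranteed non-NULL by the handle's constructor (not visible here), a comment stating that invariant on the struct is enough.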
@@ -2206,8 +2209,23 @@ static uint32_t rpccli_bh_set_timeout(struct 
dcerpc_binding_handle *h,
 {
struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
 struct rpccli_bh_state);
+   struct rpc_cli_transport *transport = hs->rpc_cli->transport;
+   unsigned int old;
 
-   return rpccli_set_timeout(hs->rpc_cli, timeout);
+   if (transport == NULL) {
+   return RPCCLI_DEFAULT_TIMEOUT;
+   }
+
+   if (transport->set_timeout == NULL) {
+   return RPCCLI_DEFAULT_TIMEOUT;
+   }
+
+   old =