[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a97c78fb221 lzxpress: add bounds checking to lzxpress_decompress() from f50987df038 winbind: directly use dcerpc_binding_handle_is_connected() in reset_connection_on_error() SAMR code https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a97c78fb221a2f1aaca2effdb44c51e4f78ddd93 Author: Stefan Metzmacher Date: Thu Nov 7 10:03:36 2019 +0100 lzxpress: add bounds checking to lzxpress_decompress() lzxpress_decompress() would wander past the end of the array in numerous locations. Credit to OSS-Fuzz. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14190 REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19382 REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083 REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22485 REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22667 Signed-off-by: Stefan Metzmacher Reviewed-by: Douglas Bagnall Autobuild-User(master): Douglas Bagnall Autobuild-Date(master): Sun Aug 9 00:30:26 UTC 2020 on sn-devel-184
--- Summary of changes: lib/compression/lzxpress.c | 32 ++-- 1 file changed, 30 insertions(+), 2 deletions(-) Changeset truncated at 500 lines:
diff --git a/lib/compression/lzxpress.c b/lib/compression/lzxpress.c
index 024aba4c2ce..d8326304455 100644
--- a/lib/compression/lzxpress.c
+++ b/lib/compression/lzxpress.c
@@ -252,8 +252,24 @@ ssize_t lzxpress_decompress(const uint8_t *input, offset = 0; nibble_index = 0; +#define __CHECK_BYTES(__size, __index, __needed) do { \ + if (unlikely(__index >= __size)) { \ + return -1; \ + } else { \ + uint32_t __avail = __size - __index; \ + if (unlikely(__needed > __avail)) { \ + return -1; \ + } \ + } \ +} while(0) +#define CHECK_INPUT_BYTES(__needed) \ + __CHECK_BYTES(input_size, input_index, __needed) +#define CHECK_OUTPUT_BYTES(__needed) \ + __CHECK_BYTES(max_output_size, output_index, __needed) + do { if (indicator_bit == 0) { + CHECK_INPUT_BYTES(4); indicator = PULL_LE_UINT32(input, input_index); input_index += sizeof(uint32_t); indicator_bit = 32;
@@ -266,10 +282,13 @@ ssize_t lzxpress_decompress(const uint8_t *input, * check whether the 4th bit of the value in indicator is set */ if (((indicator >> indicator_bit) & 1) == 0) { + CHECK_INPUT_BYTES(1); + CHECK_OUTPUT_BYTES(1); output[output_index] = input[input_index]; input_index += sizeof(uint8_t); output_index += sizeof(uint8_t); } else { + CHECK_INPUT_BYTES(2); length = PULL_LE_UINT16(input, input_index); input_index += sizeof(uint16_t); offset = length / 8;
@@ -277,6 +296,7 @@ ssize_t lzxpress_decompress(const uint8_t *input, if (length == 7) { if (nibble_index == 0) { + CHECK_INPUT_BYTES(1); nibble_index = input_index; length = input[input_index] % 16; input_index += sizeof(uint8_t);
@@ -286,9 +306,11 @@ ssize_t lzxpress_decompress(const uint8_t *input, } if (length == 15) { + CHECK_INPUT_BYTES(1); length = input[input_index]; input_index += sizeof(uint8_t); if (length == 255) { + CHECK_INPUT_BYTES(2); length = PULL_LE_UINT16(input, input_index); input_index += sizeof(uint16_t); length -= (15 + 7);
@@ -299,10 +321,16 @@ ssize_t lzxpress_decompress(const uint8_t *input, } length += 3; + if (length == 0) { + return -1; + } - do { - if ((output_index >= max_output_size) || ((offset + 1) > output_index)) break; + if (offset >= output_index) { + return -1; +
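Review bot: The new `__CHECK_BYTES` macro, its parameters `__size`, `__index`, `__needed` and the local `__avail` all begin with a double underscore, which the C standard reserves for the implementation; trailing-underscore names would avoid that, e.g. `#define CHECK_BYTES_(size_, index_, needed_) do { \`. The macro also performs a `return -1` from inside what reads like an ordinary statement at each call site, so a one-line comment above the define, `/* returns -1 from lzxpress_decompress() when fewer than needed bytes remain */`, would make that control flow visible. `uint32_t __avail = __size - __index;` silently narrows if `input_size` or `max_output_size` is declared wider than 32 bits; their types are outside the hunk, so that is worth confirming. Since the defines live inside the function body, a matching `#undef` at the end of lzxpress_decompress() would keep them from leaking into the rest of the translation unit; the function starts and ends outside this hunk.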
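Review bot: In the `length == 255` branch, `length -= (15 + 7);` follows `length = PULL_LE_UINT16(input, input_index);` without checking that the 16-bit value is at least 22; if `length` is unsigned (its declaration is outside the hunk) a smaller value wraps to a very large match length, and the only guard that follows is the `length == 0` test added in the next hunk. I would insert `if (length < (15 + 7)) { return -1; }` between the `input_index` update and the subtraction, so a malformed stream is rejected where it is detected instead of relying on the output-bounds checks in the copy loop. lzxpress_decompress() starts and ends outside this hunk.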
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f50987df038 winbind: directly use dcerpc_binding_handle_is_connected() in reset_connection_on_error() SAMR code via 19ef9c40f14 s3:rpc_client: reverse rpccli_{is_connected,set_timeout}() and rpccli_bh_{is_connected,set_timeout}() from 6a9c7859281 s3: libsmb: Cleanup - Remove the last use of a struct sockaddr_storage variable in dsgetdcname.c https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f50987df038846f0052d4c33bb534af9f2c79061 Author: Ralph Boehme Date: Fri Aug 7 12:07:28 2020 +0200 winbind: directly use dcerpc_binding_handle_is_connected() in reset_connection_on_error() SAMR code In the end we should avoid rpccli_is_connected(), rpccli_set_timeout() and the whole rpc_pipe_client concept. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14457 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Ralph Boehme Signed-off-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Sat Aug 8 10:59:38 UTC 2020 on sn-devel-184 commit 19ef9c40f14f91fcae6874d9f94540dd850e308b Author: Stefan Metzmacher Date: Fri Aug 7 15:57:15 2020 +0200 s3:rpc_client: reverse rpccli_{is_connected,set_timeout}() and rpccli_bh_{is_connected,set_timeout}() rpccli->transport should never be used directly, everything should go via the binding handle. Internal pipes don't have a transport, so p->transport is always NULL. rpccli_is_connected() checks this and this causes all SAMR and LSA requests for the local domain to be processed a second time by the triggered retry logic. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14457 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme
--- Summary of changes: source3/rpc_client/cli_pipe.c| 46 source3/winbindd/winbindd_samr.c | 3 ++- 2 files changed, 34 insertions(+), 15 deletions(-) Changeset truncated at 500 lines:
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 8227ef0b0bd..074d01828ad 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2158,22 +2158,16 @@ NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli, unsigned int rpccli_set_timeout(struct rpc_pipe_client *rpc_cli, unsigned int timeout) { - unsigned int old; - - if (rpc_cli->transport == NULL) { - return RPCCLI_DEFAULT_TIMEOUT; - } - - if (rpc_cli->transport->set_timeout == NULL) { + if (rpc_cli == NULL) { return RPCCLI_DEFAULT_TIMEOUT; } - old = rpc_cli->transport->set_timeout(rpc_cli->transport->priv, timeout); - if (old == 0) { + if (rpc_cli->binding_handle == NULL) { return RPCCLI_DEFAULT_TIMEOUT; } - return old; + return dcerpc_binding_handle_set_timeout(rpc_cli->binding_handle, +timeout); } bool rpccli_is_connected(struct rpc_pipe_client *rpc_cli)
@@ -2182,11 +2176,11 @@ bool rpccli_is_connected(struct rpc_pipe_client *rpc_cli) return false; } - if (rpc_cli->transport == NULL) { + if (rpc_cli->binding_handle == NULL) { return false; } - return rpc_cli->transport->is_connected(rpc_cli->transport->priv); + return dcerpc_binding_handle_is_connected(rpc_cli->binding_handle); } struct rpccli_bh_state {
@@ -2197,8 +2191,17 @@ static bool rpccli_bh_is_connected(struct dcerpc_binding_handle *h) { struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h, struct rpccli_bh_state); + struct rpc_cli_transport *transport = hs->rpc_cli->transport; + + if (transport == NULL) { + return false; + } + + if (transport->is_connected == NULL) { + return false; + } - return rpccli_is_connected(hs->rpc_cli); + return transport->is_connected(transport->priv); } static uint32_t rpccli_bh_set_timeout(struct dcerpc_binding_handle *h,
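Review bot: The rewritten rpccli_set_timeout() no longer maps a zero result to RPCCLI_DEFAULT_TIMEOUT: the removed `if (old == 0)` fallback is gone and the value from dcerpc_binding_handle_set_timeout() is returned unchanged, so a caller that previously never saw 0 now can. If that fallback is meant to live in rpccli_bh_set_timeout() instead, whose new body is cut off in the last hunk, a comment on the return line such as `/* a 0 result is no longer mapped to RPCCLI_DEFAULT_TIMEOUT here */` would make the changed contract explicit; otherwise I would reinstate the mapping before returning. The function is complete within this hunk.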
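Review bot: `struct rpc_cli_transport *transport = hs->rpc_cli->transport;` in rpccli_bh_is_connected() dereferences hs->rpc_cli unconditionally, whereas the removed call into rpccli_is_connected() went through that function's NULL check on rpc_cli (the `return false;` at the top of the previous hunk appears to be its tail). If a binding handle's state can ever carry a NULL rpc_cli, a guard `if (hs->rpc_cli == NULL) { return false; }` before the transport lookup preserves the old behaviour; if it cannot, a short comment stating that invariant would document why the check was dropped. The signature of rpccli_bh_is_connected() is on the hunk header line, outside the hunk itself.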
@@ -2206,8 +2209,23 @@ static uint32_t rpccli_bh_set_timeout(struct dcerpc_binding_handle *h, { struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h, struct rpccli_bh_state); + struct rpc_cli_transport *transport = hs->rpc_cli->transport; + unsigned int old; - return rpccli_set_timeout(hs->rpc_cli, timeout); + if (transport == NULL) { + return RPCCLI_DEFAULT_TIMEOUT; + } + + if (transport->set_timeout == NULL) { + return RPCCLI_DEFAULT_TIMEOUT; + } + + old =