From 39b2f56f2545d78f75cb8be1b18fa7f2906e70ac Mon Sep 17 00:00:00 2001
From: Christian Ambach
Date: Tue, 4 Nov 2014 23:47:26 +0100
Subject: [PATCH 1/3] s3:registry/regfio read SD from the correct location

try to find the security descriptor at the data pointer, not at the beginning of the hbin
Bug: https://bugzilla.samba.org/show_bug.cgi?id=9629
Signed-off-by: Christian Ambach
Reviewed-by: Stefan Metzmacher
(cherry picked from commit 217a0189c15761f6c7b24c9d7bfdbccf85de8e1d)
---
 source3/registry/regfio.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/source3/registry/regfio.c b/source3/registry/regfio.c
index fe80094..b32bf03 100644
--- a/source3/registry/regfio.c
+++ b/source3/registry/regfio.c
@@ -768,8 +768,10 @@ static bool hbin_prs_sk_rec( const char *desc, REGF_HBIN *hbin, int depth, REGF_
 if (!prs_copy_data_in(&hbin->ps, (const char *)blob.data, blob.length))
 return False;
 } else {
- blob = data_blob_const(prs_data_p(&hbin->ps),
- prs_data_size(&hbin->ps));
+ blob = data_blob_const(
+ prs_data_p(&hbin->ps) + prs_offset(&hbin->ps),
+ prs_data_size(&hbin->ps) - prs_offset(&hbin->ps)
+ );
 status = unmarshall_sec_desc(mem_ctx, blob.data, blob.length, &sk->sec_desc);
-- 
1.9.1

From e3b6173be08a0d6803f9c406742cf89a5983513e Mon Sep 17 00:00:00 2001
From: Christian Ambach
Date: Tue, 4 Nov 2014 23:50:07 +0100
Subject: [PATCH 2/3] s3:registry/regfio fix some valgrind warnings

Signed-off-by: Christian Ambach
Reviewed-by: Stefan Metzmacher
(cherry picked from commit 4b41489901b7f1a78ffd479128c3e0d309e53b53)
---
 source3/registry/regfio.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source3/registry/regfio.c b/source3/registry/regfio.c
index b32bf03..e49de26 100644
--- a/source3/registry/regfio.c
+++ b/source3/registry/regfio.c
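Review bot: The new blob length is everything left in the hbin (`prs_data_size - prs_offset`), not the size of the SK record being parsed, so unmarshall_sec_desc is handed bytes belonging to whatever follows the descriptor; hive files are external input, so the parse should be bounded by the record's own size field if it has already been read at this point (not visible in the hunk), e.g. `MIN(sk->size, prs_data_size(&hbin->ps) - prs_offset(&hbin->ps))`. The subtraction also assumes `prs_offset` never exceeds `prs_data_size`; if both are unsigned, a guard `if (prs_offset(&hbin->ps) > prs_data_size(&hbin->ps)) return False;` ahead of it prevents an underflowed length from reaching the parser. hbin_prs_sk_rec starts and ends outside the hunk.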
@@ -1741,7 +1741,7 @@ static bool create_vk_record(REGF_FILE *file, REGF_VK_REC *vk,
 /* make sure we don't try to copy from a NULL value pointer */
 if ( vk->data_size != 0 )
- memcpy( &vk->data_off, regval_data_p(value), sizeof(uint32) );
+ memcpy( &vk->data_off, regval_data_p(value), vk->data_size);
 vk->data_size |= VK_DATA_IN_OFFSET;
 }
@@ -1806,7 +1806,7 @@ static int hashrec_cmp( REGF_HASH_REC *h1, REGF_HASH_REC *h2 )
 REGF_HASH_REC *hash = &parent->subkeys.hashes[parent->subkey_index];
 hash->nk_off = prs_offset( &nk->hbin->ps ) + nk->hbin->first_hbin_off - HBIN_HDR_SIZE;
- memcpy( hash->keycheck, name, sizeof(uint32) );
+ memcpy(hash->keycheck, name, MIN(strlen(name),sizeof(uint32)));
 hash->fullname = talloc_strdup( file->mem_ctx, name );
 parent->subkey_index++;
-- 
1.9.1

From f1860633f2c226e6ed351581b872ebce83671329 Mon Sep 17 00:00:00 2001
From: Christian Ambach
Date: Tue, 4 Nov 2014 23:51:23 +0100
Subject: [PATCH 3/3] s3:utils/profiles fix a use after free

path is a talloc-child of subkeys, so subkeys should not be freed before calling verbose_output
Signed-off-by: Christian Ambach
Reviewed-by: Stefan Metzmacher
Autobuild-User(master): Christian Ambach
Autobuild-Date(master): Wed Dec 3 00:43:19 CET 2014 on sn-devel-104
(cherry picked from commit 3b90bfb1089e6a4b7e05e7ed62bb642521f57917)
---
 source3/utils/profiles.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/source3/utils/profiles.c b/source3/utils/profiles.c
index 0f274ad..22c8f72 100644
--- a/source3/utils/profiles.c
+++ b/source3/utils/profiles.c
@@ -189,12 +189,12 @@ static bool copy_registry_tree( REGF_FILE *infile, REGF_NK_REC *nk,
 }
 }
- /* values is a talloc()'d child of subkeys here so just throw it all away */
-
- TALLOC_FREE( subkeys );
 verbose_output("[%s]\n", path);
+ /* values is a talloc()'d child of subkeys here so just throw it all away */
+ TALLOC_FREE(subkeys);
+
 return True;
 }
-- 
1.9.1
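Review bot: The copy length is now taken from `vk->data_size`, but the destination `&vk->data_off` appears to be a single uint32 field (the old code copied exactly `sizeof(uint32)` into it), so the line is only safe while the enclosing branch guarantees `vk->data_size <= sizeof(uint32)`; that guard, if present, is outside the hunk, and create_vk_record starts and ends outside it as well. Clamping at the write site keeps the invariant visible where it matters: `memcpy( &vk->data_off, regval_data_p(value), MIN(vk->data_size, sizeof(vk->data_off)) );`. A comment such as `/* inline value: at most sizeof(data_off) bytes are stored in the offset field */` would document why the length is trusted here.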
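Review bot: With the copy length clamped to `strlen(name)`, a key name shorter than four bytes leaves the tail of `hash->keycheck` untouched, so whatever the hashes array held before (uninitialized heap if it is not zeroed at allocation, which is not visible here) is later written into the output hive as part of the hash record. Zeroing the field before the copy makes the record content deterministic and independent of allocator state: `memset(hash->keycheck, 0, sizeof(uint32));` ahead of the memcpy. The enclosing function starts and ends outside the hunk.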
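Review bot: The comment moved alongside `TALLOC_FREE(subkeys)` still explains only why `values` can be dropped, while the reason the free now has to come after verbose_output (path being a talloc child of subkeys, as the commit message says) is recorded nowhere in the code, so a later reorder could reintroduce the use-after-free this commit fixes. Suggest widening the comment to `/* values and path are talloc()'d children of subkeys, so free it only after the last use of path */`. copy_registry_tree starts outside the hunk.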