From a8e5c4f519f8b3b107e8bf1b8f0348db407efef5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Tue, 8 May 2018 13:46:11 +0200 Subject: [PATCH 01/15] s3-printing: fix format-truncation in print_queue_update() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ../source3/printing/printing.c: In function ‘print_queue_update’: ../source3/printing/printing.c:1809:42: error: ‘%s’ directive output may be truncated writing up to 255 bytes into a region of size 244 [-Werror=format-truncation=] snprintf(key, sizeof(key), "MSG_PENDING/%s", sharename); ^~ ~~~~~~~~~ ../source3/printing/printing.c:1809:2: note: ‘snprintf’ output between 13 and 268 bytes into a destination of size 256 snprintf(key, sizeof(key), "MSG_PENDING/%s", sharename); BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437 Guenther Signed-off-by: Guenther Deschner Reviewed-by: Andreas Schneider (cherry picked from commit 6326b3415f3e225aafd5912d0965c80abcd7b22c) --- source3/printing/printing.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/printing/printing.c b/source3/printing/printing.c index c6c42f3b0b1..ed5f489e461 100644 --- a/source3/printing/printing.c +++ b/source3/printing/printing.c @@ -1694,7 +1694,7 @@ extern pid_t background_lpq_updater_pid; static void print_queue_update(struct messaging_context *msg_ctx, int snum, bool force) { - fstring key; + char key[268]; fstring sharename; char *lpqcommand = NULL; char *lprmcommand = NULL; -- 2.17.1 From 68ca0087af87857013f583b0ab8394101a41c685 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Tue, 8 May 2018 13:54:53 +0200 Subject: [PATCH 02/15] s4-torture: fix format-truncation warning in smb2 session tests. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ../source4/torture/smb2/session.c: In function ‘test_session_reauth5’: ../source4/torture/smb2/session.c:645:36: error: ‘\file.dat’ directive output may be truncated writing 9 bytes into a region of size between 1 and 256 [-Werror=format-truncation=] snprintf(fname, sizeof(fname), "%s\\file.dat", dname); ^~~~~~~~~~ ../source4/torture/smb2/session.c:645:2: note: ‘snprintf’ output between 10 and 265 bytes into a destination of size 256 snprintf(fname, sizeof(fname), "%s\\file.dat", dname); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ../source4/torture/smb2/session.c:696:38: error: ‘\file2.dat’ directive output may be truncated writing 10 bytes into a region of size between 1 and 256 [-Werror=format-truncation=] snprintf(fname2, sizeof(fname2), "%s\\file2.dat", dname); ^~~~~~~~~~~ ../source4/torture/smb2/session.c:696:2: note: ‘snprintf’ output between 11 and 266 bytes into a destination of size 256 snprintf(fname2, sizeof(fname2), "%s\\file2.dat", dname); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cc1: some warnings being treated as errors BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437 Guenther Signed-off-by: Guenther Deschner Reviewed-by: Andreas Schneider (cherry picked from commit 5729898248041794ffdd0b769332e015baf12cce) --- source4/torture/smb2/session.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c index 22073ed0587..1a76ac77c98 100644 --- a/source4/torture/smb2/session.c +++ b/source4/torture/smb2/session.c @@ -616,7 +616,7 @@ bool test_session_reauth5(struct torture_context *tctx, struct smb2_tree *tree) { NTSTATUS status; TALLOC_CTX *mem_ctx = talloc_new(tctx); - char dname[256]; + char dname[128]; char fname[256]; char fname2[256]; struct smb2_handle _dh1; -- 2.17.1 From 27b088d73228cf6400a639a988546ad47acc2330 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Tue, 8 May 2018 14:13:56 +0200 Subject: [PATCH 03/15] s3-utils: fix format-truncation in smbpasswd MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ../source3/utils/smbpasswd.c: In function ‘process_root’: ../source3/utils/smbpasswd.c:414:37: error: ‘$’ directive output may be truncated writing 1 byte into a region of size between 0 and 255 [-Werror=format-truncation=] slprintf(buf, sizeof(buf) - 1, "%s$", user_name); ^ In file included from ../source3/include/includes.h:23, from ../source3/utils/smbpasswd.c:19: ../lib/replace/../replace/replace.h:514:18: note: ‘snprintf’ output between 2 and 257 bytes into a destination of size 255 #define slprintf snprintf ../source3/utils/smbpasswd.c:414:3: note: in expansion of macro ‘slprintf’ slprintf(buf, sizeof(buf) - 1, "%s$", user_name); ^~~~~~~~ ../source3/utils/smbpasswd.c:397:35: error: ‘$’ directive output may be truncated writing 1 byte into a region of size between 0 and 255 [-Werror=format-truncation=] slprintf(buf, sizeof(buf)-1, "%s$", user_name); ^ In file included from ../source3/include/includes.h:23, from ../source3/utils/smbpasswd.c:19: ../lib/replace/../replace/replace.h:514:18: note: ‘snprintf’ output between 2 and 257 bytes into a destination of size 255 #define slprintf snprintf ../source3/utils/smbpasswd.c:397:3: note: in expansion of macro ‘slprintf’ slprintf(buf, sizeof(buf)-1, "%s$", user_name); ^~~~~~~~ cc1: some warnings being treated as errors BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437 Pair-Programmed-With: Andreas Schneider Signed-off-by: Guenther Deschner Signed-off-by: Andreas Schneider (cherry picked from commit 9b6dc8f504c406ed8a044e5becca7e8f01da6c84) --- source3/utils/smbpasswd.c | 49 +++++++++++++++++++++------------------ 1 file changed, 26 insertions(+), 23 deletions(-) diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c index fb7ad283995..88847be6432 100644 --- a/source3/utils/smbpasswd.c +++ b/source3/utils/smbpasswd.c @@ -368,36 +368,44 @@ static int process_root(int local_flags) if (local_flags & LOCAL_TRUST_ACCOUNT) { /* add the $ automatically */ - static fstring buf; + size_t user_name_len = strlen(user_name); - /* - * Remove any trailing '$' before we - * generate the initial machine password. - */ - - if (user_name[strlen(user_name)-1] == '$') { - user_name[strlen(user_name)-1] = 0; + if (user_name[user_name_len - 1] == '$') { + user_name_len--; + } else { + if (user_name_len + 2 > sizeof(user_name)) { + fprintf(stderr, "machine name too long\n"); + exit(1); + } + user_name[user_name_len] = '$'; + user_name[user_name_len + 1] = '\0'; } if (local_flags & LOCAL_ADD_USER) { SAFE_FREE(new_passwd); - new_passwd = smb_xstrdup(user_name); + + /* + * Remove any trailing '$' before we + * generate the initial machine password. + */ + new_passwd = smb_xstrndup(user_name, user_name_len); if (!strlower_m(new_passwd)) { fprintf(stderr, "strlower_m %s failed\n", new_passwd); exit(1); } } - - /* - * Now ensure the username ends in '$' for - * the machine add. - */ - - slprintf(buf, sizeof(buf)-1, "%s$", user_name); - strlcpy(user_name, buf, sizeof(user_name)); } else if (local_flags & LOCAL_INTERDOM_ACCOUNT) { - static fstring buf; + size_t user_name_len = strlen(user_name); + + if (user_name[user_name_len - 1] != '$') { + if (user_name_len + 2 > sizeof(user_name)) { + fprintf(stderr, "machine name too long\n"); + exit(1); + } + user_name[user_name_len] = '$'; + user_name[user_name_len + 1] = '\0'; + } if ((local_flags & LOCAL_ADD_USER) && (new_passwd == NULL)) { /* @@ -409,11 +417,6 @@ static int process_root(int local_flags) exit(1); } } - - /* prepare uppercased and '$' terminated username */ - slprintf(buf, sizeof(buf) - 1, "%s$", user_name); - strlcpy(user_name, buf, sizeof(user_name)); - } else { if (remote_machine != NULL) { -- 2.17.1 From d998f9bc06fadd7e5efe8cef7e1fec32adffca52 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 9 May 2018 17:35:45 +0200 Subject: [PATCH 04/15] s4:torture: Use strlcpy() in gen_name() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ../source4/torture/basic/mangle_test.c: In function ‘gen_name’: ../source4/torture/basic/mangle_test.c:148:3: error: ‘strncpy’ output truncated before terminating nul copying 5 bytes from a string of the same length [-Werror=stringop-truncation] strncpy(p, "ABCDE", 5); ^~~~~~~~~~~~~~~~~~~~~~ BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner (cherry picked from commit 7a00d90d668f53914ffe035c41a5e79e60b51521) --- source4/torture/basic/mangle_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/torture/basic/mangle_test.c b/source4/torture/basic/mangle_test.c index 0b7d696e677..df12b3ce821 100644 --- a/source4/torture/basic/mangle_test.c +++ b/source4/torture/basic/mangle_test.c @@ -145,7 +145,7 @@ static char *gen_name(TALLOC_CTX *mem_ctx) /* and a medium probability of a common lead string */ if ((len > 5) && (random() % 10 == 0)) { - strncpy(p, "ABCDE", 5); + strlcpy(p, "ABCDE", 6); } /* and a high probability of a good extension length */ -- 2.17.1 From 41030b6a0878532d9374b262339d78dbf2708e00 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 9 May 2018 17:29:39 +0200 Subject: [PATCH 05/15] s3:lib: Use memcpy() in escape_ldap_string() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ../source3/lib/ldap_escape.c: In function ‘escape_ldap_string’: ../source3/lib/ldap_escape.c:79:4: error: ‘strncpy’ output truncated before terminating nul copying 3 bytes from a string of the same length [-Werror=stringop-truncation] strncpy (p, sub, 3); ^~~~~~~~~~~~~~~~~~~ We concatenat and do not care about NUL-termination till the loop has finished. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner (cherry picked from commit ff7568daaeb19ff30f47f7f600ead247eaf4e826) --- source3/lib/ldap_escape.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/lib/ldap_escape.c b/source3/lib/ldap_escape.c index fa75dabcae6..0d2b8f5fe01 100644 --- a/source3/lib/ldap_escape.c +++ b/source3/lib/ldap_escape.c @@ -76,7 +76,7 @@ char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s) output = tmp; p = &output[i]; - strncpy (p, sub, 3); + memcpy(p, sub, 3); p += 3; i += 3; -- 2.17.1 From c8c7274ff857c6bc84c76114bb6ec54e60c1d1b1 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 9 May 2018 18:05:01 +0200 Subject: [PATCH 06/15] s3:passdb: Fix size of ascii_p16 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ../source3/passdb/pdb_smbpasswd.c: In function ‘mod_smbfilepwd_entry’: ../source3/passdb/pdb_smbpasswd.c:1015:7: error: ‘:LCT-’ directive output may be truncated writing 5 bytes into a region of size between 0 and 255 [-Werror=format-truncat ion=] "%s:LCT-%08X:", ^~~~~ ../source3/passdb/pdb_smbpasswd.c:1015:4: note: using the range [0, 4294967295] for directive argument "%s:LCT-%08X:", ^~~~~~~~~~~~~~ In file included from ../source3/include/includes.h:23, from ../source3/passdb/pdb_smbpasswd.c:23: ../lib/replace/../replace/replace.h:514:18: note: ‘snprintf’ output between 15 and 270 bytes into a destination of size 255 #define slprintf snprintf ../source3/passdb/pdb_smbpasswd.c:1013:3: note: in expansion of macro ‘slprintf’ slprintf(&ascii_p16[strlen(ascii_p16)], ^~~~~~~~ BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner (cherry picked from commit 728297ca889b39ce2006778bf6a5bf1c3ce82d6d) --- source3/passdb/pdb_smbpasswd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/passdb/pdb_smbpasswd.c b/source3/passdb/pdb_smbpasswd.c index 9c381471dda..ec184caf3db 100644 --- a/source3/passdb/pdb_smbpasswd.c +++ b/source3/passdb/pdb_smbpasswd.c @@ -741,7 +741,7 @@ static bool mod_smbfilepwd_entry(struct smbpasswd_privates *smbpasswd_state, con char linebuf[LINEBUF_SIZE + 1]; char readbuf[1024]; int c; - fstring ascii_p16; + char ascii_p16[FSTRING_LEN + 20]; fstring encode_bits; unsigned char *p = NULL; size_t linebuf_len = 0; -- 2.17.1 From e51c8096338428cf582232740f89ed24fa45df19 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 9 May 2018 17:52:19 +0200 Subject: [PATCH 07/15] lib:util: Fix parameter aliasing in tfork test ../lib/util/tests/tfork.c:483:24: error: passing argument 1 to restrict-qualified parameter aliases with argument 4 [-Werror=restrict] ret = pthread_create(&threads[i], ^~~~~~~~~~~ ../lib/util/tests/tfork.c:486:10: (void *)&threads[i]); ~~~~~~~~~~~~~~~~~~~ BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner (cherry picked from commit 6f06a0154f5769cb85f6e189eecd78cd7805090a) --- lib/util/tests/tfork.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/lib/util/tests/tfork.c b/lib/util/tests/tfork.c index 9bcdc2f3d6d..3c73355b3f0 100644 --- a/lib/util/tests/tfork.c +++ b/lib/util/tests/tfork.c @@ -417,8 +417,7 @@ static void *tfork_thread(void *p) struct tfork *t = NULL; int status; pid_t child; - pthread_t *ptid = (pthread_t *)p; - uint64_t tid; + uint64_t tid = (uint64_t)pthread_self(); uint64_t *result = NULL; int up[2]; ssize_t nread; @@ -429,8 +428,6 @@ static void *tfork_thread(void *p) pthread_exit(NULL); } - tid = (uint64_t)*ptid; - t = tfork_create(); if (t == NULL) { pthread_exit(NULL); @@ -480,7 +477,7 @@ static bool test_tfork_threads(struct torture_context *tctx) #endif for (i = 0; i < num_threads; i++) { - ret = pthread_create(&threads[i], NULL, tfork_thread, &threads[i]); + ret = pthread_create(&threads[i], NULL, tfork_thread, NULL); torture_assert_goto(tctx, ret == 0, ok, done, "pthread_create failed\n"); } -- 2.17.1 From e5cea6342fb5242075fb2f4747e94192649fc125 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 15 May 2018 17:55:22 +0200 Subject: [PATCH 08/15] s4:ntvfs: Fix string copy of share_name MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ../source4/ntvfs/ipc/rap_server.c:70:3: error: ‘strncpy’ specified bound 13 equals destination size [-Werror=stringop-truncation] strncpy((char *)r->out.info[j].info1.share_name, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ snames[i], ~~~~~~~~~~ sizeof(r->out.info[0].info1.share_name)); ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner (cherry picked from commit 609ef35c12900bbd5ecaa557f7b5d71b5784a103) --- source4/ntvfs/ipc/rap_server.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/source4/ntvfs/ipc/rap_server.c b/source4/ntvfs/ipc/rap_server.c index 3a133f568da..fc2d3aa611d 100644 --- a/source4/ntvfs/ipc/rap_server.c +++ b/source4/ntvfs/ipc/rap_server.c @@ -63,13 +63,18 @@ NTSTATUS rap_netshareenum(TALLOC_CTX *mem_ctx, union rap_share_info, r->out.available); for (i = 0, j = 0; i < r->out.available; i++) { + size_t sname_len; + if (!NT_STATUS_IS_OK(share_get_config(mem_ctx, sctx, snames[i], &scfg))) { DEBUG(3, ("WARNING: Service [%s] disappeared after enumeration!\n", snames[i])); continue; } - strncpy((char *)r->out.info[j].info1.share_name, + /* Make sure we have NUL-termination */ + sname_len = MIN(strlen(snames[i]), + sizeof(r->out.info[j].info1.share_name)); + strlcpy((char *)r->out.info[j].info1.share_name, snames[i], - sizeof(r->out.info[0].info1.share_name)); + sname_len); r->out.info[i].info1.reserved1 = 0; r->out.info[i].info1.share_type = dcesrv_common_get_share_type(mem_ctx, NULL, scfg); r->out.info[i].info1.comment = share_string_option(mem_ctx, scfg, SHARE_COMMENT, ""); -- 2.17.1 From dd116c11d98060468cb52d30782241557eaaa402 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 16 May 2018 13:59:55 +0200 Subject: [PATCH 09/15] lib: Fix array size in audit_logging MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ../lib/audit_logging/audit_logging.c: In function ‘json_add_timestamp’: ../lib/audit_logging/audit_logging.c:603:12: error: ‘%s’ directive output may be truncated writing up to 9 bytes into a region of size between 0 and 43 [-Werror=format-truncation=] "%s.%06ld%s", ^~ ../lib/audit_logging/audit_logging.c:606:3: tz); ~~ ../lib/audit_logging/audit_logging.c:600:2: note: ‘snprintf’ output between 8 and 70 bytes into a destination of size 50 snprintf( ^~~~~~~~~ timestamp, ~~~~~~~~~~ sizeof(timestamp), ~~~~~~~~~~~~~~~~~~ "%s.%06ld%s", ~~~~~~~~~~~~~ buffer, ~~~~~~~ tv.tv_usec, ~~~~~~~~~~~ tz); ~~~ BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner (cherry picked from commit 8b7c8eb3907e2123acee67949e88c26072afc81a) --- auth/auth_log.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auth/auth_log.c b/auth/auth_log.c index d4c6c445bed..72d8f818396 100644 --- a/auth/auth_log.c +++ b/auth/auth_log.c @@ -350,7 +350,7 @@ static void add_version(struct json_context *context, int major, int minor) static void add_timestamp(struct json_context *context) { char buffer[40]; /* formatted time less usec and timezone */ - char timestamp[50]; /* the formatted ISO 8601 time stamp */ + char timestamp[65]; /* the formatted ISO 8601 time stamp */ char tz[10]; /* formatted time zone */ struct tm* tm_info; /* current local time */ struct timeval tv; /* current system time */ -- 2.17.1 From 139731e221f0b69c69cda4bb75f519bb76a04f82 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 13 Jun 2018 17:56:59 +0200 Subject: [PATCH 10/15] s3:libnet: Fix format-truncation warning in samsync_ldif MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit error: ‘%s’ directive output may be truncated writing up to 255 bytes into a region of size 250 [-Werror=format-truncation=] snprintf(homedir, sizeof(homedir), "/home/%s", username); ^~ ~~~~~~~~ BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner --- source3/libnet/libnet_samsync_ldif.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/source3/libnet/libnet_samsync_ldif.c b/source3/libnet/libnet_samsync_ldif.c index 170231636e0..e45a755a027 100644 --- a/source3/libnet/libnet_samsync_ldif.c +++ b/source3/libnet/libnet_samsync_ldif.c @@ -646,7 +646,8 @@ static NTSTATUS fetch_account_info_to_ldif(TALLOC_CTX *mem_ctx, const char *suffix, int alloced) { - fstring username, logonscript, homedrive, homepath = "", homedir = ""; + fstring username, logonscript, homedrive, homepath = ""; + char homedir[262] = {0}; fstring hex_nt_passwd, hex_lm_passwd; fstring description, profilepath, fullname, sambaSID; char *flags, *user_rdn; -- 2.17.1 From 25f8924e8511aa6490f3a49c73f945f3bda27366 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Tue, 8 May 2018 11:18:56 +0200 Subject: [PATCH 11/15] s3-winbindd: use fill_domain_username_talloc() in winbind. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437 Guenther Signed-off-by: Guenther Deschner Reviewed-by: Andreas Schneider (cherry picked from commit 3c6481d75cea175d0a69988577163efb40e2316b) --- source3/winbindd/wb_getpwsid.c | 15 ++++++++++++--- source3/winbindd/wb_query_user_list.c | 9 ++++++--- source3/winbindd/winbindd_group.c | 12 ++++++++---- source3/winbindd/winbindd_list_groups.c | 14 ++++++++++---- source3/winbindd/winbindd_pam.c | 13 ++++++++++--- 5 files changed, 46 insertions(+), 17 deletions(-) diff --git a/source3/winbindd/wb_getpwsid.c b/source3/winbindd/wb_getpwsid.c index 0e5835598eb..0595034123c 100644 --- a/source3/winbindd/wb_getpwsid.c +++ b/source3/winbindd/wb_getpwsid.c @@ -63,7 +63,8 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq) req, struct wb_getpwsid_state); struct winbindd_pw *pw = state->pw; struct wbint_userinfo *info; - fstring acct_name, output_username; + fstring acct_name; + const char *output_username = NULL; char *mapped_name = NULL; char *tmp; NTSTATUS status; @@ -95,16 +96,24 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq) acct_name, &mapped_name); if (NT_STATUS_IS_OK(status)) { - fill_domain_username(output_username, + output_username = fill_domain_username_talloc(state, info->domain_name, mapped_name, true); + if (output_username == NULL) { + tevent_req_nterror(req, NT_STATUS_NO_MEMORY); + return; + } fstrcpy(acct_name, mapped_name); } else if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) { fstrcpy(acct_name, mapped_name); } else { - fill_domain_username(output_username, + output_username = fill_domain_username_talloc(state, info->domain_name, acct_name, true); + if (output_username == NULL) { + tevent_req_nterror(req, NT_STATUS_NO_MEMORY); + return; + } } strlcpy(pw->pw_name, output_username, sizeof(pw->pw_name)); diff --git a/source3/winbindd/wb_query_user_list.c b/source3/winbindd/wb_query_user_list.c index 3c18080e847..6d699875e9b 100644 --- a/source3/winbindd/wb_query_user_list.c +++ b/source3/winbindd/wb_query_user_list.c @@ -104,11 +104,14 @@ static void wb_query_user_list_done(struct tevent_req *subreq) for (i=0; inames.num_principals; i++) { struct wbint_Principal *p = &state->names.principals[i]; - fstring name; + const char *name; int ret; - fill_domain_username(name, state->domain_name, p->name, true); - + name = fill_domain_username_talloc(state, state->domain_name, p->name, true); + if (name == NULL) { + tevent_req_nterror(req, NT_STATUS_NO_MEMORY); + return; + } ret = strv_add(state, &state->users, name); if (ret != 0) { tevent_req_nterror(req, map_nt_error_from_unix(ret)); diff --git a/source3/winbindd/winbindd_group.c b/source3/winbindd/winbindd_group.c index ec95bf404a2..098d2f69113 100644 --- a/source3/winbindd/winbindd_group.c +++ b/source3/winbindd/winbindd_group.c @@ -33,7 +33,7 @@ bool fill_grent(TALLOC_CTX *mem_ctx, struct winbindd_gr *gr, const char *dom_name, const char *gr_name, gid_t unix_gid) { - fstring full_group_name; + const char *full_group_name; char *mapped_name = NULL; NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; @@ -42,19 +42,23 @@ bool fill_grent(TALLOC_CTX *mem_ctx, struct winbindd_gr *gr, /* Basic whitespace replacement */ if (NT_STATUS_IS_OK(nt_status)) { - fill_domain_username(full_group_name, dom_name, + full_group_name = fill_domain_username_talloc(mem_ctx, dom_name, mapped_name, true); } /* Mapped to an aliase */ else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_FILE_RENAMED)) { - fstrcpy(full_group_name, mapped_name); + full_group_name = mapped_name; } /* no change */ else { - fill_domain_username( full_group_name, dom_name, + full_group_name = fill_domain_username_talloc(mem_ctx, dom_name, gr_name, True ); } + if (full_group_name == NULL) { + return false; + } + gr->gr_gid = unix_gid; /* Group name and password */ diff --git a/source3/winbindd/winbindd_list_groups.c b/source3/winbindd/winbindd_list_groups.c index 3b5c9dd60e7..03caef3ba96 100644 --- a/source3/winbindd/winbindd_list_groups.c +++ b/source3/winbindd/winbindd_list_groups.c @@ -166,10 +166,13 @@ NTSTATUS winbindd_list_groups_recv(struct tevent_req *req, struct winbindd_list_groups_domstate *d = &state->domains[i]; for (j=0; jgroups.num_principals; j++) { - fstring name; - fill_domain_username(name, d->domain->name, + const char *name; + name = fill_domain_username_talloc(response, d->domain->name, d->groups.principals[j].name, True); + if (name == NULL) { + return NT_STATUS_NO_MEMORY; + } len += strlen(name)+1; } response->data.num_entries += d->groups.num_principals; @@ -185,11 +188,14 @@ NTSTATUS winbindd_list_groups_recv(struct tevent_req *req, struct winbindd_list_groups_domstate *d = &state->domains[i]; for (j=0; jgroups.num_principals; j++) { - fstring name; + const char *name; size_t this_len; - fill_domain_username(name, d->domain->name, + name = fill_domain_username_talloc(response, d->domain->name, d->groups.principals[j].name, True); + if (name == NULL) { + return NT_STATUS_NO_MEMORY; + } this_len = strlen(name); memcpy(result+len, name, this_len); len += this_len; diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 8abd8f07e02..7660793fa66 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -159,7 +159,7 @@ static NTSTATUS append_unix_username(TALLOC_CTX *mem_ctx, /* We've been asked to return the unix username, per 'winbind use default domain' settings and the like */ - const char *nt_username, *nt_domain; + const char *nt_username, *nt_domain, *unix_username; nt_domain = talloc_strdup(mem_ctx, info3->base.logon_domain.string); if (!nt_domain) { @@ -175,8 +175,15 @@ static NTSTATUS append_unix_username(TALLOC_CTX *mem_ctx, nt_username = name_user; } - fill_domain_username(resp->data.auth.unix_username, - nt_domain, nt_username, true); + unix_username = fill_domain_username_talloc(mem_ctx, + nt_domain, + nt_username, + true); + if (unix_username == NULL) { + return NT_STATUS_NO_MEMORY; + } + + fstrcpy(resp->data.auth.unix_username, unix_username); DEBUG(5, ("Setting unix username to [%s]\n", resp->data.auth.unix_username)); -- 2.17.1 From f6eb3555ab50235d94d1a9f35d50f3a288576a8d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Tue, 8 May 2018 11:19:42 +0200 Subject: [PATCH 12/15] s3-winbindd: remove unused fill_domain_username() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437 Guenther Signed-off-by: Guenther Deschner Reviewed-by: Andreas Schneider (cherry picked from commit b24d4eb7afad82afc3a9bab65e1d799edc4b5172) --- source3/winbindd/winbindd_proto.h | 1 - source3/winbindd/winbindd_util.c | 20 -------------------- 2 files changed, 21 deletions(-) diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index 25fae5fe939..3ff9121f348 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h @@ -488,7 +488,6 @@ bool parse_domain_user(const char *domuser, fstring domain, fstring user); bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser, char **domain, char **user); bool canonicalize_username(fstring username_inout, fstring domain, fstring user); -void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume); char *fill_domain_username_talloc(TALLOC_CTX *ctx, const char *domain, const char *user, diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index 2db8eaaf8ab..fbacf3ee99b 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -1190,26 +1190,6 @@ bool canonicalize_username(fstring username_inout, fstring domain, fstring user) We always canonicalize as UPPERCASE DOMAIN, lowercase username. */ -void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume) -{ - fstring tmp_user; - - if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) { - can_assume = false; - } - - fstrcpy(tmp_user, user); - (void)strlower_m(tmp_user); - - if (can_assume && assume_domain(domain)) { - strlcpy(name, tmp_user, sizeof(fstring)); - } else { - slprintf(name, sizeof(fstring) - 1, "%s%c%s", - domain, *lp_winbind_separator(), - tmp_user); - } -} - /** * talloc version of fill_domain_username() * return NULL on talloc failure. -- 2.17.1 From c76be5a7bba9b13ee936be70ac20525d879fd19d Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 18 Jun 2018 10:24:06 +0200 Subject: [PATCH 13/15] samdb: Fix build error with gcc8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ../source4/dsdb/samdb/ldb_modules/samldb.c: In function ‘samldb_add’: ../source4/dsdb/samdb/ldb_modules/samldb.c:424:6: error: ‘found’ may be used uninitialized in this function [-Werror=maybe-uninitialized] if (found) { ^ ../source4/dsdb/samdb/ldb_modules/samldb.c:348:11: note: ‘found’ was declared here bool ok, found; ^~~~~ BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner (cherry picked from commit 76828876faa3cd463023e323983df0be597c7361) --- source4/dsdb/samdb/ldb_modules/samldb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 11da629f4ec..734d0be26a9 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -345,7 +345,7 @@ static int samldb_generate_next_linkid(struct samldb_ctx *ac, static int samldb_schema_add_handle_linkid(struct samldb_ctx *ac) { int ret; - bool ok, found; + bool ok, found = false; struct ldb_message_element *el; const char *enc_str; const struct dsdb_attribute *attr; -- 2.17.1 From 27c0c25617bab4f02b7111b2d5fccb9d6df02525 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 18 Jun 2018 10:34:27 +0200 Subject: [PATCH 14/15] s3:registry: Fix buffer truncation issues issues with gcc8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ../source3/registry/reg_perfcount.c: In function ‘reg_perfcount_get_hkpd’: ../source3/registry/reg_perfcount.c:337:29: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=] snprintf(buf, buflen,"%d%s", key_part1, key_part2); BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner (cherry picked from commit 29f6842ee86b768f3677b38c5640655e312c398e) --- source3/registry/reg_perfcount.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/source3/registry/reg_perfcount.c b/source3/registry/reg_perfcount.c index a8f76ac66b2..db4451ecdeb 100644 --- a/source3/registry/reg_perfcount.c +++ b/source3/registry/reg_perfcount.c @@ -166,13 +166,12 @@ static uint32_t _reg_perfcount_multi_sz_from_tdb(TDB_CONTEXT *tdb, uint32_t buffer_size) { TDB_DATA kbuf, dbuf; - char temp[256]; + char temp[PERFCOUNT_MAX_LEN] = {0}; char *buf1 = *retbuf; uint32_t working_size = 0; DATA_BLOB name_index, name; bool ok; - memset(temp, 0, sizeof(temp)); snprintf(temp, sizeof(temp), "%d", keyval); kbuf = string_tdb_data(temp); dbuf = tdb_fetch(tdb, kbuf); @@ -709,13 +708,13 @@ static bool _reg_perfcount_get_instance_info(struct PERF_INSTANCE_DEFINITION *in TDB_CONTEXT *names) { TDB_DATA key, data; - char buf[PERFCOUNT_MAX_LEN], temp[PERFCOUNT_MAX_LEN]; + char buf[PERFCOUNT_MAX_LEN] = {0}; + char temp[32] = {0}; smb_ucs2_t *name = NULL; int pad; /* First grab the instance data from the data file */ - memset(temp, 0, PERFCOUNT_MAX_LEN); - snprintf(temp, PERFCOUNT_MAX_LEN, "i%d", instId); + snprintf(temp, sizeof(temp), "i%d", instId); _reg_perfcount_make_key(&key, buf, PERFCOUNT_MAX_LEN, obj->ObjectNameTitleIndex, temp); if (!_reg_perfcount_get_counter_data(key, &data)) { DEBUG(3, ("_reg_perfcount_get_counter_data failed\n")); @@ -739,8 +738,7 @@ static bool _reg_perfcount_get_instance_info(struct PERF_INSTANCE_DEFINITION *in SAFE_FREE(data.dptr); /* Fetch instance name */ - memset(temp, 0, PERFCOUNT_MAX_LEN); - snprintf(temp, PERFCOUNT_MAX_LEN, "i%dname", instId); + snprintf(temp, sizeof(temp), "i%dname", instId); _reg_perfcount_make_key(&key, buf, PERFCOUNT_MAX_LEN, obj->ObjectNameTitleIndex, temp); data = tdb_fetch(names, key); if(data.dptr == NULL) -- 2.17.1 From 1124711ae66002b7a101a46f50ed2866efba0e9d Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 18 Jun 2018 10:43:53 +0200 Subject: [PATCH 15/15] s3:smbget: Fix buffer truncation issues with gcc8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ../source3/utils/smbget.c: In function ‘smb_download_file’: ../source3/utils/smbget.c:97:27: error: ‘b’ directive output may be truncated writing 1 byte into a region of size between 0 and 19 [-Werror=format-truncation=] snprintf(buffer, l, "%jdb", (intmax_t)s); ^ BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner (cherry picked from commit 4a3164e0beea35c1f4ce44fbe43547f7104587d1) --- source3/utils/smbget.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c index d2d5e00a8ed..e1be42917fb 100644 --- a/source3/utils/smbget.c +++ b/source3/utils/smbget.c @@ -288,7 +288,7 @@ static void print_progress(const char *name, time_t start, time_t now, double avg = 0.0; long eta = -1; double prcnt = 0.0; - char hpos[20], htotal[20], havg[20]; + char hpos[22], htotal[22], havg[22]; char *status, *filename; int len; if (now - start) { -- 2.17.1