From efb360374912c1d8824b9bd6c09016cf42190ecb Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Mon, 18 Feb 2013 17:11:15 +0100
Subject: [PATCH 1/7] libsmb: Fix possible null pointer dereference.

Reviewed-by: Alexander Bokovoy
---
 source3/libsmb/libsmb_xattr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source3/libsmb/libsmb_xattr.c b/source3/libsmb/libsmb_xattr.c
index 03cdc34..c2ba61f 100644
--- a/source3/libsmb/libsmb_xattr.c
+++ b/source3/libsmb/libsmb_xattr.c
@@ -351,7 +351,7 @@ parse_ace(struct cli_state *ipc_cli,
 goto done;
 }
- for (v = standard_values; v->perm; v++) {
+ for (v = standard_values; v != NULL; v++) {
 if (strcmp(tok, v->perm) == 0) {
 amask = v->mask;
 goto done;
@@ -363,7 +363,7 @@ parse_ace(struct cli_state *ipc_cli,
 while(*p) {
 bool found = False;
- for (v = special_values; v->perm; v++) {
+ for (v = special_values; v != NULL; v++) {
 if (v->perm[0] == *p) {
 amask |= v->mask;
 found = True;
-- 
1.8.1.4

From 191e9997456e16fa282acb5bef726239cf731a05 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Mon, 18 Feb 2013 17:21:31 +0100
Subject: [PATCH 2/7] nmbd: Fix request data data processing.

answers->rdata is an array and will never be NULL.

Reviewed-by: Alexander Bokovoy
---
 source3/nmbd/nmbd_browsesync.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source3/nmbd/nmbd_browsesync.c b/source3/nmbd/nmbd_browsesync.c
index b56baed..03d0ada 100644
--- a/source3/nmbd/nmbd_browsesync.c
+++ b/source3/nmbd/nmbd_browsesync.c
@@ -194,7 +194,7 @@ static void domain_master_node_status_success(struct subnet_record *subrec,
 /* Go through the list of names found at answers->rdata and look for the first SERVER<0x20> name. */
- if(answers->rdata != NULL) {
+ if (answers->rdlength > 0) {
 char *p = answers->rdata;
 int numnames = CVAL(p, 0);
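Review bot: The new loop condition `v != NULL` in both hunks tests the iterator pointer rather than the table's terminator, and a pointer that starts at `standard_values` (or `special_values`) and is only ever incremented never becomes NULL, so the loop now exits only through `goto done` and otherwise walks past the end of the table — an out-of-bounds read steered by the ACE text in `tok`/`*p`. The original `v->perm` was the sentinel test (assuming the tables end with an entry whose `perm` is NULL, as that condition implies); if an analyser flagged `strcmp(tok, v->perm)`, the condition already guarded it. Keep the sentinel check but make it explicit: `for (v = standard_values; v->perm != NULL; v++) {` and, in the second hunk, `for (v = special_values; v->perm != NULL; v++) {`. The table declarations and the rest of parse_ace lie outside the hunks.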
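Review bot: `answers->rdlength > 0` guarantees only that the count byte read by `CVAL(p, 0)` lies inside the received data; it says nothing about the `numnames` entries that the code after the hunk walks from `p`. If that walk is not already bounded by `answers->rdlength` (the remainder of domain_master_node_status_success is outside the hunk), a peer-supplied count larger than the payload would read beyond the received bytes, so the length should be checked again against the size of the name entries before the walk. The same applies to the second hunk of this patch in get_domain_master_name_node_status_success.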
@@ -417,7 +417,7 @@ static void get_domain_master_name_node_status_success(struct subnet_record *sub
 * the first WORKGROUP<0x1b> name. */
- if(answers->rdata != NULL) {
+ if (answers->rdlength > 0) {
 char *p = answers->rdata;
 int numnames = CVAL(p, 0);
-- 
1.8.1.4

From 5597a614bc43ee425e96ff99098246942529dd8f Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Mon, 18 Feb 2013 17:30:19 +0100
Subject: [PATCH 3/7] s3-tldap: Make sure we don't deref a null pointer.

Reviewed-by: Alexander Bokovoy
---
 source3/lib/tldap.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c
index 8b04d00..3782708 100644
--- a/source3/lib/tldap.c
+++ b/source3/lib/tldap.c
@@ -1370,6 +1370,9 @@ static bool tldap_push_filter_basic(struct tldap_context *ld,
 dn++;
 rule = strchr(dn, ':');
+ if (rule == NULL) {
+ return false;
+ }
 if ((rule == dn + 1) || rule + 1 == e) {
 /* malformed filter, contains "::" */
 return false;
-- 
1.8.1.4

From 1859f662b0078a71350ccbf9a8675f53cd9cb321 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Mon, 18 Feb 2013 17:32:28 +0100
Subject: [PATCH 4/7] librpc: Add NULL check for ndr functions for epm bindings.

Reviewed-by: Alexander Bokovoy
---
 librpc/rpc/binding.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/librpc/rpc/binding.c b/librpc/rpc/binding.c
index f7fbbbc..2fa325f 100644
--- a/librpc/rpc/binding.c
+++ b/librpc/rpc/binding.c
@@ -424,7 +424,12 @@ _PUBLIC_ NTSTATUS dcerpc_floor_get_lhs_data(const struct epm_floor *epm_floor,
 static DATA_BLOB dcerpc_floor_pack_lhs_data(TALLOC_CTX *mem_ctx,
 const struct ndr_syntax_id *syntax)
 {
 DATA_BLOB blob;
- struct ndr_push *ndr = ndr_push_init_ctx(mem_ctx);
+ struct ndr_push *ndr;
+
+ ndr = ndr_push_init_ctx(mem_ctx);
+ if (ndr == NULL) {
+ return data_blob_null;
+ }
 ndr->flags |= LIBNDR_FLAG_NOALIGN;
-- 
1.8.1.4

From 25b160492351b6805da3205b09db183334da1690 Mon Sep 17 00:00:00 2001
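Review bot: The added `rule == NULL` branch returns without saying why, while the neighbouring malformed-filter case carries a comment; a reader has to already know that this part of the filter (the `dn++` / `strchr(dn, ':')` sequence appears to be parsing the `:dn:rule:=` portion of an extensible-match filter) requires a second ':' to follow the dn part. Suggest annotating it in the same style as the existing branch, `/* malformed filter, no ':' terminating the dn part */`, directly above the new `return false;`. The rest of tldap_push_filter_basic is outside the hunk.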
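Review bot: Returning `data_blob_null` from dcerpc_floor_pack_lhs_data on allocation failure is only a fix if every caller checks for it; the callers are outside the hunk, and nothing in the function's signature tells them that an empty blob now means "out of memory" rather than a packed result. Suggest recording the contract above the definition, `/* Returns data_blob_null (data == NULL, length 0) if the NDR push context cannot be allocated; callers must check blob.data before using the result. */`, and confirming that each caller of this function treats `blob.data == NULL` as an error rather than forwarding the empty blob into the binding tower.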
From: Andreas Schneider
Date: Mon, 18 Feb 2013 18:00:38 +0100
Subject: [PATCH 5/7] s4-libcli: Check return code of smbcli_request_setup().

Reviewed-by: Alexander Bokovoy
---
 source4/libcli/raw/rawfsinfo.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/source4/libcli/raw/rawfsinfo.c b/source4/libcli/raw/rawfsinfo.c
index 08f68dd..9c03e14 100644
--- a/source4/libcli/raw/rawfsinfo.c
+++ b/source4/libcli/raw/rawfsinfo.c
@@ -33,6 +33,9 @@ static struct smbcli_request *smb_raw_dskattr_send(struct smbcli_tree *tree,
 struct smbcli_request *req;
 req = smbcli_request_setup(tree, SMBdskattr, 0, 0);
+ if (req == NULL) {
+ return NULL;
+ }
 if (!smbcli_request_send(req)) {
 smbcli_request_destroy(req);
-- 
1.8.1.4

From 93f78fd01ac3c18d8a1fc8cb48075b0db26a4b32 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Tue, 19 Feb 2013 08:58:00 +0100
Subject: [PATCH 6/7] pyauth: Check return value of lpcfg_from_py_object().

Reviewed-by: Alexander Bokovoy
---
 source4/auth/pyauth.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/source4/auth/pyauth.c b/source4/auth/pyauth.c
index f07fa78..437e671 100644
--- a/source4/auth/pyauth.c
+++ b/source4/auth/pyauth.c
@@ -245,6 +245,10 @@ static PyObject *py_auth_context_new(PyTypeObject *type, PyObject *args, PyObjec
 }
 lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
+ if (lp_ctx == NULL) {
+ PyErr_NoMemory();
+ return NULL;
+ }
 ev = s4_event_context_init(mem_ctx);
 if (ev == NULL) {
-- 
1.8.1.4

From 1d845c607fab15b62eb1e21ded54f521b14202a1 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Tue, 19 Feb 2013 09:00:51 +0100
Subject: [PATCH 7/7] s4-libcli: Check return value of smbcli_request_setup().

Reviewed-by: Alexander Bokovoy
---
 source4/libcli/climessage.c | 9 +++++++++
 source4/libcli/raw/clioplock.c | 3 +++
 source4/libcli/raw/clitree.c | 3 +++
 3 files changed, 15 insertions(+)

diff --git a/source4/libcli/climessage.c b/source4/libcli/climessage.c
index 5ed0e8e..3e9808c 100644
--- a/source4/libcli/climessage.c
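Review bot: The new `lp_ctx == NULL` path in py_auth_context_new returns without releasing `mem_ctx`; if that context is allocated earlier in the function (its start is outside the hunk) and the adjacent `ev == NULL` branch frees it, this branch should do the same — add `talloc_free(mem_ctx);` before `return NULL;`. Also, `lpcfg_from_py_object` may fail for reasons other than memory exhaustion (an argument of the wrong type, for instance) and may already have set a Python exception, which `PyErr_NoMemory()` would silently replace; `if (!PyErr_Occurred()) { PyErr_NoMemory(); }` keeps the more specific error for the caller.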
+++ b/source4/libcli/climessage.c
@@ -33,6 +33,9 @@ bool smbcli_message_start(struct smbcli_tree *tree, const char *host, const char
 struct smbcli_request *req;
 req = smbcli_request_setup(tree, SMBsendstrt, 0, 0);
+ if (req == NULL) {
+ return false;
+ }
 smbcli_req_append_string(req, username, STR_TERMINATE);
 smbcli_req_append_string(req, host, STR_TERMINATE);
 if (!smbcli_request_send(req) ||
@@ -57,6 +60,9 @@ bool smbcli_message_text(struct smbcli_tree *tree, char *msg, int len, int grp)
 struct smbcli_request *req;
 req = smbcli_request_setup(tree, SMBsendtxt, 1, 0);
+ if (req == NULL) {
+ return false;
+ }
 SSVAL(req->out.vwv, VWV(0), grp);
 smbcli_req_append_bytes(req, (const uint8_t *)msg, len);
@@ -80,6 +86,9 @@ bool smbcli_message_end(struct smbcli_tree *tree, int grp)
 struct smbcli_request *req;
 req = smbcli_request_setup(tree, SMBsendend, 1, 0);
+ if (req == NULL) {
+ return false;
+ }
 SSVAL(req->out.vwv, VWV(0), grp);
 if (!smbcli_request_send(req) ||
diff --git a/source4/libcli/raw/clioplock.c b/source4/libcli/raw/clioplock.c
index 396ab96..6c04843 100644
--- a/source4/libcli/raw/clioplock.c
+++ b/source4/libcli/raw/clioplock.c
@@ -30,6 +30,9 @@ _PUBLIC_ bool smbcli_oplock_ack(struct smbcli_tree *tree, uint16_t fnum, uint16_
 struct smbcli_request *req;
 req = smbcli_request_setup(tree, SMBlockingX, 8, 0);
+ if (req == NULL) {
+ return false;
+ }
 SSVAL(req->out.vwv,VWV(0),0xFF);
 SSVAL(req->out.vwv,VWV(1),0);
diff --git a/source4/libcli/raw/clitree.c b/source4/libcli/raw/clitree.c
index 1c3321e..11be548 100644
--- a/source4/libcli/raw/clitree.c
+++ b/source4/libcli/raw/clitree.c
@@ -168,6 +168,9 @@ _PUBLIC_ NTSTATUS smb_tree_disconnect(struct smbcli_tree *tree)
 if (!tree) return NT_STATUS_OK;
 req = smbcli_request_setup(tree, SMBtdis, 0, 0);
+ if (req == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
 if (smbcli_request_send(req)) {
 (void) smbcli_request_receive(req);
-- 
1.8.1.4