authorVolker Lendecke <vl@samba.org>2013-11-11 20:37:48 +0000
committerAndreas Schneider <asn@samba.org>2013-11-13 09:01:55 +0100
commit7039c627c5eda7eb5497d872b9fe68b5dbe23693 (patch)
tree797cec173d607f0fc3586ea83bcbe4c3d7293d5d /source3/libsmb
parent744abc882284bfde41b087bc06e13160b915f371 (diff)
libsmb: Fix CID 242665 Out-of-bounds access
Coverity is confused by the dual use of "pss" as an array of size 1. This is not strictly a bug here, but it is admittedly a small subtlety. It should fix a whole bunch of Coverity issues. Normally I would resist changing our code in response to a deficient static checker, but here I would vote for this compromise. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'source3/libsmb')
-rw-r--r--source3/libsmb/cliconnect.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 81bc028b26..3c9d03a076 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -2870,6 +2870,7 @@ static struct tevent_req *cli_connect_sock_send(
struct tevent_req *req, *subreq;
struct cli_connect_sock_state *state;
const char *prog;
+ struct sockaddr_storage *addrs;
unsigned i, num_addrs;
NTSTATUS status;
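Review bot: `addrs` is now declared at function scope without an initializer, so its value is indeterminate on any path that skips both assigning branches. The branches visible in this patch appear to set it before the `smbsock_any_connect_send` call, but the function body continues outside this hunk and a later edit could add a path that bypasses them. Declaring it as `struct sockaddr_storage *addrs = NULL;` would make such a mistake fail predictably instead of handing a stray pointer to the connect code.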
@@ -2893,7 +2894,6 @@ static struct tevent_req *cli_connect_sock_send(
}
if ((pss == NULL) || is_zero_addr(pss)) {
- struct sockaddr_storage *addrs;
/*
* Here we cheat. resolve_name_list is not async at all. So
@@ -2907,8 +2907,12 @@ static struct tevent_req *cli_connect_sock_send(
tevent_req_nterror(req, status);
return tevent_req_post(req, ev);
}
- pss = addrs;
} else {
+ addrs = talloc_array(state, struct sockaddr_storage, 1);
+ if (tevent_req_nomem(addrs, req)) {
+ return tevent_req_post(req, ev);
+ }
+ addrs[0] = *pss;
num_addrs = 1;
}
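Review bot: The new `else` branch should carry a short comment saying why the caller's single address is copied, since the commit message calls this a subtlety and the code alone does not explain it. A line such as `/* Copy *pss into a one-element array owned by state so addrs always points at num_addrs entries. */` above the `talloc_array` call would do. The copy also means the address handed to the connect request no longer points into caller-owned storage, which the same comment could mention. The enclosing function starts and ends outside this hunk.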
@@ -2931,7 +2935,7 @@ static struct tevent_req *cli_connect_sock_send(
}
subreq = smbsock_any_connect_send(
- state, ev, pss, state->called_names, state->called_types,
+ state, ev, addrs, state->called_names, state->called_types,
state->calling_names, NULL, num_addrs, port);
if (tevent_req_nomem(subreq, req)) {
return tevent_req_post(req, ev);