diff options
author | Jeremy Allison <jra@samba.org> | 2004-12-07 18:25:53 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 10:53:32 -0500 |
commit | 620f2e608f70ba92f032720c031283d295c5c06a (patch) | |
tree | ec3dd5fcf29eaa98a26ddeae3acb7a89fd0e0fb8 /source/smbd/nttrans.c | |
parent | 12440744ba36445186042c8c254785766cce5385 (diff) | |
download | samba-620f2e608f70ba92f032720c031283d295c5c06a.tar.gz samba-620f2e608f70ba92f032720c031283d295c5c06a.tar.xz samba-620f2e608f70ba92f032720c031283d295c5c06a.zip |
r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
Diffstat (limited to 'source/smbd/nttrans.c')
-rw-r--r-- | source/smbd/nttrans.c | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c index 42953a1b7a1..2395d0d8db5 100644 --- a/source/smbd/nttrans.c +++ b/source/smbd/nttrans.c @@ -58,11 +58,12 @@ static char *nttrans_realloc(char **ptr, size_t size) if (ptr==NULL) smb_panic("nttrans_realloc() called with NULL ptr\n"); - tptr = Realloc_zero(*ptr, size); + tptr = SMB_REALLOC(*ptr, size); if(tptr == NULL) { *ptr = NULL; return NULL; } + memset(tptr,'\0',size); *ptr = tptr; @@ -2139,7 +2140,7 @@ static int call_nt_transact_ioctl(connection_struct *conn, char *inbuf, char *ou return ERROR_NT(NT_STATUS_NO_MEMORY); } - shadow_data = (SHADOW_COPY_DATA *)talloc_zero(shadow_mem_ctx,sizeof(SHADOW_COPY_DATA)); + shadow_data = TALLOC_ZERO_P(shadow_mem_ctx,SHADOW_COPY_DATA); if (shadow_data == NULL) { DEBUG(0,("talloc_zero() failed!\n")); return ERROR_NT(NT_STATUS_NO_MEMORY); @@ -2449,6 +2450,10 @@ static int call_nt_transact_get_user_quota(connection_struct *conn, char *inbuf, } sid_len = IVAL(pdata,4); + /* Ensure this is less than 1mb. */ + if (sid_len > (1024*1024)) { + return ERROR_DOS(ERRDOS,ERRnomem); + } if (data_count < 8+sid_len) { DEBUG(0,("TRANSACT_GET_USER_QUOTA_FOR_SID: requires %d >= %lu bytes data\n",data_count,(unsigned long)(8+sid_len))); @@ -2703,15 +2708,21 @@ due to being in oplock break state.\n", (unsigned int)function_code )); CVAL(inbuf, smb_wct), 19 + (setup_count/2))); goto bad_param; } - + + /* Don't allow more than 128mb for each value. */ + if ((total_parameter_count > (1024*1024*128)) || (total_data_count > (1024*1024*128))) { + END_PROFILE(SMBnttrans); + return ERROR_DOS(ERRDOS,ERRnomem); + } + /* Allocate the space for the setup, the maximum needed parameters and data */ if(setup_count > 0) - setup = (char *)malloc(setup_count); + setup = (char *)SMB_MALLOC(setup_count); if (total_parameter_count > 0) - params = (char *)malloc(total_parameter_count); + params = (char *)SMB_MALLOC(total_parameter_count); if (total_data_count > 0) - data = (char *)malloc(total_data_count); + data = (char *)SMB_MALLOC(total_data_count); if ((total_parameter_count && !params) || (total_data_count && !data) || (setup_count && !setup)) { |