author | Andrew Tridgell <tridge@samba.org> | 1998-08-31 03:11:42 +0000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 1998-08-31 03:11:42 +0000 |
commit | 3eade55dc7c842bdc50205c330802d211fae54d3 (patch) | |
tree | 09bca34d4463927d2930e9e926165d378ecb870f /source/smbd | |
parent | 7d455ee637b6ff70c95845f89d71573ca07b83f3 (diff) | |
bounds check next_token() to prevent possible buffer overflows
Diffstat (limited to 'source/smbd')
-rw-r--r-- | source/smbd/chgpasswd.c | 4 | ||||
-rw-r--r-- | source/smbd/groupname.c | 4 | ||||
-rw-r--r-- | source/smbd/ipc.c | 26 | ||||
-rw-r--r-- | source/smbd/password.c | 4 |
4 files changed, 19 insertions, 19 deletions
diff --git a/source/smbd/chgpasswd.c b/source/smbd/chgpasswd.c index ee6a2d14f42..aebdde6d34c 100644 --- a/source/smbd/chgpasswd.c +++ b/source/smbd/chgpasswd.c @@ -262,7 +262,7 @@ static int talktochild(int master, char *chatsequence) *buf = 0; sleep(1); - while (next_token(&ptr,chatbuf,NULL)) { + while (next_token(&ptr,chatbuf,NULL,sizeof(chatbuf))) { BOOL ok=True; count++; pwd_sub(chatbuf); @@ -277,7 +277,7 @@ static int talktochild(int master, char *chatsequence) return(False); } - if (!next_token(&ptr,chatbuf,NULL)) break; + if (!next_token(&ptr,chatbuf,NULL,sizeof(chatbuf))) break; pwd_sub(chatbuf); if (!strequal(chatbuf,".")) writestring(master,chatbuf); diff --git a/source/smbd/groupname.c b/source/smbd/groupname.c index 689fdbbbd90..3183c5c83c3 100644 --- a/source/smbd/groupname.c +++ b/source/smbd/groupname.c @@ -125,10 +125,10 @@ void load_groupname_map(void) if (!*s || strchr("#;",*s)) continue; - if(!next_token(&s,unixname, "\t\n\r=")) + if(!next_token(&s,unixname, "\t\n\r=", sizeof(unixname))) continue; - if(!next_token(&s,windows_name, "\t\n\r=")) + if(!next_token(&s,windows_name, "\t\n\r=", sizeof(windows_name))) continue; trim_string(unixname, " ", " "); diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c index 70c2668d92e..7c0a51f7859 100644 --- a/source/smbd/ipc.c +++ b/source/smbd/ipc.c @@ -658,7 +658,7 @@ static void fill_printq_info(connection_struct *conn, int snum, int uLevel, p = q; /* reset string pointer */ fgets(p,8191,f); p[strlen(p)-1]='\0'; - if (next_token(&p,tok,":") && + if (next_token(&p,tok,":",sizeof(tok)) && (strlen(lp_printerdriver(snum)) == strlen(tok)) && (!strncmp(tok,lp_printerdriver(snum),strlen(lp_printerdriver(snum))))) ok=1; 
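Review bot: Every call site in this commit passes `sizeof(dest)` as the new bound, and that equals the buffer length only while the destination is a true array in scope; in this first talktochild hunk the declaration of `chatbuf` is outside the visible lines. The same holds for `unixname`/`windows_name` in groupname.c, the token buffers in ipc.c and `desthost`/`remote_machine` in password.c. If any of them is, or later becomes, a `char *`, sizeof yields the pointer size and the bound is wrong without any compiler diagnostic. A comment at each declaration would pin this down, e.g. `/* must stay an array: passed to next_token() with sizeof() */`.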
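Review bot: The context lines directly above the changed call in the fill_printq_info hunk at 658, `fgets(p,8191,f); p[strlen(p)-1]='\0';`, can still write outside the buffer, and bounding next_token() does not cover that. When fgets() returns NULL the buffer is left as it was, and when the line read has length 0 the index `strlen(p)-1` wraps and the store lands before the start of `p`. Checking the read first would close this, e.g. `if (!fgets(p,8191,f)) break;` followed by `if (*p) p[strlen(p)-1]='\0';`. The loop header and the allocation behind `q` are outside the hunk, so the exit path has to be matched to them.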
@@ -666,9 +666,9 @@ static void fill_printq_info(connection_struct *conn, int snum, int uLevel, fclose(f); /* driver file name */ - if (ok && !next_token(&p,driver,":")) ok = 0; + if (ok && !next_token(&p,driver,":",sizeof(driver))) ok = 0; /* data file name */ - if (ok && !next_token(&p,datafile,":")) ok = 0; + if (ok && !next_token(&p,datafile,":",sizeof(datafile))) ok = 0; /* * for the next tokens - which may be empty - I have to check for empty * tokens first because the next_token function will skip all empty @@ -679,7 +679,7 @@ static void fill_printq_info(connection_struct *conn, int snum, int uLevel, if (*p == ':') { *helpfile = '\0'; p++; - } else if (!next_token(&p,helpfile,":")) ok = 0; + } else if (!next_token(&p,helpfile,":",sizeof(helpfile))) ok = 0; } if (ok) { @@ -687,11 +687,11 @@ static void fill_printq_info(connection_struct *conn, int snum, int uLevel, if (*p == ':') { *langmon = '\0'; p++; - } else if (!next_token(&p,langmon,":")) ok = 0; + } else if (!next_token(&p,langmon,":",sizeof(langmon))) ok = 0; } /* default data type */ - if (ok && !next_token(&p,datatype,":")) ok = 0; + if (ok && !next_token(&p,datatype,":",sizeof(datatype))) ok = 0; if (ok) { PACKI(desc,"W",0x0400); /* don't know */ @@ -714,7 +714,7 @@ static void fill_printq_info(connection_struct *conn, int snum, int uLevel, /* no need to check return value here - it was already tested in * get_printerdrivernumber */ - next_token(&p,tok,","); + next_token(&p,tok,",",sizeof(tok)); PACKS(desc,"z",tok); /* driver files to copy */ DEBUG(3,("file:%s:\n",tok)); } @@ -755,7 +755,7 @@ int get_printerdrivernumber(int snum) { p = q; /* reset string pointer */ fgets(p,8191,f); - if (next_token(&p,tok,":") && + if (next_token(&p,tok,":",sizeof(tok)) && (!strncmp(tok,lp_printerdriver(snum),strlen(lp_printerdriver(snum))))) ok=1; } 
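Review bot: The result of `next_token(&p,tok,",",sizeof(tok));` is discarded in the hunk at 714, so when no token is left `tok` presumably still holds the previous value and that is what `PACKS(desc,"z",tok)` puts into the reply. The comment relies on the count from get_printerdrivernumber, but that function matches the driver name by prefix only (hunk at 755) while this one also compares lengths, so the two passes need not land on the same line. `if (!next_token(&p,tok,",",sizeof(tok))) break;` would keep stale data out of the response. The loop header is outside the hunk.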
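Review bot: The match in get_printerdrivernumber (hunk at 755) compares only the first `strlen(lp_printerdriver(snum))` bytes of `tok`, whereas the same lookup in fill_printq_info (hunk at 658) also requires equal lengths. A configured driver name that is a prefix of another entry therefore selects the wrong line here. Adding the same condition, `(strlen(lp_printerdriver(snum)) == strlen(tok)) &&`, would make the two functions agree. The return value of `fgets(p,8191,f)` just above is also unchecked, so a failed read leaves `p` with whatever it held before.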
@@ -771,7 +771,7 @@ int get_printerdrivernumber(int snum) return(0); /* count the number of files */ - while (next_token(&p,tok,",")) + while (next_token(&p,tok,",",sizeof(tok))) i++; } free(q); @@ -1021,10 +1021,10 @@ static int get_server_info(uint32 servertype, } s = &(*servers)[count]; - if (!next_token(&ptr,s->name , NULL)) continue; - if (!next_token(&ptr,stype , NULL)) continue; - if (!next_token(&ptr,s->comment, NULL)) continue; - if (!next_token(&ptr,s->domain , NULL)) { + if (!next_token(&ptr,s->name , NULL, sizeof(s->name))) continue; + if (!next_token(&ptr,stype , NULL, sizeof(stype))) continue; + if (!next_token(&ptr,s->comment, NULL, sizeof(s->comment))) continue; + if (!next_token(&ptr,s->domain , NULL, sizeof(s->domain))) { /* this allows us to cope with an old nmbd */ pstrcpy(s->domain,global_myworkgroup); } diff --git a/source/smbd/password.c b/source/smbd/password.c index 4ee9e8705d5..dadbcad11e0 100644 --- a/source/smbd/password.c +++ b/source/smbd/password.c @@ -934,7 +934,7 @@ struct cli_state *server_cryptkey(void) return NULL; p = lp_passwordserver(); - while(p && next_token( &p, desthost, LIST_SEP)) { + while(p && next_token( &p, desthost, LIST_SEP, sizeof(desthost))) { standard_sub_basic(desthost); strupper(desthost); @@ -1214,7 +1214,7 @@ machine %s in domain %s.\n", global_myname, global_myworkgroup )); */ p = lp_passwordserver(); - while(p && next_token( &p, remote_machine, LIST_SEP)) { + while(p && next_token(&p,remote_machine,LIST_SEP,sizeof(remote_machine))) { standard_sub_basic(remote_machine); strupper(remote_machine); |
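Review bot: In the get_server_info hunk at 1021 the fallback `pstrcpy(s->domain,global_myworkgroup);` is now the only write to `s->domain` that is not bounded by `sizeof(s->domain)`. If pstrcpy bounds the copy by the pstring size and `s->domain` is a shorter field, the copy can run past the member; the struct definition is not visible here, so this needs confirming. `safe_strcpy(s->domain, global_myworkgroup, sizeof(s->domain)-1);` would tie the bound to the field, as the four next_token() calls above it now do.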
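Review bot: With the bound in place, a password server entry longer than `desthost` is presumably cut short rather than rejected in the server_cryptkey hunk at 934, and the loop goes on to use the shortened name; next_token's body is not part of this diff, so this is inferred. For a value that names the machine passwords are checked against, a truncated entry should be skipped and logged instead of used, which the boolean return cannot signal. At minimum the behaviour should be documented at the call, e.g. `/* an over-long entry is truncated by next_token(), not rejected */`. The same applies to `remote_machine` in the hunk at 1214.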