diff options
55 files changed, 755 insertions, 538 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 2143a8868ed..82efca45e38 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,6 +1,6 @@ ================================= Release Notes for Samba 3.0.23rc3 - Jun 19, 2006 + Jun XX, 2006 ================================= This is the third release candidate of the 3.0.23 code base and is @@ -57,6 +57,7 @@ o Guenther Deschner <gd@samba.org> * BUG 3843: Allow to set passwords directly when creating users via "net rpc user add" * Add "rpc shell" to the usage text for the net command. + * Winbindd user aliases lookup fixes for large domains. o Bjoern Jacke <samba@j3e.de>. @@ -69,6 +70,13 @@ o Volker Lendecke <vl@samba.org> * Fixes for various Coverity defect reports. + +o Derrell Lipman <derrell@samba.org> + [libsmbclient] + * BUG 3814: Only set the DFS capability flag in client requests + if the share is a DFS root. + + o Jason Mader <jason@ncac.gwu.edu> * Compiler warning fixes. diff --git a/source/Makefile.in b/source/Makefile.in index f1cf71406f9..bba29456133 100644 --- a/source/Makefile.in +++ b/source/Makefile.in @@ -1600,7 +1600,7 @@ clean: delheaders python_clean $(TOPFILES) $(BIN_PROGS) $(SBIN_PROGS) $(ROOT_SBIN_PROGS) \ $(MODULES) $(TORTURE_PROGS) $(LIBSMBCLIENT) \ $(LIBSMBSHAREMODES) $(EVERYTHING_PROGS) $(LIBMSRPC) \ - .headers.stamp + .headers.stamp */src/*.o */src/*.@PICSUFFIX@ -rm -rf t_dir # Making this target will just make sure that the prototype files diff --git a/source/client/mount.cifs.c b/source/client/mount.cifs.c index 23a74d34fad..ac98b992bb2 100755 --- a/source/client/mount.cifs.c +++ b/source/client/mount.cifs.c @@ -259,6 +259,11 @@ static int get_password_from_file(int file_descript, char * filename) else memset(mountpassword, 0, 64); + if (mountpassword == NULL) { + printf("malloc failed\n"); + exit(1); + } + if(filename != NULL) { file_descript = open(filename, O_RDONLY); if(file_descript < 0) { diff --git a/source/lib/debug.c b/source/lib/debug.c index b8c42686cdb..2b6c42b8eb0 100644 --- a/source/lib/debug.c +++ b/source/lib/debug.c @@ -513,6 +513,11 @@ static void debuglevel_message(int msg_type, struct process_id src, { char *message = debug_list_class_names_and_levels(); + if (!message) { + DEBUG(0,("debuglevel_message - debug_list_class_names_and_levels returned NULL\n")); + return; + } + DEBUG(1,("INFO: Received REQ_DEBUGLEVEL message from PID %u\n", (unsigned int)procid_to_pid(&src))); message_send_pid(src, MSG_DEBUGLEVEL, message, strlen(message) + 1, True); diff --git a/source/lib/messages.c b/source/lib/messages.c index cd2a3b36b6e..dd6d4137d7b 100644 --- a/source/lib/messages.c +++ b/source/lib/messages.c @@ -105,6 +105,7 @@ static void ping_message(int msg_type, struct process_id src, void *buf, size_t len) { const char *msg = buf ? buf : "none"; + DEBUG(1,("INFO: Received PING message from PID %s [%s]\n", procid_str_static(&src), msg)); message_send_pid(src, MSG_PONG, buf, len, True); @@ -198,6 +199,11 @@ static BOOL message_send_pid_internal(struct process_id pid, int msg_type, char *ptr; struct message_rec prec; + /* NULL pointer means implicit length zero. */ + if (!buf) { + SMB_ASSERT(len == 0); + } + /* * Doing kill with a non-positive pid causes messages to be * sent to places we don't want. @@ -209,7 +215,7 @@ static BOOL message_send_pid_internal(struct process_id pid, int msg_type, rec.msg_type = msg_type; rec.dest = pid; rec.src = procid_self(); - rec.len = len; + rec.len = buf ? len : 0; kbuf = message_key_pid(pid); @@ -218,7 +224,7 @@ static BOOL message_send_pid_internal(struct process_id pid, int msg_type, return False; memcpy(dbuf.dptr, &rec, sizeof(rec)); - if (len > 0) + if (len > 0 && buf) memcpy((void *)((char*)dbuf.dptr+sizeof(rec)), buf, len); dbuf.dsize = len + sizeof(rec); diff --git a/source/lib/privileges.c b/source/lib/privileges.c index d77d7857d72..d19592e5826 100644 --- a/source/lib/privileges.c +++ b/source/lib/privileges.c @@ -530,6 +530,10 @@ NTSTATUS privilege_enumerate_accounts(DOM_SID **sids, int *num_sids) TDB_CONTEXT *tdb = get_account_pol_tdb(); PRIV_SID_LIST priv; + if (!tdb) { + return NT_STATUS_ACCESS_DENIED; + } + ZERO_STRUCT(priv); se_priv_copy( &priv.privilege, &se_priv_none ); diff --git a/source/lib/util.c b/source/lib/util.c index d705901244a..a1efecfbbba 100644 --- a/source/lib/util.c +++ b/source/lib/util.c @@ -2845,9 +2845,6 @@ void *talloc_check_name_abort(const void *ptr, const char *name) { void *result; - if (ptr == NULL) - return NULL; - result = talloc_check_name(ptr, name); if (result != NULL) return result; diff --git a/source/lib/util_sid.c b/source/lib/util_sid.c index 307f3e3415d..09fe30f81bb 100644 --- a/source/lib/util_sid.c +++ b/source/lib/util_sid.c @@ -647,6 +647,25 @@ void del_sid_from_array(const DOM_SID *sid, DOM_SID **sids, size_t *num) return; } +void add_rid_to_array_unique(TALLOC_CTX *mem_ctx, + uint32 rid, uint32 **pp_rids, size_t *p_num) +{ + size_t i; + + for (i=0; i<*p_num; i++) { + if ((*pp_rids)[i] == rid) + return; + } + + *pp_rids = TALLOC_REALLOC_ARRAY(mem_ctx, *pp_rids, uint32, *p_num+1); + + if (*pp_rids == NULL) + return; + + (*pp_rids)[*p_num] = rid; + *p_num += 1; +} + BOOL is_null_sid(const DOM_SID *sid) { static const DOM_SID null_sid = {0}; diff --git a/source/lib/util_str.c b/source/lib/util_str.c index df84fa90a56..6fe1668e880 100644 --- a/source/lib/util_str.c +++ b/source/lib/util_str.c @@ -2250,15 +2250,21 @@ SMB_BIG_UINT STR_TO_SMB_BIG_UINT(const char *nptr, const char **entptr) SMB_BIG_UINT val = -1; const char *p = nptr; - while (p && *p && isspace(*p)) + if (!p) { + *entptr = p; + return val; + } + + while (*p && isspace(*p)) p++; + #ifdef LARGE_SMB_OFF_T sscanf(p,"%llu",&val); #else /* LARGE_SMB_OFF_T */ sscanf(p,"%lu",&val); #endif /* LARGE_SMB_OFF_T */ if (entptr) { - while (p && *p && isdigit(*p)) + while (*p && isdigit(*p)) p++; *entptr = p; } diff --git a/source/libsmb/clidfs.c b/source/libsmb/clidfs.c index 298f4d1b548..e564bc42957 100644 --- a/source/libsmb/clidfs.c +++ b/source/libsmb/clidfs.c @@ -652,9 +652,12 @@ BOOL cli_resolve_path( const char *mountpt, struct cli_state *rootcli, const cha fullpath[consumed/2] = '\0'; dos_clean_name( fullpath ); - ppath = strchr_m( fullpath, '\\' ); - ppath = strchr_m( ppath+1, '\\' ); - ppath = strchr_m( ppath+1, '\\' ); + if ((ppath = strchr_m( fullpath, '\\' )) == NULL) + return False; + if ((ppath = strchr_m( ppath+1, '\\' )) == NULL) + return False; + if ((ppath = strchr_m( ppath+1, '\\' )) == NULL) + return False; ppath++; pstr_sprintf( newmount, "%s\\%s", mountpt, ppath ); diff --git a/source/libsmb/clientgen.c b/source/libsmb/clientgen.c index 83664b0b328..f5116234c83 100644 --- a/source/libsmb/clientgen.c +++ b/source/libsmb/clientgen.c @@ -198,7 +198,7 @@ void cli_setup_packet(struct cli_state *cli) flags2 = FLAGS2_LONG_PATH_COMPONENTS; if (cli->capabilities & CAP_UNICODE) flags2 |= FLAGS2_UNICODE_STRINGS; - if (cli->capabilities & CAP_DFS) + if ((cli->capabilities & CAP_DFS) && cli->dfsroot) flags2 |= FLAGS2_DFS_PATHNAMES; if (cli->capabilities & CAP_STATUS32) flags2 |= FLAGS2_32_BIT_ERROR_CODES; diff --git a/source/libsmb/libsmb_compat.c b/source/libsmb/libsmb_compat.c index 5699e153bbd..cfd5948e269 100644 --- a/source/libsmb/libsmb_compat.c +++ b/source/libsmb/libsmb_compat.c @@ -341,6 +341,10 @@ int smbc_fsetxattr(int fd, int flags) { SMBCFILE * file = find_fd(fd); + if (file == NULL) { + errno = EBADF; + return -1; + } return statcont->setxattr(statcont, file->fname, name, value, size, flags); } @@ -367,6 +371,10 @@ int smbc_fgetxattr(int fd, size_t size) { SMBCFILE * file = find_fd(fd); + if (file == NULL) { + errno = EBADF; + return -1; + } return statcont->getxattr(statcont, file->fname, name, value, size); } @@ -386,6 +394,10 @@ int smbc_fremovexattr(int fd, const char *name) { SMBCFILE * file = find_fd(fd); + if (file == NULL) { + errno = EBADF; + return -1; + } return statcont->removexattr(statcont, file->fname, name); } @@ -408,6 +420,10 @@ int smbc_flistxattr(int fd, size_t size) { SMBCFILE * file = find_fd(fd); + if (file == NULL) { + errno = EBADF; + return -1; + } return statcont->listxattr(statcont, file->fname, list, size); } diff --git a/source/libsmb/libsmbclient.c b/source/libsmb/libsmbclient.c index 4ea0ab6eb63..98264dfa862 100644 --- a/source/libsmb/libsmbclient.c +++ b/source/libsmb/libsmbclient.c @@ -3932,7 +3932,9 @@ add_ace(SEC_ACL **the_acl, return True; } - aces = SMB_CALLOC_ARRAY(SEC_ACE, 1+(*the_acl)->num_aces); + if ((aces = SMB_CALLOC_ARRAY(SEC_ACE, 1+(*the_acl)->num_aces)) == NULL) { + return False; + } memcpy(aces, (*the_acl)->ace, (*the_acl)->num_aces * sizeof(SEC_ACE)); memcpy(aces+(*the_acl)->num_aces, ace, sizeof(SEC_ACE)); newacl = make_sec_acl(ctx, (*the_acl)->revision, diff --git a/source/libsmb/trusts_util.c b/source/libsmb/trusts_util.c index 9d94c1d00a1..55108bf72f2 100644 --- a/source/libsmb/trusts_util.c +++ b/source/libsmb/trusts_util.c @@ -86,7 +86,11 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m /* Create a random machine account password */ str = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH); - new_trust_passwd = talloc_strdup(mem_ctx, str); + + if ((new_trust_passwd = talloc_strdup(mem_ctx, str)) == NULL) { + DEBUG(0, ("talloc_strdup failed\n")); + return NT_STATUS_NO_MEMORY; + } E_md4hash(new_trust_passwd, new_trust_passwd_hash); diff --git a/source/modules/vfs_afsacl.c b/source/modules/vfs_afsacl.c index 3794299b9a0..53272ca06fe 100644 --- a/source/modules/vfs_afsacl.c +++ b/source/modules/vfs_afsacl.c @@ -140,23 +140,24 @@ static struct afs_ace *new_afs_ace(TALLOC_CTX *mem_ctx, type = SID_NAME_UNKNOWN; if (string_to_sid(&sid, name)) { - fstring user, domain; + const char *user, *domain; /* We have to find the type, look up the SID */ - lookup_sid(&sid, domain, user, &type); + lookup_sid(tmp_talloc_ctx(), &sid, + &domain, &user, &type); } } else { - fstring domain, uname; + const char *domain, *uname; char *p; - p = strchr_m(name, lp_winbind_separator()); + p = strchr_m(name, *lp_winbind_separator()); if (p != NULL) { *p = '\\'; } - if (!lookup_name(name, LOOKUP_NAME_FULL, - domain, uname, &sid, &type)) { + if (!lookup_name(tmp_talloc_ctx(), name, LOOKUP_NAME_ALL, + &domain, &uname, &sid, &type)) { DEBUG(10, ("Could not find AFS user %s\n", name)); sid_copy(&sid, &global_sid_NULL); @@ -711,8 +712,7 @@ static BOOL nt_to_afs_acl(const char *filename, for (i = 0; i < dacl->num_aces; i++) { SEC_ACE *ace = &(dacl->ace[i]); - fstring dom_name; - fstring name; + const char *dom_name, *name; enum SID_NAME_USE name_type; char *p; @@ -730,28 +730,28 @@ static BOOL nt_to_afs_acl(const char *filename, if (sid_compare(&ace->trustee, &global_sid_Builtin_Administrators) == 0) { - fstrcpy(name, "system:administrators"); + name = "system:administrators"; } else if (sid_compare(&ace->trustee, &global_sid_World) == 0) { - fstrcpy(name, "system:anyuser"); + name = "system:anyuser"; } else if (sid_compare(&ace->trustee, &global_sid_Authenticated_Users) == 0) { - fstrcpy(name, "system:authuser"); + name = "system:authuser"; } else if (sid_compare(&ace->trustee, &global_sid_Builtin_Backup_Operators) == 0) { - fstrcpy(name, "system:backup"); + name = "system:backup"; } else { - if (!lookup_sid(&ace->trustee, - dom_name, name, &name_type)) { + if (!lookup_sid(tmp_talloc_ctx(), &ace->trustee, + &dom_name, &name, &name_type)) { DEBUG(1, ("AFSACL: Could not lookup SID %s on file %s\n", sid_string_static(&ace->trustee), filename)); continue; @@ -759,18 +759,26 @@ static BOOL nt_to_afs_acl(const char *filename, if ( (name_type == SID_NAME_USER) || (name_type == SID_NAME_DOM_GRP) || - (name_type == SID_NAME_ALIAS) ) { - fstring only_username; - fstrcpy(only_username, name); - fstr_sprintf(name, "%s%s%s", - dom_name, lp_winbind_separator(), - only_username); - strlower_m(name); + (name_type == SID_NAME_ALIAS) ) { + char *tmp; + tmp = talloc_asprintf(tmp_talloc_ctx(), "%s%s%s", + dom_name, lp_winbind_separator(), + name); + if (tmp == NULL) { + return False; + } + strlower_m(tmp); + name = tmp; } if (sidpts) { /* Expect all users/groups in pts as SIDs */ - sid_to_string(name, &ace->trustee); + name = talloc_strdup( + tmp_talloc_ctx(), + sid_string_static(&ace->trustee)); + if (name == NULL) { + return False; + } } } @@ -1007,7 +1015,7 @@ static int afsacl_connect(vfs_handle_struct *handle, const char *service, const char *user) { - char *spc; + const char *spc; spc = lp_parm_const_string(SNUM(handle->conn), "afsacl", "space", "%"); diff --git a/source/nsswitch/winbindd_ads.c b/source/nsswitch/winbindd_ads.c index 3ed651f8cdc..250b5f3b8c2 100644 --- a/source/nsswitch/winbindd_ads.c +++ b/source/nsswitch/winbindd_ads.c @@ -904,7 +904,11 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, members = NULL; num_members = 0; - attrs = TALLOC_ARRAY(mem_ctx, const char *, 3); + if ((attrs = TALLOC_ARRAY(mem_ctx, const char *, 3)) == NULL) { + status = NT_STATUS_NO_MEMORY; + goto done; + } + attrs[1] = talloc_strdup(mem_ctx, "usnChanged"); attrs[2] = NULL; diff --git a/source/nsswitch/winbindd_cache.c b/source/nsswitch/winbindd_cache.c index ba69d41392e..e078c295e17 100644 --- a/source/nsswitch/winbindd_cache.c +++ b/source/nsswitch/winbindd_cache.c @@ -276,7 +276,7 @@ static BOOL centry_sid(struct cache_entry *centry, TALLOC_CTX *mem_ctx, DOM_SID { char *sid_string; sid_string = centry_string(centry, mem_ctx); - if (!string_to_sid(sid, sid_string)) { + if ((sid_string == NULL) || (!string_to_sid(sid, sid_string))) { return False; } return True; @@ -2136,6 +2136,7 @@ void wcache_flush_cache(void) if (!wcache->tdb) { DEBUG(0,("Failed to open winbindd_cache.tdb!\n")); + return; } tdb_traverse(wcache->tdb, traverse_fn_cleanup, NULL); diff --git a/source/nsswitch/winbindd_cm.c b/source/nsswitch/winbindd_cm.c index b24ed842de3..ea4d8503c1b 100644 --- a/source/nsswitch/winbindd_cm.c +++ b/source/nsswitch/winbindd_cm.c @@ -723,6 +723,9 @@ static BOOL find_new_dc(TALLOC_CTX *mem_ctx, if ((num_dcnames == 0) || (num_dcnames != num_addrs)) return False; + if ((addrs == NULL) || (dcnames == NULL)) + return False; + if ( !open_any_socket_out(addrs, num_addrs, 10000, &fd_index, fd) ) { for (i=0; i<num_dcs; i++) { diff --git a/source/nsswitch/winbindd_misc.c b/source/nsswitch/winbindd_misc.c index 9413a79abaa..6c6dc5b7651 100644 --- a/source/nsswitch/winbindd_misc.c +++ b/source/nsswitch/winbindd_misc.c @@ -158,7 +158,10 @@ enum winbindd_result winbindd_dual_list_trusted_domains(struct winbindd_domain * /* This is a bit excessive, but the extra data sooner or later will be talloc'ed */ - extra_data_len = strlen(extra_data); + extra_data_len = 0; + if (extra_data != NULL) { + extra_data_len = strlen(extra_data); + } if (extra_data_len > 0) { state->response.extra_data.data = SMB_STRDUP(extra_data); diff --git a/source/nsswitch/winbindd_rpc.c b/source/nsswitch/winbindd_rpc.c index de4dbc9a79b..984c5cd8415 100644 --- a/source/nsswitch/winbindd_rpc.c +++ b/source/nsswitch/winbindd_rpc.c @@ -473,9 +473,14 @@ NTSTATUS msrpc_lookup_useraliases(struct winbindd_domain *domain, { NTSTATUS result = NT_STATUS_UNSUCCESSFUL; POLICY_HND dom_pol; - DOM_SID2 *sid2; + DOM_SID2 *query_sids; + uint32 num_query_sids = 0; int i; struct rpc_pipe_client *cli; + uint32 *alias_rids_query, num_aliases_query; + int rangesize = MAX_SAM_ENTRIES_W2K; + uint32 total_sids = 0; + int num_queries = 1; *num_aliases = 0; *alias_rids = NULL; @@ -486,19 +491,57 @@ NTSTATUS msrpc_lookup_useraliases(struct winbindd_domain *domain, if (!NT_STATUS_IS_OK(result)) return result; - sid2 = TALLOC_ARRAY(mem_ctx, DOM_SID2, num_sids); + do { + /* prepare query */ - if (sid2 == NULL) - return NT_STATUS_NO_MEMORY; + num_query_sids = MIN(num_sids - total_sids, rangesize); - for (i=0; i<num_sids; i++) { - sid_copy(&sid2[i].sid, &sids[i]); - sid2[i].num_auths = sid2[i].sid.num_auths; - } + DEBUG(10,("rpc: lookup_useraliases: entering query %d for %d sids\n", + num_queries, num_query_sids)); + + + query_sids = TALLOC_ARRAY(mem_ctx, DOM_SID2, num_query_sids); + if (query_sids == NULL) { + return NT_STATUS_NO_MEMORY; + } + + for (i=0; i<num_query_sids; i++) { + sid_copy(&query_sids[i].sid, &sids[total_sids++]); + query_sids[i].num_auths = query_sids[i].sid.num_auths; + } + + /* do request */ + + result = rpccli_samr_query_useraliases(cli, mem_ctx, &dom_pol, + num_query_sids, query_sids, + &num_aliases_query, + &alias_rids_query); + + if (!NT_STATUS_IS_OK(result)) { + *num_aliases = 0; + *alias_rids = NULL; + TALLOC_FREE(query_sids); + goto done; + } + + /* process output */ + + for (i=0; i<num_aliases_query; i++) { + size_t na = *num_aliases; + add_rid_to_array_unique(mem_ctx, alias_rids_query[i], + alias_rids, &na); + *num_aliases = na; + } + + TALLOC_FREE(query_sids); + + num_queries++; + + } while (total_sids < num_sids); - result = rpccli_samr_query_useraliases(cli, mem_ctx, &dom_pol, - num_sids, sid2, - num_aliases, alias_rids); + done: + DEBUG(10,("rpc: lookup_useraliases: got %d aliases in %d queries " + "(rangesize: %d)\n", *num_aliases, num_queries, rangesize)); return result; } diff --git a/source/passdb/login_cache.c b/source/passdb/login_cache.c index fba5990d811..9a19dcf437a 100644 --- a/source/passdb/login_cache.c +++ b/source/passdb/login_cache.c @@ -72,6 +72,10 @@ LOGIN_CACHE * login_cache_read(struct samu *sampass) if (!login_cache_init()) return NULL; + if (pdb_get_nt_username(sampass) == NULL) { + return NULL; + } + keybuf.dptr = SMB_STRDUP(pdb_get_nt_username(sampass)); if (!keybuf.dptr || !strlen(keybuf.dptr)) { SAFE_FREE(keybuf.dptr); @@ -117,6 +121,10 @@ BOOL login_cache_write(const struct samu *sampass, LOGIN_CACHE entry) if (!login_cache_init()) return False; + if (pdb_get_nt_username(sampass) == NULL) { + return False; + } + keybuf.dptr = SMB_STRDUP(pdb_get_nt_username(sampass)); if (!keybuf.dptr || !strlen(keybuf.dptr)) { SAFE_FREE(keybuf.dptr); @@ -163,6 +171,10 @@ BOOL login_cache_delentry(const struct samu *sampass) if (!login_cache_init()) return False; + if (pdb_get_nt_username(sampass) == NULL) { + return False; + } + keybuf.dptr = SMB_STRDUP(pdb_get_nt_username(sampass)); if (!keybuf.dptr || !strlen(keybuf.dptr)) { SAFE_FREE(keybuf.dptr); diff --git a/source/passdb/pdb_get_set.c b/source/passdb/pdb_get_set.c index 831ddefa13c..2e69240b1af 100644 --- a/source/passdb/pdb_get_set.c +++ b/source/passdb/pdb_get_set.c @@ -328,101 +328,61 @@ void *pdb_get_backend_private_data(const struct samu *sampass, const struct pdb_ BOOL pdb_set_acct_ctrl(struct samu *sampass, uint32 acct_ctrl, enum pdb_value_state flag) { - if (!sampass) - return False; - sampass->acct_ctrl = acct_ctrl; - return pdb_set_init_flags(sampass, PDB_ACCTCTRL, flag); } BOOL pdb_set_logon_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag) { - if (!sampass) - return False; - sampass->logon_time = mytime; - return pdb_set_init_flags(sampass, PDB_LOGONTIME, flag); } BOOL pdb_set_logoff_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag) { - if (!sampass) - return False; - sampass->logoff_time = mytime; - return pdb_set_init_flags(sampass, PDB_LOGOFFTIME, flag); } BOOL pdb_set_kickoff_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag) { - if (!sampass) - return False; - sampass->kickoff_time = mytime; - return pdb_set_init_flags(sampass, PDB_KICKOFFTIME, flag); } BOOL pdb_set_bad_password_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag) { - if (!sampass) - return False; - sampass->bad_password_time = mytime; - return pdb_set_init_flags(sampass, PDB_BAD_PASSWORD_TIME, flag); } BOOL pdb_set_pass_can_change_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag) { - if (!sampass) - return False; - sampass->pass_can_change_time = mytime; - return pdb_set_init_flags(sampass, PDB_CANCHANGETIME, flag); } BOOL pdb_set_pass_must_change_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag) { - if (!sampass) - return False; - sampass->pass_must_change_time = mytime; - return pdb_set_init_flags(sampass, PDB_MUSTCHANGETIME, flag); } BOOL pdb_set_pass_last_set_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag) { - if (!sampass) - return False; - sampass->pass_last_set_time = mytime; - return pdb_set_init_flags(sampass, PDB_PASSLASTSET, flag); } BOOL pdb_set_hours_len(struct samu *sampass, uint32 len, enum pdb_value_state flag) { - if (!sampass) - return False; - sampass->hours_len = len; - return pdb_set_init_flags(sampass, PDB_HOURSLEN, flag); } BOOL pdb_set_logon_divs(struct samu *sampass, uint16 hours, enum pdb_value_state flag) { - if (!sampass) - return False; - sampass->logon_divs = hours; - return pdb_set_init_flags(sampass, PDB_LOGONDIVS, flag); } @@ -435,9 +395,6 @@ BOOL pdb_set_logon_divs(struct samu *sampass, uint16 hours, enum pdb_value_state BOOL pdb_set_init_flags(struct samu *sampass, enum pdb_elements element, enum pdb_value_state value_flag) { - if (!sampass || !sampass) - return False; - if (!sampass->set_flags) { if ((sampass->set_flags = bitmap_talloc(sampass, @@ -497,7 +454,7 @@ BOOL pdb_set_init_flags(struct samu *sampass, enum pdb_elements element, enum pd BOOL pdb_set_user_sid(struct samu *sampass, const DOM_SID *u_sid, enum pdb_value_state flag) { - if (!sampass || !u_sid) + if (!u_sid) return False; sid_copy(&sampass->user_sid, u_sid); @@ -512,7 +469,7 @@ BOOL pdb_set_user_sid_from_string(struct samu *sampass, fstring u_sid, enum pdb_ { DOM_SID new_sid; - if (!sampass || !u_sid) + if (!u_sid) return False; DEBUG(10, ("pdb_set_user_sid_from_string: setting user sid %s\n", @@ -543,7 +500,7 @@ BOOL pdb_set_group_sid(struct samu *sampass, const DOM_SID *g_sid, enum pdb_valu { gid_t gid; - if (!sampass || !g_sid) + if (!g_sid) return False; if ( !(sampass->group_sid = TALLOC_P( sampass, DOM_SID )) ) { @@ -572,9 +529,6 @@ BOOL pdb_set_group_sid(struct samu *sampass, const DOM_SID *g_sid, enum pdb_valu BOOL pdb_set_username(struct samu *sampass, const char *username, enum pdb_value_state flag) { - if (!sampass) - return False; - if (username) { DEBUG(10, ("pdb_set_username: setting username %s, was %s\n", username, (sampass->username)?(sampass->username):"NULL")); @@ -585,7 +539,6 @@ BOOL pdb_set_username(struct samu *sampass, const char *username, enum pdb_value DEBUG(0, ("pdb_set_username: talloc_strdup() failed!\n")); return False; } - } else { sampass->username = PDB_NOT_QUITE_NULL; } @@ -599,9 +552,6 @@ BOOL pdb_set_username(struct samu *sampass, const char *username, enum pdb_value BOOL pdb_set_domain(struct samu *sampass, const char *domain, enum pdb_value_state flag) { - if (!sampass) - return False; - if (domain) { DEBUG(10, ("pdb_set_domain: setting domain %s, was %s\n", domain, (sampass->domain)?(sampass->domain):"NULL")); @@ -612,7 +562,6 @@ BOOL pdb_set_domain(struct samu *sampass, const char *domain, enum pdb_value_sta DEBUG(0, ("pdb_set_domain: talloc_strdup() failed!\n")); return False; } - } else { sampass->domain = PDB_NOT_QUITE_NULL; } @@ -626,9 +575,6 @@ BOOL pdb_set_domain(struct samu *sampass, const char *domain, enum pdb_value_sta BOOL pdb_set_nt_username(struct samu *sampass, const char *nt_username, enum pdb_value_state flag) { - if (!sampass) - return False; - if (nt_username) { DEBUG(10, ("pdb_set_nt_username: setting nt username %s, was %s\n", nt_username, (sampass->nt_username)?(sampass->nt_username):"NULL")); @@ -639,7 +585,6 @@ BOOL pdb_set_nt_username(struct samu *sampass, const char *nt_username, enum pdb DEBUG(0, ("pdb_set_nt_username: talloc_strdup() failed!\n")); return False; } - } else { sampass->nt_username = PDB_NOT_QUITE_NULL; } @@ -653,9 +598,6 @@ BOOL pdb_set_nt_username(struct samu *sampass, const char *nt_username, enum pdb BOOL pdb_set_fullname(struct samu *sampass, const char *full_name, enum pdb_value_state flag) { - if (!sampass) - return False; - if (full_name) { DEBUG(10, ("pdb_set_full_name: setting full name %s, was %s\n", full_name, (sampass->full_name)?(sampass->full_name):"NULL")); @@ -666,7 +608,6 @@ BOOL pdb_set_fullname(struct samu *sampass, const char *full_name, enum pdb_valu DEBUG(0, ("pdb_set_fullname: talloc_strdup() failed!\n")); return False; } - } else { sampass->full_name = PDB_NOT_QUITE_NULL; } @@ -680,9 +621,6 @@ BOOL pdb_set_fullname(struct samu *sampass, const char *full_name, enum pdb_valu BOOL pdb_set_logon_script(struct samu *sampass, const char *logon_script, enum pdb_value_state flag) { - if (!sampass) - return False; - if (logon_script) { DEBUG(10, ("pdb_set_logon_script: setting logon script %s, was %s\n", logon_script, (sampass->logon_script)?(sampass->logon_script):"NULL")); @@ -693,7 +631,6 @@ BOOL pdb_set_logon_script(struct samu *sampass, const char *logon_script, enum p DEBUG(0, ("pdb_set_logon_script: talloc_strdup() failed!\n")); return False; } - } else { sampass->logon_script = PDB_NOT_QUITE_NULL; } @@ -707,9 +644,6 @@ BOOL pdb_set_logon_script(struct samu *sampass, const char *logon_script, enum p BOOL pdb_set_profile_path(struct samu *sampass, const char *profile_path, enum pdb_value_state flag) { - if (!sampass) - return False; - if (profile_path) { DEBUG(10, ("pdb_set_profile_path: setting profile path %s, was %s\n", profile_path, (sampass->profile_path)?(sampass->profile_path):"NULL")); @@ -720,7 +654,6 @@ BOOL pdb_set_profile_path(struct samu *sampass, const char *profile_path, enum p DEBUG(0, ("pdb_set_profile_path: talloc_strdup() failed!\n")); return False; } - } else { sampass->profile_path = PDB_NOT_QUITE_NULL; } @@ -734,9 +667,6 @@ BOOL pdb_set_profile_path(struct samu *sampass, const char *profile_path, enum p BOOL pdb_set_dir_drive(struct samu *sampass, const char *dir_drive, enum pdb_value_state flag) { - if (!sampass) - return False; - if (dir_drive) { DEBUG(10, ("pdb_set_dir_drive: setting dir drive %s, was %s\n", dir_drive, (sampass->dir_drive)?(sampass->dir_drive):"NULL")); @@ -761,9 +691,6 @@ BOOL pdb_set_dir_drive(struct samu *sampass, const char *dir_drive, enum pdb_val BOOL pdb_set_homedir(struct samu *sampass, const char *home_dir, enum pdb_value_state flag) { - if (!sampass) - return False; - if (home_dir) { DEBUG(10, ("pdb_set_homedir: setting home dir %s, was %s\n", home_dir, (sampass->home_dir)?(sampass->home_dir):"NULL")); @@ -774,7 +701,6 @@ BOOL pdb_set_homedir(struct samu *sampass, const char *home_dir, enum pdb_value_ DEBUG(0, ("pdb_set_home_dir: talloc_strdup() failed!\n")); return False; } - } else { sampass->home_dir = PDB_NOT_QUITE_NULL; } @@ -788,9 +714,6 @@ BOOL pdb_set_homedir(struct samu *sampass, const char *home_dir, enum pdb_value_ BOOL pdb_set_acct_desc(struct samu *sampass, const char *acct_desc, enum pdb_value_state flag) { - if (!sampass) - return False; - if (acct_desc) { sampass->acct_desc = talloc_strdup(sampass, acct_desc); @@ -798,7 +721,6 @@ BOOL pdb_set_acct_desc(struct samu *sampass, const char *acct_desc, enum pdb_val DEBUG(0, ("pdb_set_acct_desc: talloc_strdup() failed!\n")); return False; } - } else { sampass->acct_desc = PDB_NOT_QUITE_NULL; } @@ -812,9 +734,6 @@ BOOL pdb_set_acct_desc(struct samu *sampass, const char *acct_desc, enum pdb_val BOOL pdb_set_workstations(struct samu *sampass, const char *workstations, enum pdb_value_state flag) { - if (!sampass) - return False; - if (workstations) { DEBUG(10, ("pdb_set_workstations: setting workstations %s, was %s\n", workstations, (sampass->workstations)?(sampass->workstations):"NULL")); @@ -825,7 +744,6 @@ BOOL pdb_set_workstations(struct samu *sampass, const char *workstations, enum p DEBUG(0, ("pdb_set_workstations: talloc_strdup() failed!\n")); return False; } - } else { sampass->workstations = PDB_NOT_QUITE_NULL; } @@ -839,9 +757,6 @@ BOOL pdb_set_workstations(struct samu *sampass, const char *workstations, enum p BOOL pdb_set_unknown_str(struct samu *sampass, const char *unknown_str, enum pdb_value_state flag) { - if (!sampass) - return False; - if (unknown_str) { sampass->unknown_str = talloc_strdup(sampass, unknown_str); @@ -849,7 +764,6 @@ BOOL pdb_set_unknown_str(struct samu *sampass, const char *unknown_str, enum pdb DEBUG(0, ("pdb_set_unknown_str: talloc_strdup() failed!\n")); return False; } - } else { sampass->unknown_str = PDB_NOT_QUITE_NULL; } @@ -863,9 +777,6 @@ BOOL pdb_set_unknown_str(struct samu *sampass, const char *unknown_str, enum pdb BOOL pdb_set_munged_dial(struct samu *sampass, const char *munged_dial, enum pdb_value_state flag) { - if (!sampass) - return False; - if (munged_dial) { sampass->munged_dial = talloc_strdup(sampass, munged_dial); @@ -873,7 +784,6 @@ BOOL pdb_set_munged_dial(struct samu *sampass, const char *munged_dial, enum pdb DEBUG(0, ("pdb_set_munged_dial: talloc_strdup() failed!\n")); return False; } - } else { sampass->munged_dial = PDB_NOT_QUITE_NULL; } @@ -887,9 +797,6 @@ BOOL pdb_set_munged_dial(struct samu *sampass, const char *munged_dial, enum pdb BOOL pdb_set_nt_passwd(struct samu *sampass, const uint8 pwd[NT_HASH_LEN], enum pdb_value_state flag) { - if (!sampass) - return False; - data_blob_clear_free(&sampass->nt_pw); if (pwd) { @@ -908,9 +815,6 @@ BOOL pdb_set_nt_passwd(struct samu *sampass, const uint8 pwd[NT_HASH_LEN], enum BOOL pdb_set_lanman_passwd(struct samu *sampass, const uint8 pwd[LM_HASH_LEN], enum pdb_value_state flag) { - if (!sampass) - return False; - data_blob_clear_free(&sampass->lm_pw); /* on keep the password if we are allowing LANMAN authentication */ @@ -933,9 +837,6 @@ BOOL pdb_set_lanman_passwd(struct samu *sampass, const uint8 pwd[LM_HASH_LEN], e BOOL pdb_set_pw_history(struct samu *sampass, const uint8 *pwd, uint32 historyLen, enum pdb_value_state flag) { - if (!sampass) - return False; - if (historyLen && pwd){ sampass->nt_pw_his = data_blob_talloc(sampass, pwd, historyLen*PW_HISTORY_ENTRY_LEN); @@ -957,9 +858,6 @@ BOOL pdb_set_pw_history(struct samu *sampass, const uint8 *pwd, uint32 historyLe BOOL pdb_set_plaintext_pw_only(struct samu *sampass, const char *password, enum pdb_value_state flag) { - if (!sampass) - return False; - if (password) { if (sampass->plaintext_pw!=NULL) memset(sampass->plaintext_pw,'\0',strlen(sampass->plaintext_pw)+1); @@ -970,7 +868,6 @@ BOOL pdb_set_plaintext_pw_only(struct samu *sampass, const char *password, enum DEBUG(0, ("pdb_set_unknown_str: talloc_strdup() failed!\n")); return False; } - } else { sampass->plaintext_pw = NULL; } @@ -980,45 +877,29 @@ BOOL pdb_set_plaintext_pw_only(struct samu *sampass, const char *password, enum BOOL pdb_set_bad_password_count(struct samu *sampass, uint16 bad_password_count, enum pdb_value_state flag) { - if (!sampass) - return False; - sampass->bad_password_count = bad_password_count; - return pdb_set_init_flags(sampass, PDB_BAD_PASSWORD_COUNT, flag); } BOOL pdb_set_logon_count(struct samu *sampass, uint16 logon_count, enum pdb_value_state flag) { - if (!sampass) - return False; - sampass->logon_count = logon_count; - return pdb_set_init_flags(sampass, PDB_LOGON_COUNT, flag); } BOOL pdb_set_unknown_6(struct samu *sampass, uint32 unkn, enum pdb_value_state flag) { - if (!sampass) - return False; - sampass->unknown_6 = unkn; - return pdb_set_init_flags(sampass, PDB_UNKNOWN6, flag); } BOOL pdb_set_hours(struct samu *sampass, const uint8 *hours, enum pdb_value_state flag) { - if (!sampass) - return False; - if (!hours) { memset ((char *)sampass->hours, 0, MAX_HOURS_LEN); - return True; + } else { + memcpy (sampass->hours, hours, MAX_HOURS_LEN); } - - memcpy (sampass->hours, hours, MAX_HOURS_LEN); return pdb_set_init_flags(sampass, PDB_HOURS, flag); } @@ -1028,9 +909,6 @@ BOOL pdb_set_backend_private_data(struct samu *sampass, void *private_data, const struct pdb_methods *my_methods, enum pdb_value_state flag) { - if (!sampass) - return False; - if (sampass->backend_private_data && sampass->backend_private_data_free_fn) { sampass->backend_private_data_free_fn( @@ -1057,9 +935,6 @@ BOOL pdb_set_pass_changed_now(struct samu *sampass) uint32 expire; uint32 min_age; - if (!sampass) - return False; - if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED)) return False; @@ -1097,7 +972,7 @@ BOOL pdb_set_plaintext_passwd(struct samu *sampass, const char *plaintext) uchar new_lanman_p16[LM_HASH_LEN]; uchar new_nt_p16[NT_HASH_LEN]; - if (!sampass || !plaintext) + if (!plaintext) return False; /* Calculate the MD4 hash (NT compatible) of the password */ diff --git a/source/passdb/pdb_interface.c b/source/passdb/pdb_interface.c index 94adebe2327..5d70c2c1227 100644 --- a/source/passdb/pdb_interface.c +++ b/source/passdb/pdb_interface.c @@ -1470,6 +1470,11 @@ static BOOL lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32 rid, unbecome_root(); /* -----> EXIT BECOME_ROOT() */ *name = talloc_strdup(mem_ctx, pdb_get_username(sam_account)); + if (!*name) { + TALLOC_FREE(sam_account); + return False; + } + *psid_name_use = SID_NAME_USER; TALLOC_FREE(sam_account); diff --git a/source/passdb/pdb_ldap.c b/source/passdb/pdb_ldap.c index 3fd4e6748ae..2a824c137f9 100644 --- a/source/passdb/pdb_ldap.c +++ b/source/passdb/pdb_ldap.c @@ -2274,25 +2274,6 @@ static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map, return ldapsam_getgroup(methods, filter, map); } -static void add_rid_to_array_unique(TALLOC_CTX *mem_ctx, - uint32 rid, uint32 **pp_rids, size_t *p_num) -{ - size_t i; - - for (i=0; i<*p_num; i++) { - if ((*pp_rids)[i] == rid) - return; - } - - *pp_rids = TALLOC_REALLOC_ARRAY(mem_ctx, *pp_rids, uint32, *p_num+1); - - if (*pp_rids == NULL) - return; - - (*pp_rids)[*p_num] = rid; - *p_num += 1; -} - static BOOL ldapsam_extract_rid_from_entry(LDAP *ldap_struct, LDAPMessage *entry, const DOM_SID *domain_sid, diff --git a/source/printing/nt_printing.c b/source/printing/nt_printing.c index 79061ebd416..6a7fd4d3986 100644 --- a/source/printing/nt_printing.c +++ b/source/printing/nt_printing.c @@ -250,7 +250,7 @@ static TDB_DATA make_printer_tdbkey( const char *sharename ) generate a new TDB_DATA key for storing a printer security descriptor ****************************************************************************/ -static char* make_printers_secdesc_tdbkey( const char* sharename ) +static char *make_printers_secdesc_tdbkey( const char* sharename ) { fstring share; static pstring keystr; @@ -346,32 +346,41 @@ static int sec_desc_upg_fn( TDB_CONTEXT *the_tdb, TDB_DATA key, size_t size_new_sec; DOM_SID sid; - if (!data.dptr || data.dsize == 0) + if (!data.dptr || data.dsize == 0) { return 0; + } - if ( strncmp( key.dptr, SECDESC_PREFIX, strlen(SECDESC_PREFIX) ) != 0 ) + if ( strncmp( key.dptr, SECDESC_PREFIX, strlen(SECDESC_PREFIX) ) != 0 ) { return 0; + } /* upgrade the security descriptor */ ZERO_STRUCT( ps ); prs_init( &ps, 0, ctx, UNMARSHALL ); - prs_give_memory( &ps, data.dptr, data.dsize, True ); + prs_give_memory( &ps, data.dptr, data.dsize, False ); if ( !sec_io_desc_buf( "sec_desc_upg_fn", &sd_orig, &ps, 1 ) ) { /* delete bad entries */ DEBUG(0,("sec_desc_upg_fn: Failed to parse original sec_desc for %si. Deleting....\n", key.dptr )); tdb_delete( tdb_printers, key ); + prs_mem_free( &ps ); return 0; } + if (!sd_orig) { + prs_mem_free( &ps ); + return 0; + } sec = sd_orig->sec; /* is this even valid? */ - if ( !sec->dacl ) + if ( !sec->dacl ) { + prs_mem_free( &ps ); return 0; + } /* update access masks */ @@ -399,13 +408,24 @@ static int sec_desc_upg_fn( TDB_CONTEXT *the_tdb, TDB_DATA key, new_sec = make_sec_desc( ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, &sid, &sid, NULL, NULL, &size_new_sec ); + if (!new_sec) { + prs_mem_free( &ps ); + return 0; + } sd_new = make_sec_desc_buf( ctx, size_new_sec, new_sec ); + if (!sd_new) { + prs_mem_free( &ps ); + return 0; + } if ( !(sd_store = sec_desc_merge( ctx, sd_new, sd_orig )) ) { DEBUG(0,("sec_desc_upg_fn: Failed to update sec_desc for %s\n", key.dptr )); + prs_mem_free( &ps ); return 0; } + prs_mem_free( &ps ); + /* store it back */ sd_size = sec_desc_size(sd_store->sec) + sizeof(SEC_DESC_BUF); @@ -413,6 +433,7 @@ static int sec_desc_upg_fn( TDB_CONTEXT *the_tdb, TDB_DATA key, if ( !sec_io_desc_buf( "sec_desc_upg_fn", &sd_store, &ps, 1 ) ) { DEBUG(0,("sec_desc_upg_fn: Failed to parse new sec_desc for %s\n", key.dptr )); + prs_mem_free( &ps ); return 0; } @@ -943,6 +964,10 @@ int get_ntdrivers(fstring **list, const char *architecture, uint32 version) TDB_DATA kbuf, newkey; short_archi = get_short_archi(architecture); + if (!short_archi) { + return 0; + } + slprintf(key, sizeof(key)-1, "%s%s/%d/", DRIVERS_PREFIX, short_archi, version); for (kbuf = tdb_firstkey(tdb_drivers); @@ -965,9 +990,10 @@ int get_ntdrivers(fstring **list, const char *architecture, uint32 version) } /**************************************************************************** -function to do the mapping between the long architecture name and -the short one. + Function to do the mapping between the long architecture name and + the short one. ****************************************************************************/ + const char *get_short_archi(const char *long_archi) { int i=-1; @@ -985,7 +1011,6 @@ const char *get_short_archi(const char *long_archi) /* this might be client code - but shouldn't this be an fstrcpy etc? */ - DEBUGADD(108,("index: [%d]\n", i)); DEBUGADD(108,("long architecture: [%s]\n", archi_table[i].long_archi)); DEBUGADD(108,("short architecture: [%s]\n", archi_table[i].short_archi)); @@ -1546,6 +1571,9 @@ static WERROR clean_up_driver_struct_level_3(NT_PRINTER_DRIVER_INFO_LEVEL_3 *dri } architecture = get_short_archi(driver->environment); + if (!architecture) { + return WERR_UNKNOWN_PRINTER_DRIVER; + } /* jfm:7/16/2000 the client always sends the cversion=0. * The server should check which version the driver is by reading @@ -1559,7 +1587,7 @@ static WERROR clean_up_driver_struct_level_3(NT_PRINTER_DRIVER_INFO_LEVEL_3 *dri * NT2K: cversion=3 */ if ((driver->cversion = get_correct_cversion( architecture, driver->driverpath, user, &err)) == -1) - return err; + return err; return WERR_OK; } @@ -1609,6 +1637,9 @@ static WERROR clean_up_driver_struct_level_6(NT_PRINTER_DRIVER_INFO_LEVEL_6 *dri } architecture = get_short_archi(driver->environment); + if (!architecture) { + return WERR_UNKNOWN_PRINTER_DRIVER; + } /* jfm:7/16/2000 the client always sends the cversion=0. * The server should check which version the driver is by reading @@ -1726,6 +1757,9 @@ WERROR move_driver_to_download_area(NT_PRINTER_DRIVER_INFO_LEVEL driver_abstract } architecture = get_short_archi(driver->environment); + if (!architecture) { + return WERR_UNKNOWN_PRINTER_DRIVER; + } /* * Connect to the print$ share under the same account as the user connected to the rpc pipe. @@ -1901,6 +1935,9 @@ static uint32 add_a_printer_driver_3(NT_PRINTER_DRIVER_INFO_LEVEL_3 *driver) TDB_DATA kbuf, dbuf; architecture = get_short_archi(driver->environment); + if (!architecture) { + return (uint32)-1; + } /* The names are relative. We store them in the form: \print$\arch\version\driver.xxx * \\server is added in the rpc server layer. @@ -2059,9 +2096,9 @@ static WERROR get_a_printer_driver_3(NT_PRINTER_DRIVER_INFO_LEVEL_3 **info_ptr, ZERO_STRUCT(driver); architecture = get_short_archi(arch); - - if ( !architecture ) + if ( !architecture ) { return WERR_UNKNOWN_PRINTER_DRIVER; + } /* Windows 4.0 (i.e. win9x) should always use a version of 0 */ @@ -3075,6 +3112,10 @@ static WERROR nt_printer_unpublish_ads(ADS_STRUCT *ads, if (ADS_ERR_OK(ads_rc) && ads_count_replies(ads, res)) { prt_dn = ads_get_dn(ads, res); + if (!prt_dn) { + ads_msgfree(ads, res); + return WERR_NOMEM; + } ads_rc = ads_del_dn(ads, prt_dn); ads_memfree(ads, prt_dn); } @@ -3643,15 +3684,16 @@ static WERROR get_a_printer_2_default(NT_PRINTER_INFO_LEVEL_2 *info, const char */ if (lp_default_devmode(snum)) { - if ((info->devmode = construct_nt_devicemode(info->printername)) == NULL) + if ((info->devmode = construct_nt_devicemode(info->printername)) == NULL) { goto fail; - } - else { + } + } else { info->devmode = NULL; } - if (!nt_printing_getsec(info, sharename, &info->secdesc_buf)) + if (!nt_printing_getsec(info, sharename, &info->secdesc_buf)) { goto fail; + } return WERR_OK; @@ -3675,8 +3717,9 @@ static WERROR get_a_printer_2(NT_PRINTER_INFO_LEVEL_2 *info, const char *servern kbuf = make_printer_tdbkey( sharename ); dbuf = tdb_fetch(tdb_printers, kbuf); - if (!dbuf.dptr) + if (!dbuf.dptr) { return get_a_printer_2_default(info, servername, sharename); + } len += tdb_unpack(dbuf.dptr+len, dbuf.dsize-len, "dddddddddddfffffPfffff", &info->attributes, @@ -3709,10 +3752,11 @@ static WERROR get_a_printer_2(NT_PRINTER_INFO_LEVEL_2 *info, const char *servern /* Restore the stripped strings. */ slprintf(info->servername, sizeof(info->servername)-1, "\\\\%s", servername); - if ( lp_force_printername(snum) ) + if ( lp_force_printername(snum) ) { slprintf(printername, sizeof(printername)-1, "\\\\%s\\%s", servername, sharename ); - else + } else { slprintf(printername, sizeof(printername)-1, "\\\\%s\\%s", servername, info->printername); + } fstrcpy(info->printername, printername); @@ -3739,6 +3783,7 @@ static WERROR get_a_printer_2(NT_PRINTER_INFO_LEVEL_2 *info, const char *servern if ( !(info->data = TALLOC_ZERO_P( info, NT_PRINTER_DATA )) ) { DEBUG(0,("unpack_values: talloc() failed!\n")); + SAFE_FREE(dbuf.dptr); return WERR_NOMEM; } len += unpack_values( info->data, dbuf.dptr+len, dbuf.dsize-len ); @@ -3746,12 +3791,16 @@ static WERROR get_a_printer_2(NT_PRINTER_INFO_LEVEL_2 *info, const char *servern /* This will get the current RPC talloc context, but we should be passing this as a parameter... fixme... JRA ! */ - nt_printing_getsec(info, sharename, &info->secdesc_buf); + if (!nt_printing_getsec(info, sharename, &info->secdesc_buf)) { + SAFE_FREE(dbuf.dptr); + return WERR_NOMEM; + } /* Fix for OS/2 drivers. */ - if (get_remote_arch() == RA_OS2) + if (get_remote_arch() == RA_OS2) { map_to_os2_driver(info->drivername); + } SAFE_FREE(dbuf.dptr); @@ -4859,6 +4908,9 @@ WERROR delete_printer_driver( NT_PRINTER_DRIVER_INFO_LEVEL_3 *info_3, struct cur /* delete the tdb data first */ arch = get_short_archi(info_3->environment); + if (!arch) { + return WERR_UNKNOWN_PRINTER_DRIVER; + } slprintf(key, sizeof(key)-1, "%s%s/%d/%s", DRIVERS_PREFIX, arch, version, info_3->name); @@ -4931,7 +4983,10 @@ WERROR nt_printing_setsec(const char *sharename, SEC_DESC_BUF *secdesc_ctr) SEC_DESC *psd = NULL; size_t size; - nt_printing_getsec(mem_ctx, sharename, &old_secdesc_ctr); + if (!nt_printing_getsec(mem_ctx, sharename, &old_secdesc_ctr)) { + status = WERR_NOMEM; + goto out; + } /* Pick out correct owner and group sids */ @@ -4959,6 +5014,11 @@ WERROR nt_printing_setsec(const char *sharename, SEC_DESC_BUF *secdesc_ctr) dacl, &size); + if (!psd) { + status = WERR_NOMEM; + goto out; + } + new_secdesc_ctr = make_sec_desc_buf(mem_ctx, size, psd); } @@ -5094,6 +5154,8 @@ BOOL nt_printing_getsec(TALLOC_CTX *ctx, const char *sharename, SEC_DESC_BUF **s sharename = temp + 1; } + ZERO_STRUCT(ps); + /* Fetch security descriptor from tdb */ key = make_printers_secdesc_tdbkey( sharename ); @@ -5101,6 +5163,8 @@ BOOL nt_printing_getsec(TALLOC_CTX *ctx, const char *sharename, SEC_DESC_BUF **s if (tdb_prs_fetch(tdb_printers, key, &ps, ctx)!=0 || !sec_io_desc_buf("nt_printing_getsec", secdesc_ctr, &ps, 1)) { + prs_mem_free(&ps); + DEBUG(4,("using default secdesc for %s\n", sharename)); if (!(*secdesc_ctr = construct_default_printer_sdb(ctx))) { @@ -5112,14 +5176,17 @@ BOOL nt_printing_getsec(TALLOC_CTX *ctx, const char *sharename, SEC_DESC_BUF **s prs_init(&ps, (uint32)sec_desc_size((*secdesc_ctr)->sec) + sizeof(SEC_DESC_BUF), ctx, MARSHALL); - if (sec_io_desc_buf("nt_printing_getsec", secdesc_ctr, &ps, 1)) + if (sec_io_desc_buf("nt_printing_getsec", secdesc_ctr, &ps, 1)) { tdb_prs_store(tdb_printers, key, &ps); + } prs_mem_free(&ps); return True; } + prs_mem_free(&ps); + /* If security descriptor is owned by S-1-1-0 and winbindd is up, this security descriptor has been created when winbindd was down. Take ownership of security descriptor. */ @@ -5145,7 +5212,14 @@ BOOL nt_printing_getsec(TALLOC_CTX *ctx, const char *sharename, SEC_DESC_BUF **s (*secdesc_ctr)->sec->dacl, &size); + if (!psd) { + return False; + } + new_secdesc_ctr = make_sec_desc_buf(ctx, size, psd); + if (!new_secdesc_ctr) { + return False; + } /* Swap with other one */ @@ -5175,7 +5249,6 @@ BOOL nt_printing_getsec(TALLOC_CTX *ctx, const char *sharename, SEC_DESC_BUF **s } } - prs_mem_free(&ps); return True; } @@ -5289,7 +5362,11 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type) return False; } - nt_printing_getsec(mem_ctx, pname, &secdesc); + if (!nt_printing_getsec(mem_ctx, pname, &secdesc)) { + talloc_destroy(mem_ctx); + errno = ENOMEM; + return False; + } if (access_type == JOB_ACCESS_ADMINISTER) { SEC_DESC_BUF *parent_secdesc = secdesc; @@ -5300,6 +5377,12 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type) secdesc = se_create_child_secdesc(mem_ctx, parent_secdesc->sec, False); + if (!secdesc) { + talloc_destroy(mem_ctx); + errno = ENOMEM; + return False; + } + /* Now this is the bit that really confuses me. The access type needs to be changed from JOB_ACCESS_ADMINISTER to PRINTER_ACCESS_ADMINISTER for this to work. Something @@ -5324,13 +5407,15 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type) (token_contains_name_in_list(uidtoname(user->ut.uid), NULL, user->nt_user_token, lp_printer_admin(snum)))) { + talloc_destroy(mem_ctx); return True; } talloc_destroy(mem_ctx); - if (!result) + if (!result) { errno = EACCES; + } return result; } diff --git a/source/printing/print_generic.c b/source/printing/print_generic.c index e445bc3ce00..1ea762695b1 100644 --- a/source/printing/print_generic.c +++ b/source/printing/print_generic.c @@ -193,7 +193,7 @@ static int generic_queue_get(const char *printer_name, /* turn the lpq output into a series of job structures */ qcount = 0; ZERO_STRUCTP(status); - if (numlines) { + if (numlines && qlines) { queue = SMB_MALLOC_ARRAY(print_queue_struct, numlines+1); if (!queue) { file_lines_free(qlines); diff --git a/source/printing/printing_db.c b/source/printing/printing_db.c index adea10dfa69..c62409c8908 100644 --- a/source/printing/printing_db.c +++ b/source/printing/printing_db.c @@ -55,7 +55,9 @@ struct tdb_print_db *get_print_db_byname(const char *printername) /* Not found. */ if (num_open >= MAX_PRINT_DBS_OPEN) { /* Try and recycle the last entry. */ - DLIST_PROMOTE(print_db_head, last_entry); + if (print_db_head && last_entry) { + DLIST_PROMOTE(print_db_head, last_entry); + } for (p = print_db_head; p; p = p->next) { if (p->ref_count) @@ -72,7 +74,7 @@ struct tdb_print_db *get_print_db_byname(const char *printername) memset(p->printer_name, '\0', sizeof(p->printer_name)); break; } - if (p) { + if (p && print_db_head) { DLIST_PROMOTE(print_db_head, p); p = print_db_head; } diff --git a/source/registry/reg_perfcount.c b/source/registry/reg_perfcount.c index 385128e7b55..c69e7b7e14e 100644 --- a/source/registry/reg_perfcount.c +++ b/source/registry/reg_perfcount.c @@ -718,6 +718,10 @@ BOOL _reg_perfcount_get_instance_info(PERF_INSTANCE_DEFINITION *inst, inst->data, uint8, inst->NameLength); + if (inst->data == NULL) { + SAFE_FREE(data.dptr); + return False; + } memcpy(inst->data, name, inst->NameLength); SAFE_FREE(data.dptr); } @@ -894,7 +898,8 @@ static BOOL _reg_perfcount_init_data_block_perf(PERF_DATA_BLOCK *block, /********************************************************************* *********************************************************************/ -static void _reg_perfcount_init_data_block(PERF_DATA_BLOCK *block, prs_struct *ps, TDB_CONTEXT *names) +static BOOL _reg_perfcount_init_data_block(PERF_DATA_BLOCK *block, + prs_struct *ps, TDB_CONTEXT *names) { wpstring temp; time_t tm; @@ -920,6 +925,9 @@ static void _reg_perfcount_init_data_block(PERF_DATA_BLOCK *block, prs_struct *p rpcstr_push((void *)temp, global_myname(), sizeof(temp), STR_TERMINATE); block->SystemNameLength = (strlen_w(temp) * 2) + 2; block->data = TALLOC_ZERO_ARRAY(ps->mem_ctx, uint8, block->SystemNameLength + (8 - (block->SystemNameLength % 8))); + if (block->data == NULL) { + return False; + } memcpy(block->data, temp, block->SystemNameLength); block->SystemNameOffset = sizeof(PERF_DATA_BLOCK) - sizeof(block->objects) - sizeof(block->data); block->HeaderLength = block->SystemNameOffset + block->SystemNameLength; @@ -927,7 +935,7 @@ static void _reg_perfcount_init_data_block(PERF_DATA_BLOCK *block, prs_struct *p so that the PERF_OBJECT_TYPE struct comes out 64-bit aligned */ block->HeaderLength += 8 - (block->HeaderLength % 8); - return; + return True; } /********************************************************************* @@ -968,6 +976,9 @@ static uint32 _reg_perfcount_perf_data_block_fixup(PERF_DATA_BLOCK *block, prs_s temp, char, counter_data->ByteLength- sizeof(counter_data->ByteLength)); + if (temp == NULL) { + return 0; + } memset(temp, 0, counter_data->ByteLength - sizeof(counter_data->ByteLength)); src_addr = (char *)counter_data->data; for(i = 0; i < object[obj].NumCounters; i++) @@ -986,6 +997,9 @@ static uint32 _reg_perfcount_perf_data_block_fixup(PERF_DATA_BLOCK *block, prs_s counter_data->data, uint8, counter_data->ByteLength - sizeof(counter_data->ByteLength) + pad); + if (counter_data->data == NULL) { + return 0; + } memset(counter_data->data, 0, counter_data->ByteLength - sizeof(counter_data->ByteLength) + pad); memcpy(counter_data->data, temp, counter_data->ByteLength - sizeof(counter_data->ByteLength)); counter_data->ByteLength += pad; @@ -1039,7 +1053,11 @@ uint32 reg_perfcount_get_perf_data_block(uint32 base_index, return 0; } - _reg_perfcount_init_data_block(block, ps, names); + if (!_reg_perfcount_init_data_block(block, ps, names)) { + DEBUG(0, ("_reg_perfcount_init_data_block failed\n")); + tdb_close(names); + return 0; + } last_counter = reg_perfcount_get_last_counter(base_index); diff --git a/source/registry/regfio.c b/source/registry/regfio.c index 954f4ae7bd0..f164d4e19d4 100644 --- a/source/registry/regfio.c +++ b/source/registry/regfio.c @@ -1647,11 +1647,16 @@ static BOOL create_vk_record( REGF_FILE *file, REGF_VK_REC *vk, REGISTRY_VALUE * uint32 data_size = ( (vk->data_size+sizeof(uint32)) & 0xfffffff8 ) + 8; vk->data = TALLOC_MEMDUP( file->mem_ctx, regval_data_p(value), vk->data_size ); + if (vk->data == NULL) { + return False; + } /* go ahead and store the offset....we'll pick this hbin block back up when we stream the data */ - data_hbin = find_free_space(file, data_size ); + if ((data_hbin = find_free_space(file, data_size )) == NULL) { + return False; + } vk->data_off = prs_offset( &data_hbin->ps ) + data_hbin->first_hbin_off - HBIN_HDR_SIZE; } else { @@ -1712,7 +1717,9 @@ static int hashrec_cmp( REGF_HASH_REC *h1, REGF_HASH_REC *h2 ) size = nk_record_data_size( nk ); nk->rec_size = ( size - 1 ) ^ 0XFFFFFFFF; - nk->hbin = find_free_space( file, size ); + if ((nk->hbin = find_free_space( file, size )) == NULL) { + return NULL; + } nk->hbin_off = prs_offset( &nk->hbin->ps ); /* Update the hash record in the parent */ @@ -1746,7 +1753,9 @@ static int hashrec_cmp( REGF_HASH_REC *h1, REGF_HASH_REC *h2 ) if ( (nk->sec_desc = find_sk_record_by_sec_desc( file, sec_desc )) == NULL ) { /* not found so add it to the list */ - sk_hbin = find_free_space( file, sk_size ); + if (!(sk_hbin = find_free_space( file, sk_size ))) { + return NULL; + } if ( !(nk->sec_desc = TALLOC_ZERO_P( file->mem_ctx, REGF_SK_REC )) ) return NULL; @@ -1803,7 +1812,9 @@ static int hashrec_cmp( REGF_HASH_REC *h1, REGF_HASH_REC *h2 ) uint32 namelen; int i; - nk->subkeys.hbin = find_free_space( file, lf_size ); + if (!(nk->subkeys.hbin = find_free_space( file, lf_size ))) { + return NULL; + } nk->subkeys.hbin_off = prs_offset( &nk->subkeys.hbin->ps ); nk->subkeys.rec_size = (lf_size-1) ^ 0xFFFFFFFF; nk->subkeys_off = prs_offset( &nk->subkeys.hbin->ps ) + nk->subkeys.hbin->first_hbin_off - HBIN_HDR_SIZE; @@ -1830,7 +1841,9 @@ static int hashrec_cmp( REGF_HASH_REC *h1, REGF_HASH_REC *h2 ) uint32 vlist_size = ( ( nk->num_values * sizeof(uint32) ) & 0xfffffff8 ) + 8; int i; - vlist_hbin = find_free_space( file, vlist_size ); + if (!(vlist_hbin = find_free_space( file, vlist_size ))) { + return NULL; + } nk->values_off = prs_offset( &vlist_hbin->ps ) + vlist_hbin->first_hbin_off - HBIN_HDR_SIZE; if ( !(nk->values = TALLOC_ARRAY( file->mem_ctx, REGF_VK_REC, nk->num_values )) ) diff --git a/source/rpc_parse/parse_lsa.c b/source/rpc_parse/parse_lsa.c index 12f18d319b4..ae4cff53e4b 100644 --- a/source/rpc_parse/parse_lsa.c +++ b/source/rpc_parse/parse_lsa.c @@ -738,6 +738,9 @@ static BOOL lsa_io_dom_query_2(const char *desc, DOM_QUERY_2 *d_q, prs_struct *p if (UNMARSHALLING(ps)) { d_q->auditsettings = TALLOC_ZERO_ARRAY(ps->mem_ctx, uint32, d_q->count2); + if (!d_q->auditsettings) { + return False; + } } if (!prs_uint32s(False, "auditsettings", ps, depth, d_q->auditsettings, d_q->count2)) diff --git a/source/rpc_parse/parse_misc.c b/source/rpc_parse/parse_misc.c index b56f36f5900..cb7c06eb459 100644 --- a/source/rpc_parse/parse_misc.c +++ b/source/rpc_parse/parse_misc.c @@ -227,56 +227,6 @@ BOOL smb_io_dom_sid(const char *desc, DOM_SID *sid, prs_struct *ps, int depth) } /******************************************************************* - Inits a DOM_SID structure. - - BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 - identauth >= 2^32 can be detected because it will be specified in hex -********************************************************************/ - -void init_dom_sid(DOM_SID *sid, const char *str_sid) -{ - pstring domsid; - int identauth; - char *p; - - if (str_sid == NULL) { - DEBUG(4,("netlogon domain SID: none\n")); - sid->sid_rev_num = 0; - sid->num_auths = 0; - return; - } - - pstrcpy(domsid, str_sid); - - DEBUG(4,("init_dom_sid %d SID: %s\n", __LINE__, domsid)); - - /* assume, but should check, that domsid starts "S-" */ - p = strtok(domsid+2,"-"); - sid->sid_rev_num = atoi(p); - - /* identauth in decimal should be < 2^32 */ - /* identauth in hex should be >= 2^32 */ - identauth = atoi(strtok(0,"-")); - - DEBUG(4,("netlogon rev %d\n", sid->sid_rev_num)); - DEBUG(4,("netlogon %s ia %d\n", p, identauth)); - - sid->id_auth[0] = 0; - sid->id_auth[1] = 0; - sid->id_auth[2] = (identauth & 0xff000000) >> 24; - sid->id_auth[3] = (identauth & 0x00ff0000) >> 16; - sid->id_auth[4] = (identauth & 0x0000ff00) >> 8; - sid->id_auth[5] = (identauth & 0x000000ff); - - sid->num_auths = 0; - - while ((p = strtok(0, "-")) != NULL && sid->num_auths < MAXSUBAUTHS) - sid->sub_auths[sid->num_auths++] = atoi(p); - - DEBUG(4,("init_dom_sid: %d SID: %s\n", __LINE__, domsid)); -} - -/******************************************************************* Inits a DOM_SID2 structure. ********************************************************************/ diff --git a/source/rpc_parse/parse_ntsvcs.c b/source/rpc_parse/parse_ntsvcs.c index 24bf3a455bf..599257e8020 100644 --- a/source/rpc_parse/parse_ntsvcs.c +++ b/source/rpc_parse/parse_ntsvcs.c @@ -299,8 +299,12 @@ BOOL ntsvcs_io_q_get_hw_profile_info(const char *desc, NTSVCS_Q_GET_HW_PROFILE_I q_u->buffer_size = 0x000000a8; - if ( UNMARSHALLING(ps) ) + if ( UNMARSHALLING(ps) ) { q_u->buffer = TALLOC_ARRAY(get_talloc_ctx(), uint8, q_u->buffer_size ); + if (!q_u->buffer) { + return False; + } + } if ( !prs_uint8s(True, "buffer", ps, depth, q_u->buffer, q_u->buffer_size) ) return False; @@ -329,8 +333,12 @@ BOOL ntsvcs_io_r_get_hw_profile_info(const char *desc, NTSVCS_R_GET_HW_PROFILE_I if ( !prs_align(ps) ) return False; - if ( UNMARSHALLING(ps) ) + if ( UNMARSHALLING(ps) ) { r_u->buffer = TALLOC_ARRAY(get_talloc_ctx(), uint8, r_u->buffer_size ); + if (!r_u->buffer) { + return False; + } + } if ( !prs_uint8s(True, "buffer", ps, depth, r_u->buffer, r_u->buffer_size) ) return False; diff --git a/source/rpc_parse/parse_prs.c b/source/rpc_parse/parse_prs.c index f2b002c48cf..14e190892d7 100644 --- a/source/rpc_parse/parse_prs.c +++ b/source/rpc_parse/parse_prs.c @@ -1469,11 +1469,12 @@ int tdb_prs_fetch(TDB_CONTEXT *tdb, char *keystr, prs_struct *ps, TALLOC_CTX *me kbuf.dptr = keystr; kbuf.dsize = strlen(keystr)+1; + prs_init(ps, 0, mem_ctx, UNMARSHALL); + dbuf = tdb_fetch(tdb, kbuf); if (!dbuf.dptr) return -1; - prs_init(ps, 0, mem_ctx, UNMARSHALL); prs_give_memory(ps, dbuf.dptr, dbuf.dsize, True); return 0; diff --git a/source/rpc_parse/parse_samr.c b/source/rpc_parse/parse_samr.c index d661b225e06..9026d503c30 100644 --- a/source/rpc_parse/parse_samr.c +++ b/source/rpc_parse/parse_samr.c @@ -6471,8 +6471,14 @@ static BOOL sam_io_user_info21(const char *desc, SAM_USER_INFO_21 * usr, void init_sam_user_info20A(SAM_USER_INFO_20 *usr, struct samu *pw) { const char *munged_dial = pdb_get_munged_dial(pw); - DATA_BLOB blob = base64_decode_data_blob(munged_dial); - + DATA_BLOB blob; + + if (munged_dial) { + blob = base64_decode_data_blob(munged_dial); + } else { + blob = data_blob(NULL, 0); + } + init_unistr2_from_datablob(&usr->uni_munged_dial, &blob); init_uni_hdr(&usr->hdr_munged_dial, &usr->uni_munged_dial); data_blob_free(&blob); diff --git a/source/rpc_parse/parse_spoolss.c b/source/rpc_parse/parse_spoolss.c index ec2d6b84300..2884883e893 100644 --- a/source/rpc_parse/parse_spoolss.c +++ b/source/rpc_parse/parse_spoolss.c @@ -4989,6 +4989,7 @@ BOOL spool_io_printer_driver_info_level_6(const char *desc, SPOOL_PRINTER_DRIVER dynamically allocate memory ********************************************************************/ + static BOOL uniarray_2_dosarray(BUFFER5 *buf5, fstring **ar) { fstring f; @@ -4999,25 +5000,27 @@ static BOOL uniarray_2_dosarray(BUFFER5 *buf5, fstring **ar) return False; src = (char *)buf5->buffer; - *ar = NULL; + *ar = SMB_MALLOC_ARRAY(fstring, 1); + if (!*ar) { + return False; + } while (src < ((char *)buf5->buffer) + buf5->buf_len*2) { rpcstr_pull(f, src, sizeof(f)-1, -1, STR_TERMINATE); src = skip_unibuf(src, 2*buf5->buf_len - PTR_DIFF(src,buf5->buffer)); *ar = SMB_REALLOC_ARRAY(*ar, fstring, n+2); - if (!*ar) + if (!*ar) { return False; + } fstrcpy((*ar)[n], f); n++; } + fstrcpy((*ar)[n], ""); return True; } - - - /******************************************************************* read a UNICODE array with null terminated strings and null terminated array @@ -5115,9 +5118,6 @@ BOOL make_spoolss_driver_info_3(TALLOC_CTX *mem_ctx, DRIVER_INFO_3 *info3) { uint32 len = 0; - uint16 *ptr = info3->dependentfiles; - BOOL done = False; - BOOL null_char = False; SPOOL_PRINTER_DRIVER_INFO_LEVEL_3 *inf; if (!(inf=TALLOC_ZERO_P(mem_ctx, SPOOL_PRINTER_DRIVER_INFO_LEVEL_3))) @@ -5142,31 +5142,35 @@ BOOL make_spoolss_driver_info_3(TALLOC_CTX *mem_ctx, init_unistr2_from_unistr(&inf->monitorname, &info3->monitorname); init_unistr2_from_unistr(&inf->defaultdatatype, &info3->defaultdatatype); - while (!done) - { - switch (*ptr) - { - case 0: - /* the null_char BOOL is used to help locate - two '\0's back to back */ - if (null_char) - done = True; - else - null_char = True; - break; + if (info3->dependentfiles) { + BOOL done = False; + BOOL null_char = False; + uint16 *ptr = info3->dependentfiles; + + while (!done) { + switch (*ptr) { + case 0: + /* the null_char BOOL is used to help locate + two '\0's back to back */ + if (null_char) { + done = True; + } else { + null_char = True; + } + break; - default: - null_char = False; - ;; - break; + default: + null_char = False; + break; + } + len++; + ptr++; } - len++; - ptr++; } + inf->dependentfiles_ptr = (info3->dependentfiles != NULL) ? 1 : 0; - inf->dependentfilessize = len; - if(!make_spoolss_buffer5(mem_ctx, &inf->dependentfiles, len, info3->dependentfiles)) - { + inf->dependentfilessize = (info3->dependentfiles != NULL) ? len : 0; + if(!make_spoolss_buffer5(mem_ctx, &inf->dependentfiles, len, info3->dependentfiles)) { SAFE_FREE(inf); return False; } @@ -5179,13 +5183,18 @@ BOOL make_spoolss_driver_info_3(TALLOC_CTX *mem_ctx, /******************************************************************* make a BUFFER5 struct from a uint16* ******************************************************************/ + BOOL make_spoolss_buffer5(TALLOC_CTX *mem_ctx, BUFFER5 *buf5, uint32 len, uint16 *src) { buf5->buf_len = len; - if((buf5->buffer=(uint16*)TALLOC_MEMDUP(mem_ctx, src, sizeof(uint16)*len)) == NULL) { - DEBUG(0,("make_spoolss_buffer5: Unable to malloc memory for buffer!\n")); - return False; + if (src) { + if((buf5->buffer=(uint16*)TALLOC_MEMDUP(mem_ctx, src, sizeof(uint16)*len)) == NULL) { + DEBUG(0,("make_spoolss_buffer5: Unable to malloc memory for buffer!\n")); + return False; + } + } else { + buf5->buffer=NULL; } return True; diff --git a/source/rpc_server/srv_eventlog_nt.c b/source/rpc_server/srv_eventlog_nt.c index 284ee37348e..c1c0b6a0e24 100644 --- a/source/rpc_server/srv_eventlog_nt.c +++ b/source/rpc_server/srv_eventlog_nt.c @@ -682,6 +682,10 @@ NTSTATUS _eventlog_read_eventlog( pipes_struct * p, int bytes_left, record_number; uint32 elog_read_type, elog_read_dir; + if (info == NULL) { + return NT_STATUS_INVALID_HANDLE; + } + info->flags = q_u->flags; ps = &p->out_data.rdata; @@ -768,6 +772,10 @@ NTSTATUS _eventlog_get_oldest_entry( pipes_struct * p, { EVENTLOG_INFO *info = find_eventlog_info_by_hnd( p, &q_u->handle ); + if (info == NULL) { + return NT_STATUS_INVALID_HANDLE; + } + if ( !( get_oldest_entry_hook( info ) ) ) return NT_STATUS_ACCESS_DENIED; @@ -785,6 +793,10 @@ NTSTATUS _eventlog_get_num_records( pipes_struct * p, { EVENTLOG_INFO *info = find_eventlog_info_by_hnd( p, &q_u->handle ); + if (info == NULL) { + return NT_STATUS_INVALID_HANDLE; + } + if ( !( get_num_records_hook( info ) ) ) return NT_STATUS_ACCESS_DENIED; diff --git a/source/rpc_server/srv_lsa_nt.c b/source/rpc_server/srv_lsa_nt.c index d5222bbcb98..ae9795952cf 100644 --- a/source/rpc_server/srv_lsa_nt.c +++ b/source/rpc_server/srv_lsa_nt.c @@ -1133,6 +1133,11 @@ NTSTATUS _lsa_lookup_names2(pipes_struct *p, LSA_Q_LOOKUP_NAMES2 *q_u, LSA_R_LOO rids = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_RID, num_entries); rids2 = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_RID2, num_entries); + if ((ref == NULL) || (rids == NULL) || (rids2 == NULL)) { + r_u->status = NT_STATUS_NO_MEMORY; + goto done; + } + if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) { r_u->status = NT_STATUS_INVALID_HANDLE; goto done; diff --git a/source/rpc_server/srv_netlog_nt.c b/source/rpc_server/srv_netlog_nt.c index 10cd5c82bae..6603d2f1d44 100644 --- a/source/rpc_server/srv_netlog_nt.c +++ b/source/rpc_server/srv_netlog_nt.c @@ -985,6 +985,11 @@ static NTSTATUS _net_sam_logon_internal(pipes_struct *p, user_sid = pdb_get_user_sid(sampw); group_sid = pdb_get_group_sid(sampw); + if ((user_sid == NULL) || (group_sid == NULL)) { + DEBUG(1, ("_net_sam_logon: User without group or user SID\n")); + return NT_STATUS_UNSUCCESSFUL; + } + sid_copy(&domain_sid, user_sid); sid_split_rid(&domain_sid, &user_rid); diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c index 5e82ecd0cae..bfae47ef250 100644 --- a/source/rpc_server/srv_samr_nt.c +++ b/source/rpc_server/srv_samr_nt.c @@ -3207,8 +3207,14 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, SAM_USER_INFO_23 *id23, } else { /* update the UNIX password */ if (lp_unix_password_sync() ) { - struct passwd *passwd = Get_Pwnam(pdb_get_username(pwd)); - if (!passwd) { + struct passwd *passwd; + if (pdb_get_username(pwd) == NULL) { + DEBUG(1, ("chgpasswd: User without name???\n")); + TALLOC_FREE(pwd); + return NT_STATUS_ACCESS_DENIED; + } + + if ((passwd = Get_Pwnam(pdb_get_username(pwd))) == NULL) { DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n")); } @@ -3273,8 +3279,15 @@ static BOOL set_user_info_pw(uint8 *pass, struct samu *pwd) } else { /* update the UNIX password */ if (lp_unix_password_sync()) { - struct passwd *passwd = Get_Pwnam(pdb_get_username(pwd)); - if (!passwd) { + struct passwd *passwd; + + if (pdb_get_username(pwd) == NULL) { + DEBUG(1, ("chgpasswd: User without name???\n")); + TALLOC_FREE(pwd); + return False; + } + + if ((passwd = Get_Pwnam(pdb_get_username(pwd))) == NULL) { DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n")); } @@ -3800,7 +3813,7 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members); - if ((num_members!=0) && (rid==NULL)) + if ((num_members!=0) && (attr==NULL)) return NT_STATUS_NO_MEMORY; for (i=0; i<num_members; i++) diff --git a/source/smbd/message.c b/source/smbd/message.c index fd28df0d801..31dab458443 100644 --- a/source/smbd/message.c +++ b/source/smbd/message.c @@ -34,211 +34,210 @@ static fstring msgfrom; static fstring msgto; /**************************************************************************** -deliver the message + Deliver the message. ****************************************************************************/ + static void msg_deliver(void) { - pstring name; - int i; - int fd; - char *msg; - int len; - ssize_t sz; - - if (! (*lp_msg_command())) - { - DEBUG(1,("no messaging command specified\n")); - msgpos = 0; - return; - } - - /* put it in a temporary file */ - slprintf(name,sizeof(name)-1, "%s/msg.XXXXXX",tmpdir()); - fd = smb_mkstemp(name); - - if (fd == -1) { - DEBUG(1,("can't open message file %s\n",name)); - return; - } - - /* - * Incoming message is in DOS codepage format. Convert to UNIX. - */ + pstring name; + int i; + int fd; + char *msg; + int len; + ssize_t sz; + + if (! (*lp_msg_command())) { + DEBUG(1,("no messaging command specified\n")); + msgpos = 0; + return; + } + + /* put it in a temporary file */ + slprintf(name,sizeof(name)-1, "%s/msg.XXXXXX",tmpdir()); + fd = smb_mkstemp(name); + + if (fd == -1) { + DEBUG(1,("can't open message file %s\n",name)); + return; + } + + /* + * Incoming message is in DOS codepage format. Convert to UNIX. + */ - if ((len = (int)convert_string_allocate(NULL,CH_DOS, CH_UNIX, msgbuf, msgpos, (void **)(void *)&msg, True)) < 0 || !msg) { - DEBUG(3,("Conversion failed, delivering message in DOS codepage format\n")); - for (i = 0; i < msgpos;) { - if (msgbuf[i] == '\r' && i < (msgpos-1) && msgbuf[i+1] == '\n') { - i++; continue; - } - sz = write(fd, &msgbuf[i++], 1); - if ( sz != 1 ) { - DEBUG(0,("Write error to fd %d: %ld(%d)\n",fd, (long)sz, errno )); - } - } - } else { - for (i = 0; i < len;) { - if (msg[i] == '\r' && i < (len-1) && msg[i+1] == '\n') { - i++; continue; - } - sz = write(fd, &msg[i++],1); - if ( sz != 1 ) { - DEBUG(0,("Write error to fd %d: %ld(%d)\n",fd, (long)sz, errno )); - } - } - SAFE_FREE(msg); - } - close(fd); - - - /* run the command */ - if (*lp_msg_command()) - { - fstring alpha_msgfrom; - fstring alpha_msgto; - pstring s; - - pstrcpy(s,lp_msg_command()); - pstring_sub(s,"%f",alpha_strcpy(alpha_msgfrom,msgfrom,NULL,sizeof(alpha_msgfrom))); - pstring_sub(s,"%t",alpha_strcpy(alpha_msgto,msgto,NULL,sizeof(alpha_msgto))); - standard_sub_basic(current_user_info.smb_name, s, sizeof(s)); - pstring_sub(s,"%s",name); - smbrun(s,NULL); - } - - msgpos = 0; + if ((len = (int)convert_string_allocate(NULL,CH_DOS, CH_UNIX, msgbuf, msgpos, (void **)(void *)&msg, True)) < 0 || !msg) { + DEBUG(3,("Conversion failed, delivering message in DOS codepage format\n")); + for (i = 0; i < msgpos;) { + if (msgbuf[i] == '\r' && i < (msgpos-1) && msgbuf[i+1] == '\n') { + i++; + continue; + } + sz = write(fd, &msgbuf[i++], 1); + if ( sz != 1 ) { + DEBUG(0,("Write error to fd %d: %ld(%d)\n",fd, (long)sz, errno )); + } + } + } else { + for (i = 0; i < len;) { + if (msg[i] == '\r' && i < (len-1) && msg[i+1] == '\n') { + i++; + continue; + } + sz = write(fd, &msg[i++],1); + if ( sz != 1 ) { + DEBUG(0,("Write error to fd %d: %ld(%d)\n",fd, (long)sz, errno )); + } + } + SAFE_FREE(msg); + } + close(fd); + + /* run the command */ + if (*lp_msg_command()) { + fstring alpha_msgfrom; + fstring alpha_msgto; + pstring s; + + pstrcpy(s,lp_msg_command()); + pstring_sub(s,"%f",alpha_strcpy(alpha_msgfrom,msgfrom,NULL,sizeof(alpha_msgfrom))); + pstring_sub(s,"%t",alpha_strcpy(alpha_msgto,msgto,NULL,sizeof(alpha_msgto))); + standard_sub_basic(current_user_info.smb_name, s, sizeof(s)); + pstring_sub(s,"%s",name); + smbrun(s,NULL); + } + + msgpos = 0; } - - /**************************************************************************** - reply to a sends + Reply to a sends. + conn POINTER CAN BE NULL HERE ! ****************************************************************************/ -int reply_sends(connection_struct *conn, - char *inbuf,char *outbuf, int dum_size, int dum_buffsize) + +int reply_sends(connection_struct *conn, char *inbuf,char *outbuf, int dum_size, int dum_buffsize) { - int len; - char *msg; - int outsize = 0; - char *p; + int len; + char *msg; + int outsize = 0; + char *p; - START_PROFILE(SMBsends); + START_PROFILE(SMBsends); - msgpos = 0; + msgpos = 0; - if (! (*lp_msg_command())) { - END_PROFILE(SMBsends); - return(ERROR_DOS(ERRSRV,ERRmsgoff)); - } + if (! (*lp_msg_command())) { + END_PROFILE(SMBsends); + return(ERROR_DOS(ERRSRV,ERRmsgoff)); + } - outsize = set_message(outbuf,0,0,True); + outsize = set_message(outbuf,0,0,True); - p = smb_buf(inbuf)+1; - p += srvstr_pull_buf(inbuf, msgfrom, p, sizeof(msgfrom), STR_ASCII|STR_TERMINATE) + 1; - p += srvstr_pull_buf(inbuf, msgto, p, sizeof(msgto), STR_ASCII|STR_TERMINATE) + 1; + p = smb_buf(inbuf)+1; + p += srvstr_pull_buf(inbuf, msgfrom, p, sizeof(msgfrom), STR_ASCII|STR_TERMINATE) + 1; + p += srvstr_pull_buf(inbuf, msgto, p, sizeof(msgto), STR_ASCII|STR_TERMINATE) + 1; - msg = p; + msg = p; - len = SVAL(msg,0); - len = MIN(len,sizeof(msgbuf)-msgpos); + len = SVAL(msg,0); + len = MIN(len,sizeof(msgbuf)-msgpos); - memset(msgbuf,'\0',sizeof(msgbuf)); + memset(msgbuf,'\0',sizeof(msgbuf)); - memcpy(&msgbuf[msgpos],msg+2,len); - msgpos += len; + memcpy(&msgbuf[msgpos],msg+2,len); + msgpos += len; - msg_deliver(); + msg_deliver(); - END_PROFILE(SMBsends); - return(outsize); + END_PROFILE(SMBsends); + return(outsize); } - /**************************************************************************** - reply to a sendstrt + Reply to a sendstrt. + conn POINTER CAN BE NULL HERE ! ****************************************************************************/ -int reply_sendstrt(connection_struct *conn, - char *inbuf,char *outbuf, int dum_size, int dum_buffsize) + +int reply_sendstrt(connection_struct *conn, char *inbuf,char *outbuf, int dum_size, int dum_buffsize) { - int outsize = 0; - char *p; + int outsize = 0; + char *p; - START_PROFILE(SMBsendstrt); + START_PROFILE(SMBsendstrt); - if (! (*lp_msg_command())) { - END_PROFILE(SMBsendstrt); - return(ERROR_DOS(ERRSRV,ERRmsgoff)); - } + if (! (*lp_msg_command())) { + END_PROFILE(SMBsendstrt); + return(ERROR_DOS(ERRSRV,ERRmsgoff)); + } - outsize = set_message(outbuf,1,0,True); + outsize = set_message(outbuf,1,0,True); - memset(msgbuf,'\0',sizeof(msgbuf)); - msgpos = 0; + memset(msgbuf,'\0',sizeof(msgbuf)); + msgpos = 0; - p = smb_buf(inbuf)+1; - p += srvstr_pull_buf(inbuf, msgfrom, p, sizeof(msgfrom), STR_ASCII|STR_TERMINATE) + 1; - p += srvstr_pull_buf(inbuf, msgto, p, sizeof(msgto), STR_ASCII|STR_TERMINATE) + 1; + p = smb_buf(inbuf)+1; + p += srvstr_pull_buf(inbuf, msgfrom, p, sizeof(msgfrom), STR_ASCII|STR_TERMINATE) + 1; + p += srvstr_pull_buf(inbuf, msgto, p, sizeof(msgto), STR_ASCII|STR_TERMINATE) + 1; - DEBUG( 3, ( "SMBsendstrt (from %s to %s)\n", msgfrom, msgto ) ); + DEBUG( 3, ( "SMBsendstrt (from %s to %s)\n", msgfrom, msgto ) ); - END_PROFILE(SMBsendstrt); - return(outsize); + END_PROFILE(SMBsendstrt); + return(outsize); } - /**************************************************************************** - reply to a sendtxt + Reply to a sendtxt. + conn POINTER CAN BE NULL HERE ! ****************************************************************************/ -int reply_sendtxt(connection_struct *conn, - char *inbuf,char *outbuf, int dum_size, int dum_buffsize) + +int reply_sendtxt(connection_struct *conn, char *inbuf,char *outbuf, int dum_size, int dum_buffsize) { - int len; - int outsize = 0; - char *msg; - START_PROFILE(SMBsendtxt); + int len; + int outsize = 0; + char *msg; + START_PROFILE(SMBsendtxt); - if (! (*lp_msg_command())) { - END_PROFILE(SMBsendtxt); - return(ERROR_DOS(ERRSRV,ERRmsgoff)); - } + if (! (*lp_msg_command())) { + END_PROFILE(SMBsendtxt); + return(ERROR_DOS(ERRSRV,ERRmsgoff)); + } - outsize = set_message(outbuf,0,0,True); + outsize = set_message(outbuf,0,0,True); - msg = smb_buf(inbuf) + 1; + msg = smb_buf(inbuf) + 1; - len = SVAL(msg,0); - len = MIN(len,sizeof(msgbuf)-msgpos); + len = SVAL(msg,0); + len = MIN(len,sizeof(msgbuf)-msgpos); - memcpy(&msgbuf[msgpos],msg+2,len); - msgpos += len; + memcpy(&msgbuf[msgpos],msg+2,len); + msgpos += len; - DEBUG( 3, ( "SMBsendtxt\n" ) ); + DEBUG( 3, ( "SMBsendtxt\n" ) ); - END_PROFILE(SMBsendtxt); - return(outsize); + END_PROFILE(SMBsendtxt); + return(outsize); } - /**************************************************************************** - reply to a sendend + Reply to a sendend. + conn POINTER CAN BE NULL HERE ! ****************************************************************************/ -int reply_sendend(connection_struct *conn, - char *inbuf,char *outbuf, int dum_size, int dum_buffsize) + +int reply_sendend(connection_struct *conn, char *inbuf,char *outbuf, int dum_size, int dum_buffsize) { - int outsize = 0; - START_PROFILE(SMBsendend); + int outsize = 0; + START_PROFILE(SMBsendend); - if (! (*lp_msg_command())) { - END_PROFILE(SMBsendend); - return(ERROR_DOS(ERRSRV,ERRmsgoff)); - } + if (! (*lp_msg_command())) { + END_PROFILE(SMBsendend); + return(ERROR_DOS(ERRSRV,ERRmsgoff)); + } - outsize = set_message(outbuf,0,0,True); + outsize = set_message(outbuf,0,0,True); - DEBUG(3,("SMBsendend\n")); + DEBUG(3,("SMBsendend\n")); - msg_deliver(); + msg_deliver(); - END_PROFILE(SMBsendend); - return(outsize); + END_PROFILE(SMBsendend); + return(outsize); } diff --git a/source/smbd/negprot.c b/source/smbd/negprot.c index 5d2ed6a10d1..3347008cdf8 100644 --- a/source/smbd/negprot.c +++ b/source/smbd/negprot.c @@ -456,6 +456,7 @@ static const struct { /**************************************************************************** Reply to a negprot. + conn POINTER CAN BE NULL HERE ! ****************************************************************************/ int reply_negprot(connection_struct *conn, diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c index e397139d2ef..aa6f79e1657 100644 --- a/source/smbd/nttrans.c +++ b/source/smbd/nttrans.c @@ -1545,6 +1545,7 @@ static int call_nt_transact_create(connection_struct *conn, char *inbuf, char *o /**************************************************************************** Reply to a NT CANCEL request. + conn POINTER CAN BE NULL HERE ! ****************************************************************************/ int reply_ntcancel(connection_struct *conn, diff --git a/source/smbd/process.c b/source/smbd/process.c index 440d0ac0a50..b3ce49360d8 100644 --- a/source/smbd/process.c +++ b/source/smbd/process.c @@ -567,10 +567,10 @@ are used by some brain-dead clients when printing, and I don't want to force write permissions on print services. */ #define AS_USER (1<<0) -#define NEED_WRITE (1<<1) +#define NEED_WRITE (1<<1) /* Must be paired with AS_USER */ #define TIME_INIT (1<<2) -#define CAN_IPC (1<<3) -#define AS_GUEST (1<<5) +#define CAN_IPC (1<<3) /* Must be paired with AS_USER */ +#define AS_GUEST (1<<5) /* Must *NOT* be paired with AS_USER */ #define DO_CHDIR (1<<6) /* @@ -932,48 +932,46 @@ static int switch_message(int type,char *inbuf,char *outbuf,int size,int bufsize user_struct *vuser = NULL; last_session_tag = session_tag; - if(session_tag != UID_FIELD_INVALID) + if(session_tag != UID_FIELD_INVALID) { vuser = get_valid_user_struct(session_tag); - if(vuser != NULL) - set_current_user_info(&vuser->user); - } - - /* does this protocol need to be run as root? */ - if (!(flags & AS_USER)) - change_to_root_user(); - - /* does this protocol need a valid tree connection? */ - if ((flags & AS_USER) && !conn) { - /* Amazingly, the error code depends on the command (from Samba4). */ - if (type == SMBntcreateX) { - return ERROR_NT(NT_STATUS_INVALID_HANDLE); - } else { - return ERROR_DOS(ERRSRV, ERRinvnid); + if (vuser) { + set_current_user_info(&vuser->user); + } } } + /* Does this call need to be run as the connected user? */ + if (flags & AS_USER) { + + /* Does this call need a valid tree connection? */ + if (!conn) { + /* Amazingly, the error code depends on the command (from Samba4). */ + if (type == SMBntcreateX) { + return ERROR_NT(NT_STATUS_INVALID_HANDLE); + } else { + return ERROR_DOS(ERRSRV, ERRinvnid); + } + } - /* does this protocol need to be run as the connected user? */ - if ((flags & AS_USER) && !change_to_user(conn,session_tag)) { - if (flags & AS_GUEST) - flags &= ~AS_USER; - else + if (!change_to_user(conn,session_tag)) { return(ERROR_FORCE_DOS(ERRSRV,ERRbaduid)); - } + } - /* this code is to work around a bug is MS client 3 without - introducing a security hole - it needs to be able to do - print queue checks as guest if it isn't logged in properly */ - if (flags & AS_USER) - flags &= ~AS_GUEST; + /* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */ - /* does it need write permission? */ - if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) - return(ERROR_DOS(ERRSRV,ERRaccess)); + /* Does it need write permission? */ + if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) { + return(ERROR_DOS(ERRSRV,ERRaccess)); + } - /* ipc services are limited */ - if (IS_IPC(conn) && (flags & AS_USER) && !(flags & CAN_IPC)) - return(ERROR_DOS(ERRSRV,ERRaccess)); + /* IPC services are limited */ + if (IS_IPC(conn) && !(flags & CAN_IPC)) { + return(ERROR_DOS(ERRSRV,ERRaccess)); + } + } else { + /* This call needs to be run as root */ + change_to_root_user(); + } /* load service specific parameters */ if (conn) { @@ -985,8 +983,9 @@ static int switch_message(int type,char *inbuf,char *outbuf,int size,int bufsize /* does this protocol need to be run as guest? */ if ((flags & AS_GUEST) && (!change_to_guest() || - !check_access(smbd_server_fd(), lp_hostsallow(-1), lp_hostsdeny(-1)))) + !check_access(smbd_server_fd(), lp_hostsallow(-1), lp_hostsdeny(-1)))) { return(ERROR_DOS(ERRSRV,ERRaccess)); + } current_inbuf = inbuf; /* In case we need to defer this message in open... */ outsize = smb_messages[type].fn(conn, inbuf,outbuf,size,bufsize); @@ -997,7 +996,6 @@ static int switch_message(int type,char *inbuf,char *outbuf,int size,int bufsize return(outsize); } - /**************************************************************************** Construct a reply to the incoming packet. ****************************************************************************/ diff --git a/source/smbd/reply.c b/source/smbd/reply.c index d333ebf32eb..e68e8662d74 100644 --- a/source/smbd/reply.c +++ b/source/smbd/reply.c @@ -547,6 +547,7 @@ int reply_special(char *inbuf,char *outbuf) /**************************************************************************** Reply to a tcon. + conn POINTER CAN BE NULL HERE ! ****************************************************************************/ int reply_tcon(connection_struct *conn, @@ -605,6 +606,7 @@ int reply_tcon(connection_struct *conn, /**************************************************************************** Reply to a tcon and X. + conn POINTER CAN BE NULL HERE ! ****************************************************************************/ int reply_tcon_and_X(connection_struct *conn, char *inbuf,char *outbuf,int length,int bufsize) @@ -738,6 +740,7 @@ int reply_unknown(char *inbuf,char *outbuf) /**************************************************************************** Reply to an ioctl. + conn POINTER CAN BE NULL HERE ! ****************************************************************************/ int reply_ioctl(connection_struct *conn, @@ -1591,6 +1594,7 @@ int reply_open_and_X(connection_struct *conn, char *inbuf,char *outbuf,int lengt /**************************************************************************** Reply to a SMBulogoffX. + conn POINTER CAN BE NULL HERE ! ****************************************************************************/ int reply_ulogoffX(connection_struct *conn, char *inbuf,char *outbuf,int length,int bufsize) @@ -3236,6 +3240,7 @@ int reply_flush(connection_struct *conn, char *inbuf,char *outbuf, int size, int /**************************************************************************** Reply to a exit. + conn POINTER CAN BE NULL HERE ! ****************************************************************************/ int reply_exit(connection_struct *conn, @@ -3511,6 +3516,7 @@ int reply_unlock(connection_struct *conn, char *inbuf,char *outbuf, int size, /**************************************************************************** Reply to a tdis. + conn POINTER CAN BE NULL HERE ! ****************************************************************************/ int reply_tdis(connection_struct *conn, @@ -3538,6 +3544,7 @@ int reply_tdis(connection_struct *conn, /**************************************************************************** Reply to a echo. + conn POINTER CAN BE NULL HERE ! ****************************************************************************/ int reply_echo(connection_struct *conn, diff --git a/source/smbd/sesssetup.c b/source/smbd/sesssetup.c index 46acb20bdad..fb579707cae 100644 --- a/source/smbd/sesssetup.c +++ b/source/smbd/sesssetup.c @@ -635,6 +635,7 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf, /**************************************************************************** Reply to a session setup command. + conn POINTER CAN BE NULL HERE ! ****************************************************************************/ static int reply_sesssetup_and_X_spnego(connection_struct *conn, char *inbuf, diff --git a/source/utils/net_rpc.c b/source/utils/net_rpc.c index 30d7b7be204..f29398c822c 100644 --- a/source/utils/net_rpc.c +++ b/source/utils/net_rpc.c @@ -858,7 +858,10 @@ static NTSTATUS rpc_user_rename_internals(const DOM_SID *domain_sid, goto done; } - names = TALLOC_ARRAY(mem_ctx, const char *, num_names); + if ((names = TALLOC_ARRAY(mem_ctx, const char *, num_names)) == NULL) { + result = NT_STATUS_NO_MEMORY; + goto done; + } names[0] = old_name; result = rpccli_samr_lookup_names(pipe_hnd, mem_ctx, &domain_pol, flags, num_names, names, @@ -1141,7 +1144,10 @@ static NTSTATUS rpc_user_info_internals(const DOM_SID *domain_sid, /* Look up rids */ if (num_rids) { - rids = TALLOC_ARRAY(mem_ctx, uint32, num_rids); + if ((rids = TALLOC_ARRAY(mem_ctx, uint32, num_rids)) == NULL) { + result = NT_STATUS_NO_MEMORY; + goto done; + } for (i = 0; i < num_rids; i++) rids[i] = user_gids[i].g_rid; @@ -3008,13 +3014,17 @@ static NTSTATUS rpc_share_add_internals(const DOM_SID *domain_sid, const char **argv) { WERROR result; - char *sharename=talloc_strdup(mem_ctx, argv[0]); + char *sharename; char *path; uint32 type = STYPE_DISKTREE; /* only allow disk shares to be added */ uint32 num_users=0, perms=0; char *password=NULL; /* don't allow a share password */ uint32 level = 2; + if ((sharename = talloc_strdup(mem_ctx, argv[0])) == NULL) { + return NT_STATUS_NO_MEMORY; + } + path = strchr(sharename, '='); if (!path) return NT_STATUS_UNSUCCESSFUL; @@ -3152,6 +3162,10 @@ static WERROR get_share_info(struct rpc_pipe_client *pipe_hnd, SRV_SHARE_INFO_1 *info1; ctr->share.info1 = TALLOC_ARRAY(mem_ctx, SRV_SHARE_INFO_1, 1); + if (ctr->share.info1 == NULL) { + result = WERR_NOMEM; + goto done; + } info1 = ctr->share.info1; memset(ctr->share.info1, 0, sizeof(SRV_SHARE_INFO_1)); @@ -3176,6 +3190,10 @@ static WERROR get_share_info(struct rpc_pipe_client *pipe_hnd, SRV_SHARE_INFO_2 *info2; ctr->share.info2 = TALLOC_ARRAY(mem_ctx, SRV_SHARE_INFO_2, 1); + if (ctr->share.info2 == NULL) { + result = WERR_NOMEM; + goto done; + } info2 = ctr->share.info2; memset(ctr->share.info2, 0, sizeof(SRV_SHARE_INFO_2)); @@ -3208,6 +3226,10 @@ static WERROR get_share_info(struct rpc_pipe_client *pipe_hnd, SRV_SHARE_INFO_502 *info502; ctr->share.info502 = TALLOC_ARRAY(mem_ctx, SRV_SHARE_INFO_502, 1); + if (ctr->share.info502 == NULL) { + result = WERR_NOMEM; + goto done; + } info502 = ctr->share.info502; memset(ctr->share.info502, 0, sizeof(SRV_SHARE_INFO_502)); @@ -5461,7 +5483,9 @@ static NTSTATUS rpc_trustdom_del_internals(const DOM_SID *domain_sid, strupper_m(acct_name); - names = TALLOC_ARRAY(mem_ctx, const char *, 1); + if ((names = TALLOC_ARRAY(mem_ctx, const char *, 1)) == NULL) { + return NT_STATUS_NO_MEMORY; + } names[0] = acct_name; diff --git a/source/utils/net_rpc_audit.c b/source/utils/net_rpc_audit.c index 5c81fe24d09..981dc93fdd7 100644 --- a/source/utils/net_rpc_audit.c +++ b/source/utils/net_rpc_audit.c @@ -44,6 +44,13 @@ static void print_auditing_category(const char *policy, const char *value) fstring padding; int pad_len, col_len = 30; + if (policy == NULL) { + policy = "Unknown"; + } + if (value == NULL) { + value = "Invalid"; + } + /* calculate padding space for d_printf to look nicer */ pad_len = col_len - strlen(policy); padding[pad_len] = 0; diff --git a/source/utils/net_rpc_join.c b/source/utils/net_rpc_join.c index 2c55b0e9462..d23bd767519 100644 --- a/source/utils/net_rpc_join.c +++ b/source/utils/net_rpc_join.c @@ -222,7 +222,10 @@ int net_rpc_join_newstyle(int argc, const char **argv) "could not open domain"); /* Create domain user */ - acct_name = talloc_asprintf(mem_ctx, "%s$", global_myname()); + if ((acct_name = talloc_asprintf(mem_ctx, "%s$", global_myname())) == NULL) { + result = NT_STATUS_NO_MEMORY; + goto done; + } strlower_m(acct_name); const_acct_name = acct_name; diff --git a/source/utils/net_rpc_registry.c b/source/utils/net_rpc_registry.c index 33d5310698e..10ba28e0239 100644 --- a/source/utils/net_rpc_registry.c +++ b/source/utils/net_rpc_registry.c @@ -408,7 +408,10 @@ static int rpc_registry_dump( int argc, const char **argv ) /* get the root of the registry file */ - nk = regfio_rootkey( registry ); + if ((nk = regfio_rootkey( registry )) == NULL) { + d_fprintf(stderr, "Could not get rootkey\n"); + return 1; + } d_printf("[%s]\n", nk->keyname); dump_values( nk ); d_printf("\n"); @@ -455,7 +458,10 @@ static int rpc_registry_copy( int argc, const char **argv ) /* get the root of the registry file */ - nk = regfio_rootkey( infile ); + if ((nk = regfio_rootkey( infile )) == NULL) { + d_fprintf(stderr, "Could not get rootkey\n"); + goto out_close_infile; + } d_printf("RootKey: [%s]\n", nk->keyname); write_registry_tree( infile, nk, NULL, outfile, "" ); diff --git a/source/utils/net_rpc_samsync.c b/source/utils/net_rpc_samsync.c index ef9a0627b58..85b086a02ff 100644 --- a/source/utils/net_rpc_samsync.c +++ b/source/utils/net_rpc_samsync.c @@ -574,6 +574,10 @@ static NTSTATUS fetch_account_info(uint32 rid, SAM_ACCOUNT_INFO *delta) } } + if (pdb_get_group_sid(sam_account) == NULL) { + return NT_STATUS_UNSUCCESSFUL; + } + group_sid = *pdb_get_group_sid(sam_account); if (!pdb_getgrsid(&map, group_sid)) { @@ -694,7 +698,11 @@ static NTSTATUS fetch_group_mem_info(uint32 rid, SAM_GROUP_MEM_INFO *delta) return NT_STATUS_NO_MEMORY; } - nt_members = TALLOC_ZERO_ARRAY(t, char *, delta->num_members); + if ((nt_members = TALLOC_ZERO_ARRAY(t, char *, delta->num_members)) == NULL) { + DEBUG(0, ("talloc failed\n")); + talloc_free(t); + return NT_STATUS_NO_MEMORY; + } for (i=0; i<delta->num_members; i++) { struct samu *member = NULL; diff --git a/source/utils/net_sam.c b/source/utils/net_sam.c index 605d4bbc6bf..654c9ec5b2a 100644 --- a/source/utils/net_sam.c +++ b/source/utils/net_sam.c @@ -840,7 +840,11 @@ static int net_sam_provision(int argc, const char **argv) return -1; } - ldap_bk = talloc_strdup(tc, lp_passdb_backend()); + if ((ldap_bk = talloc_strdup(tc, lp_passdb_backend())) == NULL) { + d_fprintf(stderr, "talloc failed\n"); + talloc_free(tc); + return -1; + } p = strchr(ldap_bk, ':'); if (p) { *p = 0; @@ -1081,7 +1085,10 @@ doma_done: d_fprintf(stderr, "Can't create Guest user, Domain Users group not available!\n"); goto done; } - pwd = talloc(tc, struct passwd); + if ((pwd = talloc(tc, struct passwd)) == NULL) { + d_fprintf(stderr, "talloc failed\n"); + goto done; + } pwd->pw_name = talloc_strdup(pwd, lp_guestaccount()); if (!winbind_allocate_uid(&(pwd->pw_uid))) { d_fprintf(stderr, "Unable to allocate a new uid to create the Guest user!\n"); diff --git a/source/utils/net_usershare.c b/source/utils/net_usershare.c index 253416c5cb0..09ef8bd97f9 100644 --- a/source/utils/net_usershare.c +++ b/source/utils/net_usershare.c @@ -147,7 +147,10 @@ static int net_usershare_delete(int argc, const char **argv) return net_usershare_delete_usage(argc, argv); } - sharename = strdup_lower(argv[0]); + if ((sharename = strdup_lower(argv[0])) == NULL) { + d_fprintf(stderr, "strdup failed\n"); + return -1; + } if (!validate_net_name(sharename, INVALID_SHARENAME_CHARS, strlen(sharename))) { d_fprintf(stderr, "net usershare delete: share name %s contains " @@ -641,7 +644,12 @@ static int net_usershare_add(int argc, const char **argv) } /* Get the name */ - name = talloc_strndup(ctx, pacl, pcolon - pacl); + if ((name = talloc_strndup(ctx, pacl, pcolon - pacl)) == NULL) { + d_fprintf(stderr, "talloc_strndup failed\n"); + talloc_destroy(ctx); + SAFE_FREE(sharename); + return -1; + } if (!string_to_sid(&sid, name)) { /* Convert to a SID */ NTSTATUS ntstatus = net_lookup_sid_from_name(ctx, name, &sid); diff --git a/source/utils/ntlm_auth_diagnostics.c b/source/utils/ntlm_auth_diagnostics.c index 00149db9e24..c8ea966a558 100644 --- a/source/utils/ntlm_auth_diagnostics.c +++ b/source/utils/ntlm_auth_diagnostics.c @@ -464,7 +464,10 @@ static BOOL test_plaintext(enum ntlm_break break_which) nt_response.length = strlen_w(((void *)nt_response.data))*sizeof(smb_ucs2_t); - password = strdup_upper(opt_password); + if ((password = strdup_upper(opt_password)) == NULL) { + DEBUG(0, ("strdup_upper failed!\n")); + exit(1); + } if ((convert_string_allocate(NULL, CH_UNIX, CH_DOS, password, diff --git a/source/utils/profiles.c b/source/utils/profiles.c index 9629dffaea2..d40a2deea3b 100644 --- a/source/utils/profiles.c +++ b/source/utils/profiles.c @@ -213,7 +213,10 @@ int main( int argc, char *argv[] ) /* actually do the update now */ - nk = regfio_rootkey( infile ); + if ((nk = regfio_rootkey( infile )) == NULL) { + fprintf(stderr, "Could not get rootkey\n"); + exit(3); + } if ( !copy_registry_tree( infile, nk, NULL, outfile, "" ) ) { fprintf(stderr, "Failed to write updated registry file!\n"); diff --git a/source/utils/smbcacls.c b/source/utils/smbcacls.c index 1c34cd32a66..b31fd95f7ab 100644 --- a/source/utils/smbcacls.c +++ b/source/utils/smbcacls.c @@ -360,11 +360,12 @@ static BOOL add_ace(SEC_ACL **the_acl, SEC_ACE *ace) SEC_ACL *new_ace; SEC_ACE *aces; if (! *the_acl) { - (*the_acl) = make_sec_acl(ctx, 3, 1, ace); - return True; + return (((*the_acl) = make_sec_acl(ctx, 3, 1, ace)) != NULL); } - aces = SMB_CALLOC_ARRAY(SEC_ACE, 1+(*the_acl)->num_aces); + if (!(aces = SMB_CALLOC_ARRAY(SEC_ACE, 1+(*the_acl)->num_aces))) { + return False; + } memcpy(aces, (*the_acl)->ace, (*the_acl)->num_aces * sizeof(SEC_ACE)); memcpy(aces+(*the_acl)->num_aces, ace, sizeof(SEC_ACE)); new_ace = make_sec_acl(ctx,(*the_acl)->revision,1+(*the_acl)->num_aces, aces); |