
Annotation of /trunk/samba/patches/samba-3.0.24-heap_overflow.patch



Revision 201 - (hide annotations) (download)
Sat May 19 16:54:40 2007 UTC (17 years ago) by niro
File size: 8427 byte(s)
-added security fixes (CVE-2007-2446 && CVE-2007-2447)

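--- a/source/include/smb_macros.h
+++ b/source/include/smb_macros.h
@@ -310,7 +310,6 @@
 #if defined(PARANOID_MALLOC_CHECKER)
 
 #define PRS_ALLOC_MEM(ps, type, count) (type *)prs_alloc_mem_((ps),sizeof(type),(count))
-#define PRS_ALLOC_MEM_VOID(ps, size) prs_alloc_mem_((ps),(size),1)
 
 /* Get medieval on our ass about malloc.... */
 
@@ -354,7 +353,6 @@
 #define __location__ __FILE__ ":" __LINESTR__
 
 #define PRS_ALLOC_MEM(ps, type, count) (type *)prs_alloc_mem((ps),sizeof(type),(count))
-#define PRS_ALLOC_MEM_VOID(ps, size) prs_alloc_mem((ps),(size),1)
 
 /* Regular malloc code. */
 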
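Review bot: The header now offers only `PRS_ALLOC_MEM`, but nothing next to it records why the byte-size form was dropped, so a later maintainer may reintroduce an equivalent helper. The reason is visible in the parse_dfs.c hunks of this same patch, where callers computed `sizeof(*v->stores)*v->num_stores` themselves before allocating. A one-line comment above each remaining macro (both the PARANOID_MALLOC_CHECKER copy and the regular copy) would carry that: `/* Always pass element type and count separately; a caller-computed byte size lets size*count wrap before the allocator can check it. */`.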
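--- a/source/rpc_parse/parse_dfs.c
+++ b/source/rpc_parse/parse_dfs.c
@@ -325,7 +325,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
- v->stores = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->stores)*v->num_stores);
+ v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores);
+ if (!v->stores)
+ return False;
 }
 for (i_stores_1=0; i_stores_1<v->num_stores;i_stores_1++) {
 if (!netdfs_io_dfs_StorageInfo_p("stores", &v->stores[i_stores_1], ps, depth))
@@ -447,7 +449,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
- v->stores = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->stores)*v->num_stores);
+ v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores);
+ if (!v->stores)
+ return False;
 }
 for (i_stores_1=0; i_stores_1<v->num_stores;i_stores_1++) {
 if (!netdfs_io_dfs_StorageInfo_p("stores", &v->stores[i_stores_1], ps, depth))
@@ -920,7 +924,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO1,v->count);
+ if (!v->s)
+ return False;
 }
 for (i_s_1=0; i_s_1<v->count;i_s_1++) {
 if (!netdfs_io_dfs_Info1_p("s", &v->s[i_s_1], ps, depth))
@@ -986,7 +992,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO2,v->count);
+ if (!v->s)
+ return False;
 }
 for (i_s_1=0; i_s_1<v->count;i_s_1++) {
 if (!netdfs_io_dfs_Info2_p("s", &v->s[i_s_1], ps, depth))
@@ -1052,7 +1060,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO3,v->count);
+ if (!v->s)
+ return False;
 }
 for (i_s_1=0; i_s_1<v->count;i_s_1++) {
 if (!netdfs_io_dfs_Info3_p("s", &v->s[i_s_1], ps, depth))
@@ -1118,7 +1128,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO4,v->count);
+ if (!v->s)
+ return False;
 }
 for (i_s_1=0; i_s_1<v->count;i_s_1++) {
 if (!netdfs_io_dfs_Info4_p("s", &v->s[i_s_1], ps, depth))
@@ -1184,7 +1196,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO200,v->count);
+ if (!v->s)
+ return False;
 }
 for (i_s_1=0; i_s_1<v->count;i_s_1++) {
 if (!netdfs_io_dfs_Info200_p("s", &v->s[i_s_1], ps, depth))
@@ -1250,7 +1264,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO300,v->count);
+ if (!v->s)
+ return False;
 }
 for (i_s_1=0; i_s_1<v->count;i_s_1++) {
 if (!netdfs_io_dfs_Info300_p("s", &v->s[i_s_1], ps, depth))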
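Review bot: The new `if (!v->stores) return False;` turns a zero-length array into a parse failure, because the parse_prs.c hunk in this same patch makes `prs_alloc_mem` return NULL whenever `count` is 0. Whether an empty `stores` array is legal on the wire I cannot tell from the hunk, but the parse_sec.c hunk handles the same situation by guarding the allocation with `if (psa->num_aces)`, and the same shape applies to all eight hunks here (the two `v->stores`/`num_stores` hunks and the six `v->s`/`v->count` hunks). Guarding on the count and leaving the pointer NULL for the empty case keeps the failure path for genuine allocation errors only, and the per-element loop below already does nothing for a zero count. The enclosing functions start and end outside the hunks.

```c
	if (UNMARSHALLING(ps)) {
		if (v->num_stores) {
			v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores);
			if (!v->stores)
				return False;
		} else {
			v->stores = NULL;
		}
	}
	/* … unchanged: per-element netdfs_io_dfs_StorageInfo_p loop … */
```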
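--- a/source/rpc_parse/parse_lsa.c
+++ b/source/rpc_parse/parse_lsa.c
@@ -1349,12 +1349,17 @@
 &trn->num_entries2))
 return False;
 
+ if (trn->num_entries2 != trn->num_entries) {
+ /* RPC fault */
+ return False;
+ }
+
 if (UNMARSHALLING(ps)) {
- if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries)) == NULL) {
+ if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries2)) == NULL) {
 return False;
 }
 
- if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) {
+ if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) {
 return False;
 }
 }
@@ -1406,12 +1411,17 @@
 &trn->num_entries2))
 return False;
 
+ if (trn->num_entries2 != trn->num_entries) {
+ /* RPC fault */
+ return False;
+ }
+
 if (UNMARSHALLING(ps)) {
- if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries)) == NULL) {
+ if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries2)) == NULL) {
 return False;
 }
 
- if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) {
+ if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) {
 return False;
 }
 }
@@ -2759,7 +2769,7 @@
 
 static BOOL lsa_io_privilege_set(const char *desc, PRIVILEGE_SET *out, prs_struct *ps, int depth)
 {
- uint32 i;
+ uint32 i, dummy;
 
 prs_debug(ps, depth, desc, "lsa_io_privilege_set");
 depth++;
@@ -2767,7 +2777,7 @@
 if(!prs_align(ps))
 return False;
 
- if(!prs_uint32("count", ps, depth, &out->count))
+ if(!prs_uint32("count", ps, depth, &dummy))
 return False;
 if(!prs_uint32("control", ps, depth, &out->control))
 return False;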
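Review bot: In `lsa_io_privilege_set` the on-wire `count` is now read into `dummy` and discarded while `out->count` is left untouched, and the hunk gives no hint why, so a reader will take the unused variable for a leftover and be tempted to "fix" it back. A comment on that line would fix this: `/* The wire count is untrusted and deliberately ignored: out->count was set by the caller, which sized out->set from it, so overwriting it here would let the element loop below run past the allocation. */` — the caller and the loop over `out->count` are outside the hunk, so confirm that is still how the array is sized. The two `num_entries2 != num_entries` checks above are the right shape, but `/* RPC fault */` could say what is faulty, e.g. `/* array length disagrees with num_entries: reject rather than trust either value */`.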
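--- a/source/rpc_parse/parse_prs.c
+++ b/source/rpc_parse/parse_prs.c
@@ -156,7 +156,7 @@
 {
 char *ret = NULL;
 
- if (size) {
+ if (size && count) {
 /* We can't call the type-safe version here. */
 ret = _talloc_zero_array(ps->mem_ctx, size, count, "parse_prs");
 }
@@ -642,7 +642,7 @@
 return True;
 
 if (UNMARSHALLING(ps)) {
- if ( !(*data = PRS_ALLOC_MEM_VOID(ps, data_size)) )
+ if ( !(*data = (void *)PRS_ALLOC_MEM(ps, char, data_size)) )
 return False;
 }
 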
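Review bot: `if (size && count)` makes `prs_alloc_mem` return NULL for a zero-sized request as well as for an allocation failure, and callers that test the result for NULL (every `PRS_ALLOC_MEM` site changed elsewhere in this patch) cannot tell the two apart. The function's signature and header comment are above the hunk; the contract should be stated there: `/* Returns NULL when size or count is 0 and on allocation failure; a caller that accepts an empty array must test the count before treating NULL as an error. */`. The second hunk has the same exposure: a `data_size` of 0 now yields NULL and `return False`, unless the `return True` context line above it already handles that case, which I cannot confirm from here.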
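--- a/source/rpc_parse/parse_sec.c
+++ b/source/rpc_parse/parse_sec.c
@@ -122,7 +122,7 @@
 for you as it reads them.
 ********************************************************************/
 
-BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth)
+static BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth)
 {
 unsigned int i;
 uint32 old_offset;
@@ -165,13 +165,10 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
- /*
- * Even if the num_aces is zero, allocate memory as there's a difference
- * between a non-present DACL (allow all access) and a DACL with no ACE's
- * (allow no access).
- */
- if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces+1)) == NULL)
- return False;
+ if (psa->num_aces) {
+ if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces)) == NULL)
+ return False;
+ }
 }
 
 for (i = 0; i < psa->num_aces; i++) {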
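Review bot: The second hunk deletes the comment explaining the non-present-versus-empty DACL distinction, yet the distinction still matters and the new code now leaves `psa->ace` unassigned when `num_aces` is 0. That is only safe if `psa` was zeroed when it was allocated (that allocation is above the hunk, so confirm it comes from a zeroing allocator); a replacement comment would keep the intent visible: `/* num_aces == 0 is a valid, empty DACL: ace stays NULL and the loop below does no work. A non-present DACL is signalled by *ppsa == NULL, not here. */`. Dropping the `+1` is the right call, since `num_aces+1` wraps to 0 for a maximal count and the loop below would then write past the allocation. Making `sec_io_acl` static is fine provided its prototype was removed from the header in the same change, which this patch does not show.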
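--- a/source/rpc_parse/parse_spoolss.c
+++ b/source/rpc_parse/parse_spoolss.c
@@ -227,8 +227,13 @@
 if(!prs_uint32("count2", ps, depth, &type->count2))
 return False;
 
- if (type->count2 != type->count)
+ if (type->count2 != type->count) {
 DEBUG(4,("What a mess, count was %x now is %x !\n", type->count, type->count2));
+ return False;
+ }
+ if (type->count2 > MAX_NOTIFY_TYPE_FOR_NOW) {
+ return False;
+ }
 
 /* parse the option type data */
 for(i=0;i<type->count2;i++)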
235    
236     - if (type->count2 != type->count)
237     + if (type->count2 != type->count) {
238     DEBUG(4,("What a mess, count was %x now is %x !\n", type->count, type->count2));
239     + return False;
240     + }
241     + if (type->count2 > MAX_NOTIFY_TYPE_FOR_NOW) {
242     + return False;
243     + }
244    
245     /* parse the option type data */
246     for(i=0;i<type->count2;i++)
247