
Contents of /trunk/samba/patches/samba-3.0.24-heap_overflow.patch



Revision 201 - (show annotations) (download)
Sat May 19 16:54:40 2007 UTC (16 years, 11 months ago) by niro
File size: 8427 byte(s)
-added security fixes (CVE-2007-2446 && CVE-2007-2447)

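Index: samba-3.0.24/source/include/smb_macros.h
===================================================================
--- samba-3.0.24.orig/source/include/smb_macros.h 2007-05-10 09:47:34.000000000 -0500
+++ samba-3.0.24/source/include/smb_macros.h 2007-05-10 09:48:03.000000000 -0500
@@ -310,7 +310,6 @@
 #if defined(PARANOID_MALLOC_CHECKER)
 
 #define PRS_ALLOC_MEM(ps, type, count) (type *)prs_alloc_mem_((ps),sizeof(type),(count))
-#define PRS_ALLOC_MEM_VOID(ps, size) prs_alloc_mem_((ps),(size),1)
 
 /* Get medieval on our ass about malloc.... */
 
@@ -354,7 +353,6 @@
 #define __location__ __FILE__ ":" __LINESTR__
 
 #define PRS_ALLOC_MEM(ps, type, count) (type *)prs_alloc_mem((ps),sizeof(type),(count))
-#define PRS_ALLOC_MEM_VOID(ps, size) prs_alloc_mem((ps),(size),1)
 
 /* Regular malloc code. */
 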
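Index: samba-3.0.24/source/rpc_parse/parse_dfs.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_dfs.c 2007-05-10 09:47:28.000000000 -0500
+++ samba-3.0.24/source/rpc_parse/parse_dfs.c 2007-05-10 09:48:03.000000000 -0500
@@ -325,7 +325,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
- v->stores = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->stores)*v->num_stores);
+ v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores);
+ if (!v->stores)
+ return False;
 }
 for (i_stores_1=0; i_stores_1<v->num_stores;i_stores_1++) {
 if (!netdfs_io_dfs_StorageInfo_p("stores", &v->stores[i_stores_1], ps, depth))
@@ -447,7 +449,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
- v->stores = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->stores)*v->num_stores);
+ v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores);
+ if (!v->stores)
+ return False;
 }
 for (i_stores_1=0; i_stores_1<v->num_stores;i_stores_1++) {
 if (!netdfs_io_dfs_StorageInfo_p("stores", &v->stores[i_stores_1], ps, depth))
@@ -920,7 +924,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO1,v->count);
+ if (!v->s)
+ return False;
 }
 for (i_s_1=0; i_s_1<v->count;i_s_1++) {
 if (!netdfs_io_dfs_Info1_p("s", &v->s[i_s_1], ps, depth))
@@ -986,7 +992,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO2,v->count);
+ if (!v->s)
+ return False;
 }
 for (i_s_1=0; i_s_1<v->count;i_s_1++) {
 if (!netdfs_io_dfs_Info2_p("s", &v->s[i_s_1], ps, depth))
@@ -1052,7 +1060,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO3,v->count);
+ if (!v->s)
+ return False;
 }
 for (i_s_1=0; i_s_1<v->count;i_s_1++) {
 if (!netdfs_io_dfs_Info3_p("s", &v->s[i_s_1], ps, depth))
@@ -1118,7 +1128,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO4,v->count);
+ if (!v->s)
+ return False;
 }
 for (i_s_1=0; i_s_1<v->count;i_s_1++) {
 if (!netdfs_io_dfs_Info4_p("s", &v->s[i_s_1], ps, depth))
@@ -1184,7 +1196,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO200,v->count);
+ if (!v->s)
+ return False;
 }
 for (i_s_1=0; i_s_1<v->count;i_s_1++) {
 if (!netdfs_io_dfs_Info200_p("s", &v->s[i_s_1], ps, depth))
@@ -1250,7 +1264,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO300,v->count);
+ if (!v->s)
+ return False;
 }
 for (i_s_1=0; i_s_1<v->count;i_s_1++) {
 if (!netdfs_io_dfs_Info300_p("s", &v->s[i_s_1], ps, depth))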
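Review bot: The new `if (!v->stores) return False;` in the first hunk (and the matching checks in the seven hunks that follow) treats a NULL result as an allocation failure, but with `prs_alloc_mem` now returning NULL whenever `count` is zero (the `if (size && count)` change in parse_prs.c on this same page), a response carrying `num_stores == 0` or `count == 0` now fails the parse where it previously succeeded with an empty array. Whether a zero-length array is legitimate on the wire for these structures is not visible here; if it is, guard the allocation the way the parse_sec.c hunk does, `if (v->num_stores) { ... }`, so that only a non-zero count yielding NULL is reported as an error. Either way a one-line comment stating that NULL after a zero count is expected, or is deliberately rejected, would spare the next reader this trace. Each of these hunks is a fragment of a function whose start and end lie outside the hunk.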
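Index: samba-3.0.24/source/rpc_parse/parse_lsa.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_lsa.c 2007-05-10 09:47:14.000000000 -0500
+++ samba-3.0.24/source/rpc_parse/parse_lsa.c 2007-05-10 09:47:58.000000000 -0500
@@ -1349,12 +1349,17 @@
 &trn->num_entries2))
 return False;
 
+ if (trn->num_entries2 != trn->num_entries) {
+ /* RPC fault */
+ return False;
+ }
+
 if (UNMARSHALLING(ps)) {
- if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries)) == NULL) {
+ if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries2)) == NULL) {
 return False;
 }
 
- if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) {
+ if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) {
 return False;
 }
 }
@@ -1406,12 +1411,17 @@
 &trn->num_entries2))
 return False;
 
+ if (trn->num_entries2 != trn->num_entries) {
+ /* RPC fault */
+ return False;
+ }
+
 if (UNMARSHALLING(ps)) {
- if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries)) == NULL) {
+ if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries2)) == NULL) {
 return False;
 }
 
- if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) {
+ if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) {
 return False;
 }
 }
@@ -2759,7 +2769,7 @@
 
 static BOOL lsa_io_privilege_set(const char *desc, PRIVILEGE_SET *out, prs_struct *ps, int depth)
 {
- uint32 i;
+ uint32 i, dummy;
 
 prs_debug(ps, depth, desc, "lsa_io_privilege_set");
 depth++;
@@ -2767,7 +2777,7 @@
 if(!prs_align(ps))
 return False;
 
- if(!prs_uint32("count", ps, depth, &out->count))
+ if(!prs_uint32("count", ps, depth, &dummy))
 return False;
 if(!prs_uint32("control", ps, depth, &out->control))
 return False;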
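Review bot: In the `lsa_io_privilege_set` hunk the on-wire `count` is now parsed into `dummy` and discarded, leaving `out->count` untouched, with no comment saying why. Presumably `out->count` is owned by the caller and already reflects the privileges actually present, so the wire value can no longer size a later allocation or loop, but none of that is visible here; a comment on the changed line such as `/* The wire count is not trusted; out->count is set by the caller and must not be overwritten here. */` would record the contract that makes this safe. The two `/* RPC fault */` comments above would likewise be more useful if they said that the allocations that follow are sized from num_entries2, which is why the two counts must agree. The body of lsa_io_privilege_set continues past the end of the hunk.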
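Index: samba-3.0.24/source/rpc_parse/parse_prs.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_prs.c 2007-05-10 09:47:19.000000000 -0500
+++ samba-3.0.24/source/rpc_parse/parse_prs.c 2007-05-10 09:48:03.000000000 -0500
@@ -156,7 +156,7 @@
 {
 char *ret = NULL;
 
- if (size) {
+ if (size && count) {
 /* We can't call the type-safe version here. */
 ret = _talloc_zero_array(ps->mem_ctx, size, count, "parse_prs");
 }
@@ -642,7 +642,7 @@
 return True;
 
 if (UNMARSHALLING(ps)) {
- if ( !(*data = PRS_ALLOC_MEM_VOID(ps, data_size)) )
+ if ( !(*data = (void *)PRS_ALLOC_MEM(ps, char, data_size)) )
 return False;
 }
 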
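Review bot: After the `if (size && count)` change, the function in the first hunk returns NULL both when there is nothing to allocate and when `_talloc_zero_array` fails, and nothing in the hunk says so; a caller that checks the result (the `(void *)PRS_ALLOC_MEM(ps, char, data_size)` site in the second hunk included) will report a zero-length array as a parse failure unless it has already returned for the zero case, which the `return True;` at the top of that hunk may or may not cover. A comment on the `if`, `/* A zero size or count yields NULL without allocating; callers must not read that alone as OOM. */`, would make the contract explicit, and any header comment the function carries (outside this hunk) should state the same. The function's signature lies above the first hunk and its body continues below it.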
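Index: samba-3.0.24/source/rpc_parse/parse_sec.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_sec.c 2007-05-10 09:47:22.000000000 -0500
+++ samba-3.0.24/source/rpc_parse/parse_sec.c 2007-05-10 09:48:01.000000000 -0500
@@ -122,7 +122,7 @@
 for you as it reads them.
 ********************************************************************/
 
-BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth)
+static BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth)
 {
 unsigned int i;
 uint32 old_offset;
@@ -165,13 +165,10 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
- /*
- * Even if the num_aces is zero, allocate memory as there's a difference
- * between a non-present DACL (allow all access) and a DACL with no ACE's
- * (allow no access).
- */
- if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces+1)) == NULL)
- return False;
+ if (psa->num_aces) {
+ if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces)) == NULL)
+ return False;
+ }
 }
 
 for (i = 0; i < psa->num_aces; i++) {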
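Review bot: With the allocation now skipped when `psa->num_aces` is zero, nothing in the unmarshalling branch of the second hunk assigns `psa->ace`, so the field keeps whatever value `psa` was allocated with; if `psa` is not zero-initialised by its allocator (not visible in this hunk), any later `psa->ace != NULL` test would read an indeterminate pointer. An explicit `} else { psa->ace = NULL; }` after the new `if` removes that dependency on the allocator. The removed comment also recorded why an empty DACL is still a valid, distinct object; a one-line replacement such as `/* num_aces == 0 is a valid (deny-all) DACL; the loop below then never touches psa->ace. */` would keep that knowledge in the file. sec_io_acl begins in the first hunk and continues past the second.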
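Index: samba-3.0.24/source/rpc_parse/parse_spoolss.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_spoolss.c 2007-05-10 09:47:16.000000000 -0500
+++ samba-3.0.24/source/rpc_parse/parse_spoolss.c 2007-05-10 09:48:00.000000000 -0500
@@ -227,8 +227,13 @@
 if(!prs_uint32("count2", ps, depth, &type->count2))
 return False;
 
- if (type->count2 != type->count)
+ if (type->count2 != type->count) {
 DEBUG(4,("What a mess, count was %x now is %x !\n", type->count, type->count2));
+ return False;
+ }
+ if (type->count2 > MAX_NOTIFY_TYPE_FOR_NOW) {
+ return False;
+ }
 
 /* parse the option type data */
 for(i=0;i<type->count2;i++)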
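Review bot: The new `MAX_NOTIFY_TYPE_FOR_NOW` bound rejects the request silently, while the count mismatch just above it logs at DEBUG level 4 before returning; an oversized count from a client is exactly the malformed input an operator would want to see in the log when tracing a failed request, so add `DEBUG(4,("count2 %x exceeds MAX_NOTIFY_TYPE_FOR_NOW\n", type->count2));` before that second `return False;`. The enclosing function starts above the hunk and the loop body that consumes count2 continues below it.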