Fix various issues in smblib

* Crash on NTLM handshakes without domain.

* Memory leak on several internal DC connection failures

* Potential buffer overruns on specially crafted tokens

  Detected by Coverity Scan. Issues 740356, 740406, 740428,
   740476, 740477, 740478

diff --git a/lib/smblib/smblib.c b/lib/smblib/smblib.c
index 6c1243322399c3786d9807eae50fb9749d1babbf..a83c978671b0a02c428ec78b905d6265606b9f99 100644 (file)
--- a/lib/smblib/smblib.c
+++ b/lib/smblib/smblib.c
@@ -120,8 +120,10 @@ SMB_Handle_Type SMB_Connect_Server(SMB_Handle_Type Con_Handle,
     strcpy(con -> password, "");
     strcpy(con -> sock_options, "");
     strcpy(con -> address, "");
-    strcpy(con -> desthost, server);
-    strcpy(con -> PDomain, NTdomain);
+    strncpy(con -> desthost, server, sizeof(con->desthost));
+    con->desthost[sizeof(con->desthost) - 1] = '\0';
+    strncpy(con -> PDomain, NTdomain, sizeof(con->PDomain));
+    con->PDomain[sizeof(con->PDomain) - 1] = '\0';
     strcpy(con -> OSName, SMBLIB_DEFAULT_OSNAME);
     strcpy(con -> LMType, SMBLIB_DEFAULT_LMTYPE);
     con -> first_tree = con -> last_tree = NULL;
@@ -213,9 +215,12 @@ SMB_Handle_Type SMB_Connect(SMB_Handle_Type Con_Handle,
 
     /* Init some things ... */
 
-    strcpy(con -> service, service);
-    strcpy(con -> username, username);
-    strcpy(con -> password, password);
+    strncpy(con -> service, service, sizeof(con -> service));
+    con -> service[sizeof(con -> service) - 1] = '\0';
+    strncpy(con -> username, username, sizeof(con -> username));
+    con -> username[sizeof(con -> username) - 1] = '\0';
+    strncpy(con -> password, password, sizeof(con -> password));
+    con -> password[sizeof(con -> password) - 1] = '\0';
     strcpy(con -> sock_options, "");
     strcpy(con -> address, "");
     strcpy(con -> PDomain, SMBLIB_DEFAULT_DOMAIN);
@@ -236,8 +241,17 @@ SMB_Handle_Type SMB_Connect(SMB_Handle_Type Con_Handle,
 
     /* Now figure out the host portion of the service */
 
-    strcpy(temp, service);
+    strncpy(temp, service, sizeof(temp));
+    temp[sizeof(temp) - 1] = '\0';
     host = strtok(temp, "/\\");     /* Separate host name portion */
+    if (!host) {
+        if (Con_Handle == NULL) {
+            free(con);
+            Con_Handle = NULL;
+        }
+        SMBlib_errno = -SMBlibE_CallFailed;
+        return NULL;
+    }
     strcpy(con -> desthost, host);
 
     /* Now connect to the remote end, but first upper case the name of the
@@ -280,9 +294,10 @@ SMB_Handle_Type SMB_Connect(SMB_Handle_Type Con_Handle,
 
     if (SMB_Negotiate(con, SMB_Prots_Restrict) < 0) {
 
-        /* Hmmm what should we do here ... We have a connection, but could not
-           negotiate ...                                                      */
-
+        if (Con_Handle == NULL) {
+            free(con);
+        }
+        SMBlib_errno = -SMBlibE_NegNoProt;
         return NULL;
 
     }
@@ -291,6 +306,10 @@ SMB_Handle_Type SMB_Connect(SMB_Handle_Type Con_Handle,
 
     if ((*tree = SMB_TreeConnect(con, NULL, service, password, "A:")) == NULL) {
 
+        if (Con_Handle == NULL) {
+            free(con);
+        }
+        SMBlib_errno = -SMBlibE_BAD;
         return NULL;
 
     }
@@ -325,7 +344,8 @@ int SMB_Logon_Server(SMB_Handle_Type Con_Handle, char *UserName,
         pass_len = 24;
         memcpy(pword, PassWord, 24);
     } else {
-        strcpy(pword, PassWord);
+        strncpy(pword, PassWord, sizeof(pword));
+        pword[sizeof(pword) - 1] = '\0';
 #ifdef PAM_SMB_ENC_PASS
         if (Con_Handle->encrypt_passwords) {
             pass_len = 24;
@@ -391,7 +411,7 @@ int SMB_Logon_Server(SMB_Handle_Type Con_Handle, char *UserName,
 
         p = p + 1;
 
-        if (NtDomain != NULL) {
+        if (NtDomain == NULL) {
             strcpy(p, Con_Handle -> PDomain);
             p = p + strlen(Con_Handle -> PDomain);
         } else {