From: Shwetha K Acharya <Shwetha.K.Acharya@ibm.com>
Date: Mon, 1 Sep 2025 08:50:39 +0000 (+0530)
Subject: s3:shadow_copy: CID 1449539 talloc_realloc and error handling
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0db0aff37cfe6c9aada202f58ce7cd8341b97479;p=thirdparty%2Fsamba.git

s3:shadow_copy: CID 1449539 talloc_realloc and error handling

- Replace TALLOC_REALLOC with talloc_realloc inorder to handle
  the integer overflow better.
- Rename tlabels as tmp_labels for clarity.
- Use shadow_copy_data->labels directly after successful
  reallocation instead of relying on a temporary variable.
- Ensure that  shadow_copy_data->num_volumes is set to 0 and
  shadow_copy_data->labels is freed on error paths inorder to
  address the potential resource leaks.

Fixes: CID_1449539

Signed-off-by: Shwetha K Acharya <Shwetha.K.Acharya@ibm.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>

Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Sat Sep  6 10:34:27 UTC 2025 on atb-devel-224
---

diff --git a/source3/modules/vfs_shadow_copy.c b/source3/modules/vfs_shadow_copy.c
index c99d933a5d3..1796bd1573f 100644
--- a/source3/modules/vfs_shadow_copy.c
+++ b/source3/modules/vfs_shadow_copy.c
@@ -190,7 +190,7 @@ static int shadow_copy_get_shadow_copy_data(vfs_handle_struct *handle,
 	shadow_copy_data->labels = NULL;
 
 	while (True) {
-		SHADOW_COPY_LABEL *tlabels;
+		SHADOW_COPY_LABEL *tmp_labels = NULL;
 		int ret;
 
 		dname = ReadDirName(dir_hnd, &talloced);
@@ -213,27 +213,32 @@ static int shadow_copy_get_shadow_copy_data(vfs_handle_struct *handle,
 			continue;
 		}
 
-		tlabels = (SHADOW_COPY_LABEL *)TALLOC_REALLOC(shadow_copy_data,
-									shadow_copy_data->labels,
-									(shadow_copy_data->num_volumes+1)*sizeof(SHADOW_COPY_LABEL));
-		if (tlabels == NULL) {
+		tmp_labels = talloc_realloc(shadow_copy_data, shadow_copy_data->labels,
+				            SHADOW_COPY_LABEL, shadow_copy_data->num_volumes + 1);
+
+		if (tmp_labels == NULL) {
 			DEBUG(0,("shadow_copy_get_shadow_copy_data: Out of memory\n"));
+			shadow_copy_data->num_volumes = 0;
+			TALLOC_FREE(shadow_copy_data->labels);
 			TALLOC_FREE(talloced);
 			TALLOC_FREE(dir_hnd);
 			return -1;
 		}
 
-		ret = strlcpy(tlabels[shadow_copy_data->num_volumes], dname,
-			      sizeof(tlabels[shadow_copy_data->num_volumes]));
-		if (ret != sizeof(tlabels[shadow_copy_data->num_volumes]) - 1) {
+		shadow_copy_data->labels = tmp_labels;
+
+		ret = strlcpy(shadow_copy_data->labels[shadow_copy_data->num_volumes], dname,
+			      sizeof(shadow_copy_data->labels[shadow_copy_data->num_volumes]));
+		if (ret != sizeof(shadow_copy_data->labels[shadow_copy_data->num_volumes]) - 1) {
 			DBG_ERR("malformed label %s\n", dname);
+			shadow_copy_data->num_volumes = 0;
+			TALLOC_FREE(shadow_copy_data->labels);
 			TALLOC_FREE(talloced);
 			TALLOC_FREE(dir_hnd);
 			return -1;
 		}
 		shadow_copy_data->num_volumes++;
 
-		shadow_copy_data->labels = tlabels;
 		TALLOC_FREE(talloced);
 	}