From: Tomas Hozza Date: Sat, 15 Dec 2012 04:30:03 +0000 (+1300) Subject: Fix various issues in smblib X-Git-Tag: SQUID_3_4_0_1~436 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cfe771a73d990376f0d3c3dec8d2cd11f1715dc0;p=thirdparty%2Fsquid.git Fix various issues in smblib * Crash on NTLM handshakes without domain. * Memory leak on several internal DC connection failures * Potential buffer overruns on specially crafted tokens Detected by Coverity Scan. Issues 740356, 740406, 740428, 740476, 740477, 740478
---
diff --git a/lib/smblib/smblib.c b/lib/smblib/smblib.c
index 6c12433223..a83c978671 100644
--- a/lib/smblib/smblib.c
+++ b/lib/smblib/smblib.c
@@ -120,8 +120,10 @@ SMB_Handle_Type SMB_Connect_Server(SMB_Handle_Type Con_Handle,
 strcpy(con -> password, "");
 strcpy(con -> sock_options, "");
 strcpy(con -> address, "");
- strcpy(con -> desthost, server);
- strcpy(con -> PDomain, NTdomain);
+ strncpy(con -> desthost, server, sizeof(con->desthost));
+ con->desthost[sizeof(con->desthost) - 1] = '\0';
+ strncpy(con -> PDomain, NTdomain, sizeof(con->PDomain));
+ con->PDomain[sizeof(con->PDomain) - 1] = '\0';
 strcpy(con -> OSName, SMBLIB_DEFAULT_OSNAME);
 strcpy(con -> LMType, SMBLIB_DEFAULT_LMTYPE);
 con -> first_tree = con -> last_tree = NULL;
@@ -213,9 +215,12 @@ SMB_Handle_Type SMB_Connect(SMB_Handle_Type Con_Handle,
 /* Init some things ... */
- strcpy(con -> service, service);
- strcpy(con -> username, username);
- strcpy(con -> password, password);
+ strncpy(con -> service, service, sizeof(con -> service));
+ con -> service[sizeof(con -> service) - 1] = '\0';
+ strncpy(con -> username, username, sizeof(con -> username));
+ con -> username[sizeof(con -> username) - 1] = '\0';
+ strncpy(con -> password, password, sizeof(con -> password));
+ con -> password[sizeof(con -> password) - 1] = '\0';
 strcpy(con -> sock_options, "");
 strcpy(con -> address, "");
 strcpy(con -> PDomain, SMBLIB_DEFAULT_DOMAIN);
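Review bot: The bounded copies into desthost and PDomain now truncate silently, so a server name or domain longer than the field makes the library contact a different host, or authenticate against a different domain, than the caller asked for, with no error returned. An overlong value should be rejected before the copies instead: `if (strlen(server) >= sizeof(con->desthost) || strlen(NTdomain) >= sizeof(con->PDomain)) { if (Con_Handle == NULL) free(con); SMBlib_errno = /* library's bad-argument code */; return NULL; }`, mirroring the cleanup shape the later SMB_Connect failure paths in this commit use. If callers can pass NTdomain as NULL (the commit message mentions handshakes without a domain), strncpy dereferences it here exactly as strcpy did, so a NULL check belongs in the same guard. SMB_Connect_Server's body begins and ends outside the hunk.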
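Review bot: The strncpy-then-terminate pair is now written out three times here for service, username and password (and twice more in SMB_Connect_Server), which is easy to get wrong on the next edit and still truncates silently — a truncated password goes out as a wrong credential with no indication to the caller. One bounded formatting call does both steps and reports truncation: `if (snprintf(con -> password, sizeof(con -> password), "%s", password) >= (int)sizeof(con -> password)) { /* reject overlong value */ }`, or a small static helper shared by all five sites. A short comment on the block, `/* Copy caller-supplied strings into fixed-size fields; overlong values must not be silently shortened */`, would record the intent. SMB_Connect continues outside the hunk.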
@@ -236,8 +241,17 @@ SMB_Handle_Type SMB_Connect(SMB_Handle_Type Con_Handle,
 /* Now figure out the host portion of the service */
- strcpy(temp, service);
+ strncpy(temp, service, sizeof(temp));
+ temp[sizeof(temp) - 1] = '\0';
 host = strtok(temp, "/\\"); /* Separate host name portion */
+ if (!host) {
+ if (Con_Handle == NULL) {
+ free(con);
+ Con_Handle = NULL;
+ }
+ SMBlib_errno = -SMBlibE_CallFailed;
+ return NULL;
+ }
 strcpy(con -> desthost, host);
 /* Now connect to the remote end, but first upper case the name of the
@@ -280,9 +294,10 @@ SMB_Handle_Type SMB_Connect(SMB_Handle_Type Con_Handle,
 if (SMB_Negotiate(con, SMB_Prots_Restrict) < 0) {
- /* Hmmm what should we do here ... We have a connection, but could not
- negotiate ... */
-
+ if (Con_Handle == NULL) {
+ free(con);
+ }
+ SMBlib_errno = -SMBlibE_NegNoProt;
 return NULL;
 }
@@ -291,6 +306,10 @@ SMB_Handle_Type SMB_Connect(SMB_Handle_Type Con_Handle,
 if ((*tree = SMB_TreeConnect(con, NULL, service, password, "A:")) == NULL) {
+ if (Con_Handle == NULL) {
+ free(con);
+ }
+ SMBlib_errno = -SMBlibE_BAD;
 return NULL;
 }
@@ -325,7 +344,8 @@ int SMB_Logon_Server(SMB_Handle_Type Con_Handle, char *UserName,
 pass_len = 24;
 memcpy(pword, PassWord, 24);
 } else {
- strcpy(pword, PassWord);
+ strncpy(pword, PassWord, sizeof(pword));
+ pword[sizeof(pword) - 1] = '\0';
 #ifdef PAM_SMB_ENC_PASS
 if (Con_Handle->encrypt_passwords) {
 pass_len = 24;
@@ -391,7 +411,7 @@ int SMB_Logon_Server(SMB_Handle_Type Con_Handle, char *UserName,
 p = p + 1;
- if (NtDomain != NULL) {
+ if (NtDomain == NULL) {
 strcpy(p, Con_Handle -> PDomain);
 p = p + strlen(Con_Handle -> PDomain);
 } else {
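Review bot: `strcpy(con -> desthost, host);` immediately after the new NULL check is still an unbounded copy while every sibling copy in this commit was bounded; host is at most sizeof(temp)-1 bytes, which is safe only if temp is no larger than desthost, and neither size is visible in this hunk. Bounding it the same way, `strncpy(con -> desthost, host, sizeof(con -> desthost)); con -> desthost[sizeof(con -> desthost) - 1] = '\0';`, removes the dependence on the two array sizes agreeing. The `Con_Handle = NULL;` after free(con) is a dead store to a local parameter and is not done in the two later cleanup paths of this commit; dropping it keeps the three paths identical. SMB_Connect continues outside the hunk.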
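Review bot: Freeing con on negotiate failure fixes the heap leak, but going by the comment this hunk removes ("We have a connection, but could not negotiate") and the connect step that follows the host parsing earlier in SMB_Connect, the transport connection opened before SMB_Negotiate is not closed on this path, so that descriptor still leaks; the same applies to the SMB_TreeConnect failure path in the next hunk. Whatever the library uses to tear down that connection should run before `free(con)`, and in the Con_Handle != NULL case as well, since the caller's handle is otherwise left holding a dead connection it cannot distinguish from a live one. A comment such as `/* Connected but no common dialect: release the transport, then the handle if we own it */` would make the ownership explicit. The function continues outside the hunk, so I cannot confirm the connection field's name from here.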
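Review bot: The bounded copy into pword now truncates an overlong clear-text password silently, so the logon is attempted with a different secret than the caller supplied and fails as an ordinary wrong-password result rather than a length error; rejecting it is clearer: `if (strlen(PassWord) >= sizeof(pword)) return /* negative bad-argument code */;` using whichever code SMB_Logon_Server returns for bad input, which this hunk does not show. The NTLM-hash branch above copies exactly 24 bytes while this branch copies a NUL-terminated string, so the two length contracts differ and deserve a comment on the else, e.g. `/* Clear-text password: bounded copy, must fit in pword */`. pword holds a credential on the stack; clearing it before return is worth a follow-up, though it is outside this change. SMB_Logon_Server's body begins and ends outside the hunk.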
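Review bot: The corrected test, `if (NtDomain == NULL) {` falling back to Con_Handle -> PDomain, is the crash fix named in the commit message but carries no comment, and an inverted condition is exactly the kind of change that gets "fixed" back later; a one-liner above it such as `/* No caller-supplied domain: use the connection's default domain (PDomain) */` would protect it. Both branches copy a domain into the request at p with strcpy and no check against the remaining space in the request buffer; PDomain is bounded by the connect-time copy elsewhere in this commit, but whether the else branch, which starts outside this hunk, bounds NtDomain I cannot see from here. SMB_Logon_Server continues outside the hunk.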