]> git.ipfire.org Git - thirdparty/samba.git/commitdiff
s3:smbd/utmp: fix potential negative index in ut_id_encode
authorDaniil Sarafannikov <sarafannikovda@sgu.ru>
Mon, 22 Jun 2026 18:05:30 +0000 (22:05 +0400)
committerVolker Lendecke <vl@samba.org>
Tue, 30 Jun 2026 12:35:36 +0000 (12:35 +0000)
session_global_id is a uint32_t, but ut_id_encode() takes int.
In case session ID is larger than INT_MAX, the conversion may
lead to negative value and after modulo operation `i % nbase`
it may be negative.

Change the argument type to unsigned int and update all
callers (sys_utmp_fill, sys_utmp_claim, sys_utmp_yield) to
use uint32_t.

Pair-Programmed-With: Dina Tagantseva <dinchik@altlinux.org>
Signed-off-by: Daniil Sarafannikov <sarafannikovda@sgu.ru>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
source3/smbd/proto.h
source3/smbd/session.c
source3/smbd/utmp.c

index f0c5ea821988edaa1666e77f20ecfafb4ccd1636..02492817dad726bd06dc2bfffa88cc95f7d5d2d8 100644 (file)
@@ -1138,9 +1138,9 @@ const struct security_token *get_current_nttok(connection_struct *conn);
 /* The following definitions come from smbd/utmp.c  */
 
 void sys_utmp_claim(const char *username, const char *hostname,
-                   const char *id_str, int id_num);
+                   const char *id_str, uint32_t id_num);
 void sys_utmp_yield(const char *username, const char *hostname,
-                   const char *id_str, int id_num);
+                   const char *id_str, uint32_t id_num);
 
 /* The following definitions come from smbd/vfs.c  */
 
index abc799105f00c29170b2f3b4a5b6b3a60ae8d737..51fb782fff46be5679de48c4e1f8a440e5ee0449 100644 (file)
@@ -46,7 +46,7 @@ bool session_claim(struct smbXsrv_session *session)
                session->global->auth_session_info;
        const char *username;
        const char *hostname;
-       unsigned int id_num;
+       uint32_t id_num;
        fstring id_str;
 
        /* don't register sessions for the guest user - its just too
@@ -57,7 +57,7 @@ bool session_claim(struct smbXsrv_session *session)
 
        id_num = session->global->session_global_id;
 
-       snprintf(id_str, sizeof(id_str), "smb/%u", id_num);
+       snprintf(id_str, sizeof(id_str), "smb/%"PRIu32, id_num);
 
        /* Make clear that we require the optional unix_token in the source3 code */
        SMB_ASSERT(session_info->unix_token);
@@ -88,12 +88,12 @@ void session_yield(struct smbXsrv_session *session)
                session->global->auth_session_info;
        const char *username;
        const char *hostname;
-       unsigned int id_num;
+       uint32_t id_num;
        fstring id_str = "";
 
        id_num = session->global->session_global_id;
 
-       snprintf(id_str, sizeof(id_str), "smb/%u", id_num);
+       snprintf(id_str, sizeof(id_str), "smb/%"PRIu32, id_num);
 
        /* Make clear that we require the optional unix_token in the source3 code */
        SMB_ASSERT(session_info->unix_token);
index 4327301e3b15fc744b9c1da8bb964dc54ee9e483..c229bee31d45152af6fd90a9b02e71763f1a7565 100644 (file)
@@ -115,11 +115,11 @@ Notes:
  */
 
 void sys_utmp_claim(const char *username, const char *hostname,
-                   const char *id_str, int id_num)
+                   const char *id_str, uint32_t id_num)
 {}
 
 void sys_utmp_yield(const char *username, const char *hostname,
-                   const char *id_str, int id_num)
+                   const char *id_str, uint32_t id_num)
 {}
 
 #else /* WITH_UTMP */
@@ -467,9 +467,9 @@ static void sys_utmp_update(struct utmp *u, const char *hostname, bool claim)
  Encode the unique connection number into "ut_id".
 ****************************************************************************/
 
-static int ut_id_encode(int i, char *fourbyte)
+static int ut_id_encode(uint32_t i, char *fourbyte)
 {
-       int nbase;
+       size_t nbase;
        const char *ut_id_encstr = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
 
 /*
@@ -498,7 +498,7 @@ static int ut_id_encode(int i, char *fourbyte)
 */
 static bool sys_utmp_fill(struct utmp *u,
                        const char *username, const char *hostname,
-                       const char *id_str, int id_num)
+                       const char *id_str, uint32_t id_num)
 {
        struct timeval timeval;
 
@@ -546,7 +546,7 @@ static bool sys_utmp_fill(struct utmp *u,
 
 #if defined(HAVE_UT_UT_ID)
        if (ut_id_encode(id_num, u->ut_id) != 0) {
-               DEBUG(1,("utmp_fill: cannot encode id %d\n", id_num));
+               DEBUG(1,("utmp_fill: cannot encode id %"PRIu32"\n", id_num));
                return False;
        }
 #endif
@@ -559,7 +559,7 @@ static bool sys_utmp_fill(struct utmp *u,
 ****************************************************************************/
 
 void sys_utmp_yield(const char *username, const char *hostname,
-                   const char *id_str, int id_num)
+                   const char *id_str, uint32_t id_num)
 {
        struct utmp u;
 
@@ -585,7 +585,7 @@ void sys_utmp_yield(const char *username, const char *hostname,
 ****************************************************************************/
 
 void sys_utmp_claim(const char *username, const char *hostname,
-                   const char *id_str, int id_num)
+                   const char *id_str, uint32_t id_num)
 {
        struct utmp u;