From: Daniil Sarafannikov Date: Mon, 22 Jun 2026 18:05:30 +0000 (+0400) Subject: s3:smbd/utmp: fix potential negative index in ut_id_encode X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4c092553a86c5b46bb8ee3228b54e39bb6229353;p=thirdparty%2Fsamba.git s3:smbd/utmp: fix potential negative index in ut_id_encode session_global_id is a uint32_t, but ut_id_encode() takes int. In case session ID is larger than INT_MAX, the conversion may lead to negative value and after modulo operation `i % nbase` it may be negative. Change the argument type to unsigned int and update all callers (sys_utmp_fill, sys_utmp_claim, sys_utmp_yield) to use uint32_t. Pair-Programmed-With: Dina Tagantseva Signed-off-by: Daniil Sarafannikov Reviewed-by: Anoop C S Reviewed-by: Volker Lendecke --- diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h index f0c5ea82198..02492817dad 100644 --- a/source3/smbd/proto.h +++ b/source3/smbd/proto.h @@ -1138,9 +1138,9 @@ const struct security_token *get_current_nttok(connection_struct *conn); /* The following definitions come from smbd/utmp.c */ void sys_utmp_claim(const char *username, const char *hostname, - const char *id_str, int id_num); + const char *id_str, uint32_t id_num); void sys_utmp_yield(const char *username, const char *hostname, - const char *id_str, int id_num); + const char *id_str, uint32_t id_num); /* The following definitions come from smbd/vfs.c */ diff --git a/source3/smbd/session.c b/source3/smbd/session.c index abc799105f0..51fb782fff4 100644 --- a/source3/smbd/session.c +++ b/source3/smbd/session.c @@ -46,7 +46,7 @@ bool session_claim(struct smbXsrv_session *session) session->global->auth_session_info; const char *username; const char *hostname; - unsigned int id_num; + uint32_t id_num; fstring id_str; /* don't register sessions for the guest user - its just too @@ -57,7 +57,7 @@ bool session_claim(struct smbXsrv_session *session) id_num = session->global->session_global_id; - snprintf(id_str, sizeof(id_str), "smb/%u", id_num); + snprintf(id_str, sizeof(id_str), "smb/%"PRIu32, id_num); /* Make clear that we require the optional unix_token in the source3 code */ SMB_ASSERT(session_info->unix_token); @@ -88,12 +88,12 @@ void session_yield(struct smbXsrv_session *session) session->global->auth_session_info; const char *username; const char *hostname; - unsigned int id_num; + uint32_t id_num; fstring id_str = ""; id_num = session->global->session_global_id; - snprintf(id_str, sizeof(id_str), "smb/%u", id_num); + snprintf(id_str, sizeof(id_str), "smb/%"PRIu32, id_num); /* Make clear that we require the optional unix_token in the source3 code */ SMB_ASSERT(session_info->unix_token); diff --git a/source3/smbd/utmp.c b/source3/smbd/utmp.c index 4327301e3b1..c229bee31d4 100644 --- a/source3/smbd/utmp.c +++ b/source3/smbd/utmp.c @@ -115,11 +115,11 @@ Notes: */ void sys_utmp_claim(const char *username, const char *hostname, - const char *id_str, int id_num) + const char *id_str, uint32_t id_num) {} void sys_utmp_yield(const char *username, const char *hostname, - const char *id_str, int id_num) + const char *id_str, uint32_t id_num) {} #else /* WITH_UTMP */ @@ -467,9 +467,9 @@ static void sys_utmp_update(struct utmp *u, const char *hostname, bool claim) Encode the unique connection number into "ut_id". ****************************************************************************/ -static int ut_id_encode(int i, char *fourbyte) +static int ut_id_encode(uint32_t i, char *fourbyte) { - int nbase; + size_t nbase; const char *ut_id_encstr = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; /* @@ -498,7 +498,7 @@ static int ut_id_encode(int i, char *fourbyte) */ static bool sys_utmp_fill(struct utmp *u, const char *username, const char *hostname, - const char *id_str, int id_num) + const char *id_str, uint32_t id_num) { struct timeval timeval; @@ -546,7 +546,7 @@ static bool sys_utmp_fill(struct utmp *u, #if defined(HAVE_UT_UT_ID) if (ut_id_encode(id_num, u->ut_id) != 0) { - DEBUG(1,("utmp_fill: cannot encode id %d\n", id_num)); + DEBUG(1,("utmp_fill: cannot encode id %"PRIu32"\n", id_num)); return False; } #endif @@ -559,7 +559,7 @@ static bool sys_utmp_fill(struct utmp *u, ****************************************************************************/ void sys_utmp_yield(const char *username, const char *hostname, - const char *id_str, int id_num) + const char *id_str, uint32_t id_num) { struct utmp u; @@ -585,7 +585,7 @@ void sys_utmp_yield(const char *username, const char *hostname, ****************************************************************************/ void sys_utmp_claim(const char *username, const char *hostname, - const char *id_str, int id_num) + const char *id_str, uint32_t id_num) { struct utmp u;