From: Tomas Hozza
Date: Mon, 28 Jan 2013 04:27:32 +0000 (-0700)
Subject: Fix various issues in smblib
X-Git-Tag: SQUID_3_2_7~23
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=529aff0adbf41465ad269011329bb17d7b09bb2b;p=thirdparty%2Fsquid.git

Fix various issues in smblib

* Crash on NTLM handshakes without domain.
* Memory leak on several internal DC connection failures
* Potential buffer overruns on specially crafted tokens

Detected by Coverity Scan. Issues 740356, 740406, 740428, 740476, 740477, 740478
---

diff --git a/lib/smblib/smblib.c b/lib/smblib/smblib.c
index d32406a5e9..aa95b5e614 100644
--- a/lib/smblib/smblib.c
+++ b/lib/smblib/smblib.c
@@ -122,8 +122,10 @@ SMB_Handle_Type SMB_Connect_Server(SMB_Handle_Type Con_Handle,
     strcpy(con -> password, "");
     strcpy(con -> sock_options, "");
     strcpy(con -> address, "");
-    strcpy(con -> desthost, server);
-    strcpy(con -> PDomain, NTdomain);
+    strncpy(con -> desthost, server, sizeof(con->desthost));
+    con->desthost[sizeof(con->desthost) - 1] = '\0';
+    strncpy(con -> PDomain, NTdomain, sizeof(con->PDomain));
+    con->PDomain[sizeof(con->PDomain) - 1] = '\0';
     strcpy(con -> OSName, SMBLIB_DEFAULT_OSNAME);
     strcpy(con -> LMType, SMBLIB_DEFAULT_LMTYPE);
     con -> first_tree = con -> last_tree = NULL;
@@ -216,9 +218,12 @@ SMB_Handle_Type SMB_Connect(SMB_Handle_Type Con_Handle,
     /* Init some things ... */
-    strcpy(con -> service, service);
-    strcpy(con -> username, username);
-    strcpy(con -> password, password);
+    strncpy(con -> service, service, sizeof(con -> service));
+    con -> service[sizeof(con -> service) - 1] = '\0';
+    strncpy(con -> username, username, sizeof(con -> username));
+    con -> username[sizeof(con -> username) - 1] = '\0';
+    strncpy(con -> password, password, sizeof(con -> password));
+    con -> password[sizeof(con -> password) - 1] = '\0';
     strcpy(con -> sock_options, "");
     strcpy(con -> address, "");
     strcpy(con -> PDomain, SMBLIB_DEFAULT_DOMAIN);
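Review bot: The bounded copies of `server` and `NTdomain` into `con->desthost` and `con->PDomain` truncate silently, so an over-long server name or domain is quietly rewritten into a different hostname or domain before any connection is attempted; for a destination host that is safer to reject than to truncate. The same applies to the service/username/password copies in the next hunk of SMB_Connect and to the pword copy in SMB_Logon_Server, where a truncated password can at best fail authentication. A check such as `if (strlen(server) >= sizeof(con->desthost)) { SMBlib_errno = -SMBlibE_BAD; return NULL; }` before the copy makes the failure explicit, with the same release of a freshly allocated con that the function's other error returns perform. If NTdomain may be NULL here (the commit fixes a NULL-domain crash in SMB_Logon_Server, so callers evidently do omit a domain), the strncpy would still dereference it and wants a NULL guard or a default. The body of SMB_Connect_Server continues outside the hunk, and the new lines mix `con->desthost` with the file's `con -> desthost` spacing.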
@@ -239,8 +244,17 @@ SMB_Handle_Type SMB_Connect(SMB_Handle_Type Con_Handle,
     /* Now figure out the host portion of the service */
-    strcpy(temp, service);
+    strncpy(temp, service, sizeof(temp));
+    temp[sizeof(temp) - 1] = '\0';
     host = strtok(temp, "/\\"); /* Separate host name portion */
+    if (!host) {
+        if (Con_Handle == NULL) {
+            free(con);
+            Con_Handle = NULL;
+        }
+        SMBlib_errno = -SMBlibE_CallFailed;
+        return NULL;
+    }
     strcpy(con -> desthost, host);
     /* Now connect to the remote end, but first upper case the name of the
@@ -283,9 +297,10 @@ SMB_Handle_Type SMB_Connect(SMB_Handle_Type Con_Handle,
     if (SMB_Negotiate(con, SMB_Prots_Restrict) < 0) {
-        /* Hmmm what should we do here ... We have a connection, but could not
-           negotiate ... */
-
+        if (Con_Handle == NULL) {
+            free(con);
+        }
+        SMBlib_errno = -SMBlibE_NegNoProt;
         return NULL;
     }
@@ -294,6 +309,10 @@ SMB_Handle_Type SMB_Connect(SMB_Handle_Type Con_Handle,
     if ((*tree = SMB_TreeConnect(con, NULL, service, password, "A:")) == NULL) {
+        if (Con_Handle == NULL) {
+            free(con);
+        }
+        SMBlib_errno = -SMBlibE_BAD;
         return NULL;
     }
@@ -328,7 +347,8 @@ int SMB_Logon_Server(SMB_Handle_Type Con_Handle, char *UserName,
         pass_len = 24;
         memcpy(pword, PassWord, 24);
     } else {
-        strcpy(pword, PassWord);
+        strncpy(pword, PassWord, sizeof(pword));
+        pword[sizeof(pword) - 1] = '\0';
 #ifdef PAM_SMB_ENC_PASS
         if (Con_Handle->encrypt_passwords) {
             pass_len = 24;
@@ -394,7 +414,7 @@ int SMB_Logon_Server(SMB_Handle_Type Con_Handle, char *UserName,
     p = p + 1;
-    if (NtDomain != NULL) {
+    if (NtDomain == NULL) {
         strcpy(p, Con_Handle -> PDomain);
         p = p + strlen(Con_Handle -> PDomain);
     } else {
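Review bot: The copy `strcpy(con -> desthost, host);` that follows the new NULL check is still unbounded: `host` is a prefix of `temp`, and `temp` was only bounded to its own size, so unless `sizeof(temp)` is known to be no larger than `sizeof(con -> desthost)` (both declared outside the hunk) an over-long service string can still overrun desthost. Bound it the same way as the other copies in this commit, `strncpy(con -> desthost, host, sizeof(con -> desthost)); con -> desthost[sizeof(con -> desthost) - 1] = '\0';`, or reject the input when `strlen(host) >= sizeof(con -> desthost)`. The assignment `Con_Handle = NULL;` inside the new error block writes a by-value parameter that is never read again before the return and can be dropped. SMB_Connect's body continues on both sides of the hunk.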
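Review bot: The new failure path after `SMB_Negotiate` frees `con` but does not close whatever the connection step earlier in SMB_Connect (outside this hunk, after "Now connect to the remote end") opened on it; if a socket descriptor is stored in con at this point, `free(con)` fixes the struct leak but leaks the descriptor. The same pattern appears in the following hunk after `SMB_TreeConnect`. Closing the connection before `free(con)` — or routing both paths through the library's disconnect routine, if one exists — would release both resources. Freeing only when `Con_Handle == NULL`, i.e. when this call allocated con, is consistent with the strtok error path earlier in the function.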
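Review bot: The inverted condition `if (NtDomain == NULL)` is the fix for the NULL-domain crash named in the commit message, but nothing at the site says so, and the fallback relies on `Con_Handle -> PDomain` being NUL-terminated, which the first hunk now guarantees only for handles initialised through SMB_Connect_Server. A comment such as `/* No domain supplied: fall back to the connection's default domain (PDomain) */` above the `if` would record that intent. The `strcpy` into `p` remains unbounded and the size of the buffer p points into is not visible here; that is worth the same bounding treatment as the other copies if the buffer is fixed-size. The else branch and the rest of SMB_Logon_Server lie outside the hunk.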