From: Andreas Schneider
Date: Mon, 8 Jul 2024 09:25:32 +0000 (+0200)
Subject: s3:modules: Make nread a size_t and check for possible overflow
X-Git-Tag: tdb-1.4.11~125
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f3da16937aecca2d8b8ddc8e37f1e9386c0f3367;p=thirdparty%2Fsamba.git

s3:modules: Make nread a size_t and check for possible overflow

"Error: INTEGER_OVERFLOW (CWE-190):
samba-4.20.0rc2/source3/modules/vfs_preopen.c:215: tainted_data_return: Called function "read(sock_fd, namebuf + nread, talloc_get_size(namebuf) - nread)", and a possible return value may be less than zero.
samba-4.20.0rc2/source3/modules/vfs_preopen.c:215: assign: Assigning: "thistime" = "read(sock_fd, namebuf + nread, talloc_get_size(namebuf) - nread)".
samba-4.20.0rc2/source3/modules/vfs_preopen.c:221: overflow: The expression "nread" is considered to have possibly overflowed.
samba-4.20.0rc2/source3/modules/vfs_preopen.c:215: overflow: The expression "talloc_get_size(namebuf) - nread" is deemed overflowed because at least one of its arguments has overflowed.
samba-4.20.0rc2/source3/modules/vfs_preopen.c:215: overflow_sink: "talloc_get_size(namebuf) - nread", which might have underflowed, is passed to "read(sock_fd, namebuf + nread, talloc_get_size(namebuf) - nread)".
[Note: The source code implementation of the function has been overridden by a builtin model.]
213|   ssize_t thistime;
214|
215|-> thistime = read(sock_fd, namebuf + nread,
216|                   talloc_get_size(namebuf) - nread);
217|   if (thistime <= 0) {"

Signed-off-by: Andreas Schneider
Reviewed-by: Guenther Deschner
---

diff --git a/source3/modules/vfs_preopen.c b/source3/modules/vfs_preopen.c
index 1e571569192..aa37158cf20 100644
--- a/source3/modules/vfs_preopen.c
+++ b/source3/modules/vfs_preopen.c
@@ -203,13 +203,11 @@ static bool preopen_helper_open_one(int sock_fd, char **pnamebuf, size_t to_read, void *filebuf) { char *namebuf = *pnamebuf; - ssize_t nread; + size_t nread = 0; ssize_t chunk; char c = 0; int fd; - nread = 0; - do { chunk = read(sock_fd, namebuf + nread, talloc_get_size(namebuf) - nread); @@ -217,6 +215,9 @@ static bool preopen_helper_open_one(int sock_fd, char **pnamebuf, return false; } + if (nread + chunk < nread) { + return false; + } nread += chunk; if (nread == talloc_get_size(namebuf)) {
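Review bot: in the first hunk (`@@ -203,13 +203,11 @@`), making `nread` a `size_t` is what actually removes the hazard in `talloc_get_size(namebuf) - nread`: with a signed `nread`, a negative value is converted to `size_t` before the subtraction and `read()` would be handed a length far beyond the allocation. The subtraction is now purely unsigned and depends on `nread` never exceeding `talloc_get_size(namebuf)`, an invariant upheld only by the `if (nread == talloc_get_size(namebuf))` branch at the end of the second hunk; a one-line comment on the `read()` call stating that invariant would save the next reader from re-deriving it. Because `chunk` stays `ssize_t`, `nread += chunk` in the next hunk mixes signed and unsigned and is safe only because the error check directly above it (the `return false;` context at the top of the second hunk; `if (thistime <= 0)` in the rc2 excerpt quoted in the commit message) has already rejected a non-positive `chunk`, so that check must stay immediately before the addition.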
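Review bot: in the second hunk (`@@ -217,6 +215,9 @@`), `if (nread + chunk < nread)` is a correct unsigned-wrap check as written (`chunk` is positive after the preceding `return false;` and is promoted to `size_t` in the addition), but it cannot fire in this loop: `read()` was asked for at most `talloc_get_size(namebuf) - nread` bytes, so `nread + chunk` can never exceed the allocation, let alone wrap. It silences the analyser rather than guarding a reachable state, and a comment should say so. If a real guard is wanted, `if ((size_t)chunk > talloc_get_size(namebuf) - nread) { return false; }` expresses the invariant the code relies on (a `read()` returning more than it was asked for is the only way the sum could go wrong) and keeps the following `if (nread == talloc_get_size(namebuf))` test meaningful.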
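To make the arithmetic behind the Coverity finding quoted in the commit message concrete, here is an added example in C. It is not Samba code: `read()` on the helper socket is replaced by a constructed in-memory source (`mem_source`, `mem_read`), `bufsize` stands in for `talloc_get_size(namebuf)`, and `read_name()` follows the shape of the patched loop but uses a fixed buffer instead of growing it with `talloc_realloc`. `remaining_with_signed()` shows what the old `ssize_t` accumulator would do to the length passed to `read()`; the inputs in `main()` are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t */

/* Constructed stand-in for the helper socket (not Samba code): serves bytes
 * from memory and caps each call at max_chunk bytes (0 = no cap) so that
 * short reads can be simulated. */
struct mem_source {
    const char *data;
    size_t len;
    size_t pos;
    size_t max_chunk;
};

/* Same contract as read(2): number of bytes delivered, 0 at end of stream. */
static ssize_t mem_read(struct mem_source *src, char *buf, size_t count)
{
    size_t left = src->len - src->pos;
    size_t n = left < count ? left : count;

    if (src->max_chunk != 0 && n > src->max_chunk) {
        n = src->max_chunk;
    }
    memcpy(buf, src->data + src->pos, n);
    src->pos += n;
    return (ssize_t)n;
}

/* The hazard Coverity points at: with a signed accumulator, the length handed
 * to read() is "size_t minus ssize_t". A negative nread is converted to
 * size_t first, so the "remaining space" wraps to more than the whole buffer
 * (bufsize plays the role of talloc_get_size(namebuf)). */
static size_t remaining_with_signed(size_t bufsize, ssize_t nread)
{
    return bufsize - nread;
}

/* Reader in the shape of the patched loop: unsigned accumulator, request
 * bounded by the space left, sum checked for unsigned wrap before it is
 * stored. Stops when the last byte read is the NUL terminator. Returns true
 * with *name_len set, or false on EOF, error, wrap, or a full buffer without
 * a terminator (where Samba would grow the talloc buffer instead). */
static bool read_name(struct mem_source *src, char *namebuf, size_t bufsize,
                      size_t *name_len)
{
    size_t nread = 0;
    ssize_t chunk;

    do {
        if (nread == bufsize) {
            return false;
        }
        chunk = mem_read(src, namebuf + nread, bufsize - nread);
        if (chunk <= 0) {
            return false;
        }
        /* chunk is positive here and is promoted to size_t in the addition,
         * so this is a plain unsigned-wrap check on the accumulator. */
        if (nread + chunk < nread) {
            return false;
        }
        nread += chunk;
    } while (namebuf[nread - 1] != '\0');

    *name_len = nread - 1;
    return true;
}

/* Runs one constructed scenario through read_name(); returns the name length
 * on success or -1 on any failure. */
static long try_read_name(const char *data, size_t len, size_t max_chunk,
                          size_t bufsize)
{
    char namebuf[64];
    struct mem_source src = { data, len, 0, max_chunk };
    size_t name_len = 0;

    if (bufsize > sizeof(namebuf)) {
        return -1;
    }
    if (!read_name(&src, namebuf, bufsize, &name_len)) {
        return -1;
    }
    return (long)name_len;
}

int main(void)
{
    /* Constructed inputs: a NUL-terminated name delivered in 3-byte pieces,
     * the same name in one piece, and two malformed streams. */
    printf("short reads:   %ld\n", try_read_name("dir/file.txt", 13, 3, 64));
    printf("single read:   %ld\n", try_read_name("dir/file.txt", 13, 0, 64));
    printf("buffer full:   %ld\n", try_read_name("abcdef", 6, 0, 4));
    printf("eof, no NUL:   %ld\n", try_read_name("abc", 3, 0, 8));
    printf("256 - (ssize_t)4:  %zu\n", remaining_with_signed(256, 4));
    printf("256 - (ssize_t)-1: %zu\n", remaining_with_signed(256, -1));
    return 0;
}
```

The last line of output is the point of the type change: with a signed accumulator that has gone to -1, the "space left" becomes 257 bytes for a 256-byte buffer, and that is the length `read()` would be told it may write. With `size_t nread` the subtraction stays within the allocation as long as the loop's own bound (`nread == bufsize`) is respected, which is the invariant the wrap check in the patch sits beside.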