------------------------------------------------------------
revno: 11748
revision-id: squid3@treenet.co.nz-20130128042732-511lvfmjk733z9bw
parent: squid3@treenet.co.nz-20130125095954-rntdd7747wh31q76
author: Tomas Hozza
committer: Amos Jeffries
branch nick: 3.2
timestamp: Sun 2013-01-27 21:27:32 -0700
message:
Fix various issues in smblib
* Crash on NTLM handshakes without domain.
* Memory leak on several internal DC connection failures
* Potential buffer overruns on specially crafted tokens
Detected by Coverity Scan. Issues 740356, 740406, 740428, 740476, 740477, 740478
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20130128042732-511lvfmjk733z9bw
# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
# /SQUID_3_2
# testament_sha1: e38e4fe94918ed60870e64193f9864b1647501c6
# timestamp: 2013-01-28 04:35:41 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
# /SQUID_3_2
# base_revision_id: squid3@treenet.co.nz-20130125095954-\
# rntdd7747wh31q76
#
# Begin patch
=== modified file 'lib/smblib/smblib.c'
--- lib/smblib/smblib.c 2012-02-05 06:09:46 +0000
+++ lib/smblib/smblib.c 2013-01-28 04:27:32 +0000
@@ -122,8 +122,10 @@
     strcpy(con -> password, "");
     strcpy(con -> sock_options, "");
     strcpy(con -> address, "");
-    strcpy(con -> desthost, server);
-    strcpy(con -> PDomain, NTdomain);
+    strncpy(con -> desthost, server, sizeof(con->desthost));
+    con->desthost[sizeof(con->desthost) - 1] = '\0';
+    strncpy(con -> PDomain, NTdomain, sizeof(con->PDomain));
+    con->PDomain[sizeof(con->PDomain) - 1] = '\0';
     strcpy(con -> OSName, SMBLIB_DEFAULT_OSNAME);
     strcpy(con -> LMType, SMBLIB_DEFAULT_LMTYPE);
     con -> first_tree = con -> last_tree = NULL;
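Review bot: The strncpy-plus-terminator pair that replaces the two strcpy calls truncates silently, so an over-long `server` or `NTdomain` produces a handle aimed at a different host or domain name instead of an error; the same pattern recurs in the hunks at -216 (service, username, password) and -328 (pword), where a silently truncated credential turns into a confusing authentication failure rather than a reported one. A bounded copy that reports truncation, e.g. `if (snprintf(con -> desthost, sizeof(con -> desthost), "%s", server) >= (int)sizeof(con -> desthost)) { /* report and fail */ }`, keeps the overrun fix and makes truncation visible; if this function follows the SMBlib_errno convention used in the later hunks, that is the natural place to report it. strncpy on a NULL source is also undefined behaviour, so if any caller can pass a NULL `NTdomain` here (the commit message mentions handshakes without a domain) a guard such as `NTdomain ? NTdomain : ""` is needed — worth confirming against the callers. The enclosing function starts and ends outside the hunk.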
@@ -216,9 +218,12 @@
     /* Init some things ... */
-    strcpy(con -> service, service);
-    strcpy(con -> username, username);
-    strcpy(con -> password, password);
+    strncpy(con -> service, service, sizeof(con -> service));
+    con -> service[sizeof(con -> service) - 1] = '\0';
+    strncpy(con -> username, username, sizeof(con -> username));
+    con -> username[sizeof(con -> username) - 1] = '\0';
+    strncpy(con -> password, password, sizeof(con -> password));
+    con -> password[sizeof(con -> password) - 1] = '\0';
     strcpy(con -> sock_options, "");
     strcpy(con -> address, "");
     strcpy(con -> PDomain, SMBLIB_DEFAULT_DOMAIN);
@@ -239,8 +244,17 @@
     /* Now figure out the host portion of the service */
-    strcpy(temp, service);
+    strncpy(temp, service, sizeof(temp));
+    temp[sizeof(temp) - 1] = '\0';
     host = strtok(temp, "/\\"); /* Separate host name portion */
+    if (!host) {
+        if (Con_Handle == NULL) {
+            free(con);
+            Con_Handle = NULL;
+        }
+        SMBlib_errno = -SMBlibE_CallFailed;
+        return NULL;
+    }
     strcpy(con -> desthost, host);
     /* Now connect to the remote end, but first upper case the name of the
@@ -283,9 +297,10 @@
     if (SMB_Negotiate(con, SMB_Prots_Restrict) < 0) {
-        /* Hmmm what should we do here ... We have a connection, but could not negotiate ... */
-
+        if (Con_Handle == NULL) {
+            free(con);
+        }
+        SMBlib_errno = -SMBlibE_NegNoProt;
         return NULL;
     }
@@ -294,6 +309,10 @@
     if ((*tree = SMB_TreeConnect(con, NULL, service, password, "A:")) == NULL) {
+        if (Con_Handle == NULL) {
+            free(con);
+        }
+        SMBlib_errno = -SMBlibE_BAD;
         return NULL;
     }
@@ -328,7 +347,8 @@
         pass_len = 24;
         memcpy(pword, PassWord, 24);
     } else {
-        strcpy(pword, PassWord);
+        strncpy(pword, PassWord, sizeof(pword));
+        pword[sizeof(pword) - 1] = '\0';
 #ifdef PAM_SMB_ENC_PASS
         if (Con_Handle->encrypt_passwords) {
             pass_len = 24;
@@ -394,7 +414,7 @@
     p = p + 1;
-    if (NtDomain != NULL) {
+    if (NtDomain == NULL) {
         strcpy(p, Con_Handle -> PDomain);
         p = p + strlen(Con_Handle -> PDomain);
     } else {
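Review bot: In the hunk at -239, the copy on the line after the new guard, `strcpy(con -> desthost, host);`, is still unbounded: host can be up to sizeof(temp) - 1 bytes long, so this remains an overrun whenever temp is larger than con->desthost (neither size is visible in the hunk, so confirm them). Using the same strncpy-and-terminate form as the two new lines above it, or `snprintf(con -> desthost, sizeof(con -> desthost), "%s", host);`, closes the gap the commit leaves. Inside the same guard, `Con_Handle = NULL;` assigns what appears to be a parameter that is never read before `return NULL`, and the sibling cleanups added at -283 and -294 omit it, so dropping that line makes the three failure paths consistent. The enclosing function starts and ends outside the hunk.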
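Review bot: In the hunk at -283, free(con) on the negotiate-failure path releases the handle but nothing tears down the transport connection that the removed comment says already exists at this point, so if con owns an open socket it is leaked on this path; the tree-connect failure at -294 has the same shape. If the library has a discard routine for that connection it belongs before the free on both paths, and the discard should run regardless of whether Con_Handle was caller-supplied, since the leak is the descriptor rather than the struct — what con owns here is not visible in the hunk, so confirm against the connect code earlier in the function. A one-line comment on each path, `/* connection is established at this point: release it before the handle */`, would keep the next maintainer from dropping it again. The enclosing function starts and ends outside the hunk.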
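Review bot: In the hunk at -394, the inverted test now selects the default domain only when NtDomain is NULL, which removes the NULL dereference, but both branches still copy a domain string into the packet at p with strcpy and advance p by its length without checking the room left in the buffer; PDomain is now bounded only by sizeof(con->PDomain) (hunk at -122), so a long domain can still run past whatever p points into. The buffer's size and the else branch are not visible in the hunk, so this needs confirming against the allocation in the enclosing function, which starts and ends outside the hunk; a remaining-length check before each copy, e.g. `if (strlen(Con_Handle -> PDomain) >= remaining) { SMBlib_errno = -SMBlibE_BAD; return ...; }` with `remaining` derived from the packet allocation, is the fix.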