------------------------------------------------------------
revno: 12429
revision-id: squid3@treenet.co.nz-20121230073040-xqcllwj2bsao11nd
parent: squid3@treenet.co.nz-20121227023528-5t3r7jea1lh525v0
author: Tomas Hozza
committer: Amos Jeffries
branch nick: 3.3
timestamp: Sun 2012-12-30 00:30:40 -0700
message: Fix various issues in smblib
* Crash on NTLM handshakes without domain.
* Memory leak on several internal DC connection failures
* Potential buffer overruns on specially crafted tokens
Detected by Coverity Scan.
Issues 740356, 740406, 740428, 740476, 740477, 740478
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20121230073040-xqcllwj2bsao11nd
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.3
# testament_sha1: ae10cf2e672595d6d9b0f4c741c310def5e59e3e
# timestamp: 2012-12-30 07:53:57 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.3
# base_revision_id: squid3@treenet.co.nz-20121227023528-\
# 5t3r7jea1lh525v0
#
# Begin patch
=== modified file 'lib/smblib/smblib.c'
--- lib/smblib/smblib.c 2012-08-28 13:00:30 +0000
+++ lib/smblib/smblib.c 2012-12-30 07:30:40 +0000
@@ -120,8 +120,10 @@
 strcpy(con -> password, "");
 strcpy(con -> sock_options, "");
 strcpy(con -> address, "");
- strcpy(con -> desthost, server);
- strcpy(con -> PDomain, NTdomain);
+ strncpy(con -> desthost, server, sizeof(con->desthost));
+ con->desthost[sizeof(con->desthost) - 1] = '\0';
+ strncpy(con -> PDomain, NTdomain, sizeof(con->PDomain));
+ con->PDomain[sizeof(con->PDomain) - 1] = '\0';
 strcpy(con -> OSName, SMBLIB_DEFAULT_OSNAME);
 strcpy(con -> LMType, SMBLIB_DEFAULT_LMTYPE);
 con -> first_tree = con -> last_tree = NULL;
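Review bot: The bounded copies on the `+` lines still silently truncate an over-long `server` or `NTdomain`, so a name longer than `sizeof(con->desthost) - 1` turns into a different host name instead of an error; a reviewer would rather reject the input, e.g. `if (strlen(server) >= sizeof(con->desthost)) { SMBlib_errno = -SMBlibE_BAD; return NULL; }` if this function reports failure the way the later hunks do — its signature and return convention are outside the hunk, so confirm before adopting that form. Both strncpy calls also still dereference `server` and `NTdomain` unconditionally, so if any caller may pass a NULL domain (the commit message mentions handshakes without a domain) a NULL guard or a documented non-NULL precondition is needed here. The enclosing function starts before and ends after this hunk.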
@@ -213,9 +215,12 @@
 /* Init some things ... */
- strcpy(con -> service, service);
- strcpy(con -> username, username);
- strcpy(con -> password, password);
+ strncpy(con -> service, service, sizeof(con -> service));
+ con -> service[sizeof(con -> service) - 1] = '\0';
+ strncpy(con -> username, username, sizeof(con -> username));
+ con -> username[sizeof(con -> username) - 1] = '\0';
+ strncpy(con -> password, password, sizeof(con -> password));
+ con -> password[sizeof(con -> password) - 1] = '\0';
 strcpy(con -> sock_options, "");
 strcpy(con -> address, "");
 strcpy(con -> PDomain, SMBLIB_DEFAULT_DOMAIN);
@@ -236,8 +241,17 @@
 /* Now figure out the host portion of the service */
- strcpy(temp, service);
+ strncpy(temp, service, sizeof(temp));
+ temp[sizeof(temp) - 1] = '\0';
 host = strtok(temp, "/\\"); /* Separate host name portion */
+ if (!host) {
+ if (Con_Handle == NULL) {
+ free(con);
+ Con_Handle = NULL;
+ }
+ SMBlib_errno = -SMBlibE_CallFailed;
+ return NULL;
+ }
 strcpy(con -> desthost, host);
 /* Now connect to the remote end, but first upper case the name of the
@@ -280,9 +294,10 @@
 if (SMB_Negotiate(con, SMB_Prots_Restrict) < 0) {
- /* Hmmm what should we do here ... We have a connection, but could not
- negotiate ... */
-
+ if (Con_Handle == NULL) {
+ free(con);
+ }
+ SMBlib_errno = -SMBlibE_NegNoProt;
 return NULL;
 }
@@ -291,6 +306,10 @@
 if ((*tree = SMB_TreeConnect(con, NULL, service, password, "A:")) == NULL) {
+ if (Con_Handle == NULL) {
+ free(con);
+ }
+ SMBlib_errno = -SMBlibE_BAD;
 return NULL;
 }
@@ -325,7 +344,8 @@
 pass_len = 24;
 memcpy(pword, PassWord, 24);
 } else {
- strcpy(pword, PassWord);
+ strncpy(pword, PassWord, sizeof(pword));
+ pword[sizeof(pword) - 1] = '\0';
 #ifdef PAM_SMB_ENC_PASS
 if (Con_Handle->encrypt_passwords) {
 pass_len = 24;
@@ -391,7 +411,7 @@
 p = p + 1;
- if (NtDomain != NULL) {
+ if (NtDomain == NULL) {
 strcpy(p, Con_Handle -> PDomain);
 p = p + strlen(Con_Handle -> PDomain);
 } else {
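Review bot: In the `@@ -236,8 +241,17 @@` hunk, `strcpy(con -> desthost, host);` on the context line right after the new `if (!host)` block is still an unbounded copy, and `host` may now be up to `sizeof(temp) - 1` characters because `temp` is filled with the bounded strncpy; that is only safe if `temp` is no larger than `con->desthost`, and neither declaration is visible in the hunk. Use the same pattern the commit applies everywhere else: `strncpy(con -> desthost, host, sizeof(con -> desthost)); con -> desthost[sizeof(con -> desthost) - 1] = '\0';`. The `Con_Handle = NULL;` inside `if (Con_Handle == NULL)` is a no-op and the two later failure paths in this function omit it, so dropping it keeps the three cleanup blocks consistent. The enclosing function starts before and ends after this hunk.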
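Review bot: In the `@@ -280,9 +294,10 @@` hunk, `free(con)` on the negotiate-failure path releases the handle without tearing down the transport the function establishes after the previous hunk's `/* Now connect to the remote end ... */`, so whatever descriptor that connection holds presumably leaks on this path — the connect code is outside the hunk, so confirm which field carries it and whether smblib has a disconnect routine that should run before `free(con)`. The same applies to the `SMB_TreeConnect` failure path in the `@@ -291,6 +306,10 @@` hunk. When `Con_Handle != NULL` the caller's handle is returned in a connected-but-unnegotiated state, which is worth stating at the top of the cleanup block, e.g. `/* caller-owned handle: transport stays open, caller must disconnect */`. The enclosing function starts before and ends after this hunk.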
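Review bot: In the `@@ -391,7 +411,7 @@` hunk the corrected `if (NtDomain == NULL)` branch still copies `Con_Handle -> PDomain` into the outgoing buffer at `p` with an unbounded `strcpy`, and nothing in the hunk bounds that copy against the space left after `p = p + 1`; the `else` branch is outside the hunk and presumably copies the caller-supplied `NtDomain` the same way. Given the commit is about overruns on crafted tokens, this spot wants either a length check before the copy or a comment stating why the buffer is large enough, e.g. `/* PDomain was bounded to sizeof(con->PDomain) when the handle was created */` — the buffer `p` points into is declared outside the hunk, so confirm its size first. The enclosing function starts before and ends after this hunk.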