libsmb: Fix CID 242665 Out-of-bounds access
authorVolker Lendecke <vl@samba.org>
Mon, 11 Nov 2013 20:37:48 +0000 (20:37 +0000)
committerAndreas Schneider <asn@samba.org>
Wed, 13 Nov 2013 08:01:55 +0000 (09:01 +0100)
Coverity is confused by the dual-use of "pss" as an array of size 1. This
is not strictly a bug here, but it is admittedly a small subtlety. It
should fix a whole bunch of Coverity issues. Normally I would resist
changing our code in response to a deficient static checker, but here I
would vote for this compromise.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
source3/libsmb/cliconnect.c

index 81bc028b26ed69439b6018bae7007ac333b70bfe..3c9d03a07678d38dcacded75e70e32d22fb4d41c 100644 (file)
@@ -2870,6 +2870,7 @@ static struct tevent_req *cli_connect_sock_send(
        struct tevent_req *req, *subreq;
        struct cli_connect_sock_state *state;
        const char *prog;
+       struct sockaddr_storage *addrs;
        unsigned i, num_addrs;
        NTSTATUS status;
 
@@ -2893,7 +2894,6 @@ static struct tevent_req *cli_connect_sock_send(
        }
 
        if ((pss == NULL) || is_zero_addr(pss)) {
-               struct sockaddr_storage *addrs;
 
                /*
                 * Here we cheat. resolve_name_list is not async at all. So
@@ -2907,8 +2907,12 @@ static struct tevent_req *cli_connect_sock_send(
                        tevent_req_nterror(req, status);
                        return tevent_req_post(req, ev);
                }
-               pss = addrs;
        } else {
+               addrs = talloc_array(state, struct sockaddr_storage, 1);
+               if (tevent_req_nomem(addrs, req)) {
+                       return tevent_req_post(req, ev);
+               }
+               addrs[0] = *pss;
                num_addrs = 1;
        }
 
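Review bot: Nothing in the new else branch states the invariant this change relies on, namely that `addrs` always points to a talloc'ed array of exactly `num_addrs` entries by the time it is handed to smbsock_any_connect_send in the last hunk. I would add a comment above the talloc_array call, for example `/* Copy *pss so addrs is always an array of num_addrs entries owned by state. */`. Since the declaration in the first hunk now has function scope, I would also write it as `struct sockaddr_storage *addrs = NULL;`, so that a later edit which skips both branches passes NULL rather than an indeterminate pointer. The body of cli_connect_sock_send starts and ends outside these hunks, so whether such a path exists today cannot be confirmed from here.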
@@ -2931,7 +2935,7 @@ static struct tevent_req *cli_connect_sock_send(
        }
 
        subreq = smbsock_any_connect_send(
-               state, ev, pss, state->called_names, state->called_types,
+               state, ev, addrs, state->called_names, state->called_types,
                state->calling_names, NULL, num_addrs, port);
        if (tevent_req_nomem(subreq, req)) {
                return tevent_req_post(req, ev);