}
/* the list of currently registered AUTH backends */
-static struct {
+static struct auth_backend {
const struct auth_operations *ops;
} *backends = NULL;
static int num_backends;
return NT_STATUS_OBJECT_NAME_COLLISION;
}
- backends = Realloc(backends, sizeof(backends[0]) * (num_backends+1));
+
+ backends = realloc_p(backends, struct auth_backend, num_backends+1);
if (!backends) {
smb_panic("out of memory in auth_register");
}
return -1;
}
}
- entry = (struct file_list *) malloc(sizeof (struct file_list));
+ entry = malloc_p(struct file_list);
if (!entry) {
d_printf("Out of memory in file_find\n");
closedir(dir);
struct tree_data *make_tree_data(guint32 type, const char *name)
{
- struct tree_data *p = (struct tree_data *)malloc(sizeof(struct tree_data));
+ struct tree_data *p = malloc_p(struct tree_data);
if (p) {
}
return True;
}
+
+/*
+ realloc an array, checking for integer overflow in the array size
+*/
+void *realloc_array(void *ptr, size_t el_size, unsigned count)
+{
+#define MAX_MALLOC_SIZE 0x7fffffff
+ if (count == 0 ||
+ count >= MAX_MALLOC_SIZE/el_size) {
+ return NULL;
+ }
+ if (!ptr) {
+ return malloc(el_size * count);
+ }
+ return realloc(ptr, el_size * count);
+}
+
*num_values = ldap_count_values(values);
- ret = talloc(mem_ctx, sizeof(char *) * (*num_values+1));
+ ret = talloc_array_p(mem_ctx, char *, *num_values+1);
if (!ret) {
ldap_value_free(values);
return NULL;
for (i=0; values[i]; i++)
/* nop */ ;
- (*sids) = talloc(mem_ctx, sizeof(DOM_SID) * i);
+ (*sids) = talloc_array_p(mem_ctx, DOM_SID, i);
if (!(*sids)) {
ldap_value_free_len(values);
return 0;
(msg->type == LDAP_TAG_UnbindRequest))
return True;
- entry = malloc(sizeof(*entry));
+ entry = malloc_p(struct ldap_queue_entry);
if (entry == NULL)
return False;
static void add_search_entry(struct ldap_connection *conn,
struct ldap_message *msg)
{
- struct ldap_queue_entry *e = malloc(sizeof *e);
+ struct ldap_queue_entry *e = malloc_p(struct ldap_queue_entry);
if (e == NULL)
return;
if (*num_names == 0) return NULL;
- ret = (struct node_status *)malloc(sizeof(struct node_status)* (*num_names));
+ ret = malloc_array_p(struct node_status, *num_names);
if (!ret) return NULL;
p++;
if (((hp = sys_gethostbyname(name)) != NULL) && (hp->h_addr != NULL)) {
struct ipv4_addr return_ip;
putip((char *)&return_ip,(char *)hp->h_addr);
- *return_iplist = (struct ipv4_addr *)malloc(sizeof(struct ipv4_addr));
+ *return_iplist = malloc_p(struct ipv4_addr);
if(*return_iplist == NULL) {
DEBUG(3,("resolve_hosts: malloc fail !\n"));
return False;
DEBUG(10, ("internal_resolve_name: looking up %s#%x\n", name, name_type));
if (allzeros || allones || is_address) {
- *return_iplist = (struct ipv4_addr *)malloc(sizeof(struct ipv4_addr));
+ *return_iplist = malloc_p(struct ipv4_addr);
if(*return_iplist == NULL) {
DEBUG(3,("internal_resolve_name: malloc fail !\n"));
return False;
controllers including the PDC in iplist[1..n]. Iterating over
the iplist when the PDC is down will cause two sets of timeouts. */
- if (*return_count && (nodupes_iplist = (struct ipv4_addr *)
- malloc(sizeof(struct ipv4_addr) * (*return_count)))) {
+ if (*return_count && (nodupes_iplist = malloc_array_p(struct ipv4_addr, *return_count))) {
int nodupes_count = 0;
/* Iterate over return_iplist looking for duplicates */
if ( (num_addresses == 0) && !done_auto_lookup )
return internal_resolve_name(mem_ctx, domain, 0x1C, ip_list, count);
- return_iplist = (struct ipv4_addr *)malloc(num_addresses * sizeof(struct ipv4_addr));
+ return_iplist = malloc_array_p(struct ipv4_addr, num_addresses);
if (return_iplist == NULL) {
DEBUG(3,("get_dc_list: malloc fail !\n"));
if (nmb->answers)
{
- if((copy_nmb->answers = (struct res_rec *)
- malloc(nmb->header.ancount * sizeof(struct res_rec))) == NULL)
+ if((copy_nmb->answers = malloc_array_p(struct res_rec, nmb->header.ancount)) == NULL)
goto free_and_exit;
memcpy((char *)copy_nmb->answers, (char *)nmb->answers,
nmb->header.ancount * sizeof(struct res_rec));
}
if (nmb->nsrecs)
{
- if((copy_nmb->nsrecs = (struct res_rec *)
- malloc(nmb->header.nscount * sizeof(struct res_rec))) == NULL)
+ if((copy_nmb->nsrecs = malloc_array_p(struct res_rec, nmb->header.nscount)) == NULL)
goto free_and_exit;
memcpy((char *)copy_nmb->nsrecs, (char *)nmb->nsrecs,
nmb->header.nscount * sizeof(struct res_rec));
}
if (nmb->additional)
{
- if((copy_nmb->additional = (struct res_rec *)
- malloc(nmb->header.arcount * sizeof(struct res_rec))) == NULL)
+ if((copy_nmb->additional = malloc_array_p(struct res_rec, nmb->header.arcount)) == NULL)
goto free_and_exit;
memcpy((char *)copy_nmb->additional, (char *)nmb->additional,
nmb->header.arcount * sizeof(struct res_rec));
{
struct packet_struct *pkt_copy;
- if(( pkt_copy = (struct packet_struct *)malloc(sizeof(*packet))) == NULL)
+ if(( pkt_copy = malloc_p(struct packet_struct)) == NULL)
{
DEBUG(0,("copy_dgram_packet: malloc fail.\n"));
return NULL;
struct packet_struct *p;
BOOL ok=False;
- p = (struct packet_struct *)malloc(sizeof(*p));
+ p = malloc_p(struct packet_struct);
if (!p) return(NULL);
p->next = NULL;
typedef [public] struct {
uint16 revision;
[value(ndr_size_security_acl(r))] uint16 size;
- uint32 num_aces;
+ [range(0,1000)] uint32 num_aces;
security_ace aces[num_aces];
} security_acl;
{
struct ndr_push *ndr;
- ndr = talloc(mem_ctx, sizeof(*ndr));
+ ndr = talloc_p(mem_ctx, struct ndr_push);
if (!ndr) {
return NULL;
}
}
}
- p->security_state.auth_info = talloc(p, sizeof(*p->security_state.auth_info));
+ p->security_state.auth_info = talloc_p(p, struct dcerpc_auth);
if (!p->security_state.auth_info) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
}
- p->security_state.auth_info = talloc(p, sizeof(*p->security_state.auth_info));
+ p->security_state.auth_info = talloc_p(p, struct dcerpc_auth);
if (!p->security_state.auth_info) {
status = NT_STATUS_NO_MEMORY;
goto done;
struct odb_context *odb = lck->odb;
TDB_DATA dbuf;
struct odb_entry e;
- char *tp;
int i, count;
struct odb_entry *elist;
}
}
- tp = Realloc(dbuf.dptr, (count+1) * sizeof(struct odb_entry));
- if (tp == NULL) {
+ elist = realloc_p(dbuf.dptr, struct odb_entry, count+1);
+ if (elist == NULL) {
if (dbuf.dptr) free(dbuf.dptr);
return NT_STATUS_NO_MEMORY;
}
- dbuf.dptr = tp;
+ dbuf.dptr = (char *)elist;
dbuf.dsize = (count+1) * sizeof(struct odb_entry);
memcpy(dbuf.dptr + (count*sizeof(struct odb_entry)),
struct odb_context *odb = lck->odb;
TDB_DATA dbuf;
struct odb_entry e;
- char *tp;
struct odb_entry *elist;
int count;
elist = (struct odb_entry *)dbuf.dptr;
count = dbuf.dsize / sizeof(struct odb_entry);
- tp = Realloc(dbuf.dptr, (count+1) * sizeof(struct odb_entry));
- if (tp == NULL) {
+ elist = realloc_p(dbuf.dptr, struct odb_entry, count+1);
+ if (elist == NULL) {
if (dbuf.dptr) free(dbuf.dptr);
return NT_STATUS_NO_MEMORY;
}
- dbuf.dptr = tp;
+ dbuf.dptr = (char *)elist;
dbuf.dsize = (count+1) * sizeof(struct odb_entry);
memcpy(dbuf.dptr + (count*sizeof(struct odb_entry)),
/* the list of currently registered NTVFS backends, note that there
* can be more than one backend with the same name, as long as they
* have different typesx */
-static struct {
+static struct ntvfs_backend {
const struct ntvfs_ops *ops;
} *backends = NULL;
static int num_backends;
return NT_STATUS_OBJECT_NAME_COLLISION;
}
- backends = Realloc(backends, sizeof(backends[0]) * (num_backends+1));
+ backends = realloc_p(backends, struct ntvfs_backend, num_backends+1);
if (!backends) {
smb_panic("out of memory in ntvfs_register");
}
int lvl = in_client?1:0;
myFILE *ret;
- ret = (myFILE *)malloc(sizeof(*ret));
+ ret = malloc_p(myFILE);
if (!ret) return NULL;
ret->buf = file_load(FileName, &ret->size);
/* the list of currently registered DCERPC endpoint servers.
*/
-static struct {
+static struct ep_server {
struct dcesrv_endpoint_server *ep_server;
} *ep_servers = NULL;
static int num_ep_servers;
return NT_STATUS_OBJECT_NAME_COLLISION;
}
- ep_servers = Realloc(ep_servers, sizeof(ep_servers[0]) * (num_ep_servers+1));
+ ep_servers = realloc_p(ep_servers, struct ep_server, num_ep_servers+1);
if (!ep_servers) {
smb_panic("out of memory in dcerpc_register");
}
struct spoolss_PrinterInfo1 *info;
int i;
- info = talloc(mem_ctx, num_msgs * sizeof(struct spoolss_PrinterInfo1));
+ info = talloc_array_p(mem_ctx, struct spoolss_PrinterInfo1, num_msgs);
if (!info)
return WERR_NOMEM;
struct spoolss_PrinterInfo2 *info;
int i;
- info = talloc(mem_ctx, num_msgs * sizeof(struct spoolss_PrinterInfo1));
+ info = talloc_array_p(mem_ctx, struct spoolss_PrinterInfo2, num_msgs);
if (!info)
return WERR_NOMEM;
struct spoolss_PrinterInfo5 *info;
int i;
- info = talloc(mem_ctx, num_msgs * sizeof(struct spoolss_PrinterInfo1));
+ info = talloc_array_p(mem_ctx, struct spoolss_PrinterInfo5, num_msgs);
if (!info)
return WERR_NOMEM;
if (r->out.ctr.ctr0->count == 0) break;
- r->out.ctr.ctr0->array = talloc(mem_ctx, r->out.ctr.ctr0->count*sizeof(struct srvsvc_NetShareInfo0));
+ r->out.ctr.ctr0->array = talloc_array_p(mem_ctx,
+ struct srvsvc_NetShareInfo0,
+ r->out.ctr.ctr0->count);
WERR_TALLOC_CHECK(r->out.ctr.ctr0->array);
for (i=0;i<r->out.ctr.ctr0->count;i++) {
if (r->out.ctr.ctr1->count == 0) break;
- r->out.ctr.ctr1->array = talloc(mem_ctx, r->out.ctr.ctr1->count*sizeof(struct srvsvc_NetShareInfo1));
+ r->out.ctr.ctr1->array = talloc_array_p(mem_ctx,
+ struct srvsvc_NetShareInfo1,
+ r->out.ctr.ctr1->count);
WERR_TALLOC_CHECK(r->out.ctr.ctr1->array);
for (i=0;i<r->out.ctr.ctr1->count;i++) {
if (r->out.ctr.ctr2->count == 0) break;
- r->out.ctr.ctr2->array = talloc(mem_ctx, r->out.ctr.ctr2->count*sizeof(struct srvsvc_NetShareInfo2));
+ r->out.ctr.ctr2->array = talloc_array_p(mem_ctx,
+ struct srvsvc_NetShareInfo2,
+ r->out.ctr.ctr2->count);
WERR_TALLOC_CHECK(r->out.ctr.ctr2->array);
for (i=0;i<r->out.ctr.ctr2->count;i++) {
if (r->out.ctr.ctr501->count == 0) break;
- r->out.ctr.ctr501->array = talloc(mem_ctx, r->out.ctr.ctr501->count*sizeof(struct srvsvc_NetShareInfo501));
+ r->out.ctr.ctr501->array = talloc_array_p(mem_ctx,
+ struct srvsvc_NetShareInfo501,
+ r->out.ctr.ctr501->count);
WERR_TALLOC_CHECK(r->out.ctr.ctr501->array);
for (i=0;i<r->out.ctr.ctr501->count;i++) {
if (r->out.ctr.ctr502->count == 0) break;
- r->out.ctr.ctr502->array = talloc(mem_ctx, r->out.ctr.ctr502->count*sizeof(struct srvsvc_NetShareInfo502));
+ r->out.ctr.ctr502->array = talloc_array_p(mem_ctx,
+ struct srvsvc_NetShareInfo502,
+ r->out.ctr.ctr502->count);
WERR_TALLOC_CHECK(r->out.ctr.ctr502->array);
for (i=0;i<r->out.ctr.ctr502->count;i++) {
ZERO_STRUCT(fnum);
ZERO_STRUCT(cli);
- recorded = (struct record *)malloc(sizeof(*recorded) * numops);
+ recorded = malloc_array_p(struct record, numops);
for (n=0; n<numops; n++) {
#if PRESETS
ZERO_STRUCT(fnum);
ZERO_STRUCT(cli);
- recorded = (struct record *)malloc(sizeof(*recorded) * numops);
+ recorded = malloc_array_p(struct record, numops);
for (n=0; n<numops; n++) {
recorded[n].conn = random() % NCONNECTIONS;
int i;
NSS_STATUS status;
- groups = (gid_t *)malloc(size * sizeof(gid_t));
+ groups = (gid_t *)malloc_array_p(gid_t, size);
groups[0] = gid;
status = nss_initgroups(name, gid, &groups, &start, &size);
sids.count = 0;
sids.sids = NULL;
- names = talloc(mem_ctx, tnames->count * sizeof(names[0]));
+ names = talloc_array_p(mem_ctx, struct lsa_String, tnames->count);
for (i=0;i<tnames->count;i++) {
init_lsa_String(&names[i], tnames->names[i].name.string);
}
sids.count = 0;
sids.sids = NULL;
- names = talloc(mem_ctx, tnames->count * sizeof(names[0]));
+ names = talloc_array_p(mem_ctx, struct lsa_String, tnames->count);
for (i=0;i<tnames->count;i++) {
init_lsa_String(&names[i], tnames->names[i].name.string);
}
printf("Testing LookupNames\n");
n.in.domain_handle = handle;
n.in.num_names = r.out.sam->count;
- n.in.names = talloc(mem_ctx, r.out.sam->count * sizeof(struct samr_String));
+ n.in.names = talloc_array_p(mem_ctx, struct samr_String, r.out.sam->count);
for (i=0;i<r.out.sam->count;i++) {
n.in.names[i] = r.out.sam->entries[i].name;
}
printf("Testing LookupRids\n");
lr.in.domain_handle = handle;
lr.in.num_rids = r.out.sam->count;
- lr.in.rids = talloc(mem_ctx, r.out.sam->count * sizeof(uint32_t));
+ lr.in.rids = talloc_array_p(mem_ctx, uint32_t, r.out.sam->count);
for (i=0;i<r.out.sam->count;i++) {
lr.in.rids[i] = r.out.sam->entries[i].idx;
}
printf("Opening %d connections\n", torture_numops);
- cli = malloc(sizeof(struct smbcli_state *) * torture_numops);
+ cli = malloc_array_p(struct smbcli_state *, torture_numops);
for (i=0;i<torture_numops;i++) {
if (!torture_open_connection(&cli[i])) {