author | Volker Lendecke <vl@samba.org> | 2018-10-09 13:51:46 +0200 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2018-10-17 19:22:19 +0200 |
commit | 34fe8b1ac6a79680fcbb34e9fcad2869d66d88e6 (patch) | |
tree | 93dcee96340bf246f69fdb52b5c7d56eabe0e5fe /source3/lib/gencache.c | |
parent | 6007c444d946ed7eb7572fed02e448c61f86a394 (diff) | |
gencache: Make gencache_pull_timeout a bit more robust
The previous version assumed a well-formed "val", we just handed it to
strtol without properly checking that it contains the delimiter. So
strtol could well run off the end of "val" in case of data corruption.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source3/lib/gencache.c')
-rw-r--r-- | source3/lib/gencache.c | 19 |
1 files changed, 12 insertions, 7 deletions
diff --git a/source3/lib/gencache.c b/source3/lib/gencache.c index f18d0426d81..d72aa9505af 100644 --- a/source3/lib/gencache.c +++ b/source3/lib/gencache.c @@ -408,19 +408,24 @@ bool gencache_del(const char *keystr) return result; } -static bool gencache_pull_timeout(uint8_t *val, time_t *pres, char **payload) +static bool gencache_pull_timeout(TDB_DATA data, time_t *pres, char **payload) { time_t res; + char *slash = NULL; char *endptr; - if (val == NULL) { + if (data.dptr == NULL) { + return false; + } + slash = memchr(data.dptr, '/', data.dsize); + if (slash == NULL) { return false; } - res = strtol((char *)val, &endptr, 10); + res = strtol((char *)data.dptr, &endptr, 10); if ((endptr == NULL) || (*endptr != '/')) { - DEBUG(2, ("Invalid gencache data format: %s\n", (char *)val)); + DBG_WARNING("Invalid gencache data format\n"); return false; } if (pres != NULL) { @@ -451,7 +456,7 @@ static int gencache_parse_fn(TDB_DATA key, TDB_DATA data, void *private_data) if (data.dptr == NULL) { return -1; } - ret = gencache_pull_timeout(data.dptr, &t.timeout, &payload); + ret = gencache_pull_timeout(data, &t.timeout, &payload); if (!ret) { return -1; } @@ -716,7 +721,7 @@ static int stabilize_fn(struct tdb_context *tdb, TDB_DATA key, TDB_DATA val, return 0; } - if (!gencache_pull_timeout(val.dptr, &timeout, NULL)) { + if (!gencache_pull_timeout(val, &timeout, NULL)) { DEBUG(10, ("Ignoring invalid entry\n")); return 0; } @@ -841,7 +846,7 @@ static int gencache_iterate_blobs_fn(struct tdb_context *tdb, TDB_DATA key, } } - if (!gencache_pull_timeout(data.dptr, &timeout, &payload)) { + if (!gencache_pull_timeout(data, &timeout, &payload)) { goto done; } |
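Review bot: The new `memchr` check in `gencache_pull_timeout` bounds the `strtol` scan, but the parsed timestamp itself is still not validated: a record that starts with `/` (no digits at all) passes the `*endptr != '/'` test with `res == 0`, and an over-long digit string is silently clamped because `errno` is never inspected. Since this function is the guard against corrupted cache records, I would reject both cases by setting `errno = 0;` before the call and testing `if ((endptr == (char *)data.dptr) || (endptr != slash) || (errno == ERANGE)) {`. That also uses `slash` as the expected stop position rather than only as a presence flag, and it drops the `endptr == NULL` test, which cannot fire because strtol always stores through a non-NULL `endptr`. The tail of the function, where `*payload` is presumably set, lies outside this hunk; if it hands back a bare pointer just past the slash, it is worth confirming that callers bound the payload by `data.dsize` rather than relying on a terminating NUL inside the record.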