Skip to content

Commit 0db0aff

Browse files
Shwetha-Acharyaanoopcs9
Shwetha-Acharya
authored and
anoopcs9
committed
s3:shadow_copy: CID 1449539 talloc_realloc and error handling
- Replace TALLOC_REALLOC with talloc_realloc inorder to handle the integer overflow better. - Rename tlabels as tmp_labels for clarity. - Use shadow_copy_data->labels directly after successful reallocation instead of relying on a temporary variable. - Ensure that shadow_copy_data->num_volumes is set to 0 and shadow_copy_data->labels is freed on error paths inorder to address the potential resource leaks. Fixes: CID_1449539 Signed-off-by: Shwetha K Acharya <Shwetha.K.Acharya@ibm.com> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org> Autobuild-User(master): Anoop C S <anoopcs@samba.org> Autobuild-Date(master): Sat Sep 6 10:34:27 UTC 2025 on atb-devel-224
1 parent 5d1d3a8 commit 0db0aff

File tree

1 file changed

+14
-9
lines changed

1 file changed

+14
-9
lines changed

source3/modules/vfs_shadow_copy.c

Lines changed: 14 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -190,7 +190,7 @@ static int shadow_copy_get_shadow_copy_data(vfs_handle_struct *handle,
190190
shadow_copy_data->labels = NULL;
191191

192192
while (True) {
193-
SHADOW_COPY_LABEL *tlabels;
193+
SHADOW_COPY_LABEL *tmp_labels = NULL;
194194
int ret;
195195

196196
dname = ReadDirName(dir_hnd, &talloced);
@@ -213,27 +213,32 @@ static int shadow_copy_get_shadow_copy_data(vfs_handle_struct *handle,
213213
continue;
214214
}
215215

216-
tlabels = (SHADOW_COPY_LABEL *)TALLOC_REALLOC(shadow_copy_data,
217-
shadow_copy_data->labels,
218-
(shadow_copy_data->num_volumes+1)*sizeof(SHADOW_COPY_LABEL));
219-
if (tlabels == NULL) {
216+
tmp_labels = talloc_realloc(shadow_copy_data, shadow_copy_data->labels,
217+
SHADOW_COPY_LABEL, shadow_copy_data->num_volumes + 1);
218+
219+
if (tmp_labels == NULL) {
220220
DEBUG(0,("shadow_copy_get_shadow_copy_data: Out of memory\n"));
221+
shadow_copy_data->num_volumes = 0;
222+
TALLOC_FREE(shadow_copy_data->labels);
221223
TALLOC_FREE(talloced);
222224
TALLOC_FREE(dir_hnd);
223225
return -1;
224226
}
225227

226-
ret = strlcpy(tlabels[shadow_copy_data->num_volumes], dname,
227-
sizeof(tlabels[shadow_copy_data->num_volumes]));
228-
if (ret != sizeof(tlabels[shadow_copy_data->num_volumes]) - 1) {
228+
shadow_copy_data->labels = tmp_labels;
229+
230+
ret = strlcpy(shadow_copy_data->labels[shadow_copy_data->num_volumes], dname,
231+
sizeof(shadow_copy_data->labels[shadow_copy_data->num_volumes]));
232+
if (ret != sizeof(shadow_copy_data->labels[shadow_copy_data->num_volumes]) - 1) {
229233
DBG_ERR("malformed label %s\n", dname);
234+
shadow_copy_data->num_volumes = 0;
235+
TALLOC_FREE(shadow_copy_data->labels);
230236
TALLOC_FREE(talloced);
231237
TALLOC_FREE(dir_hnd);
232238
return -1;
233239
}
234240
shadow_copy_data->num_volumes++;
235241

236-
shadow_copy_data->labels = tlabels;
237242
TALLOC_FREE(talloced);
238243
}
239244

0 commit comments

Comments
 (0)