pynbt: catch type errors in PyObject_AsNBTName()

This fixes some known segfaults.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/libcli/nbt/pynbt.c b/libcli/nbt/pynbt.c
index 032561a4bd8a7b062526aa5344576d5913478f52..ccd7a039248dd3388bd10388722ec109576bb57d 100644 (file)
--- a/libcli/nbt/pynbt.c
+++ b/libcli/nbt/pynbt.c
@@ -97,13 +97,28 @@ static bool PyObject_AsNBTName(PyObject *obj, struct nbt_name_socket *name_socke
        if (PyTuple_Check(obj)) {
                if (PyTuple_Size(obj) == 2) {
                        name->name = PyStr_AsString(PyTuple_GetItem(obj, 0));
+                       if (name->name == NULL) {
+                               goto err;
+                       }
                        name->type = PyInt_AsLong(PyTuple_GetItem(obj, 1));
+                       if (name->type == -1 && PyErr_Occurred()) {
+                               goto err;
+                       }
                        name->scope = NULL;
                        return true;
                } else if (PyTuple_Size(obj) == 3) {
                        name->name = PyStr_AsString(PyTuple_GetItem(obj, 0));
+                       if (name->name == NULL) {
+                               goto err;
+                       }
                        name->scope = PyStr_AsString(PyTuple_GetItem(obj, 1));
+                       if (name->scope == NULL) {
+                               goto err;
+                       }
                        name->type = PyInt_AsLong(PyTuple_GetItem(obj, 2));
+                       if (name->type == -1 && PyErr_Occurred()) {
+                               goto err;
+                       }
                        return true;
                } else {
                        PyErr_SetString(PyExc_TypeError, "Invalid tuple size");
@@ -114,11 +129,14 @@ static bool PyObject_AsNBTName(PyObject *obj, struct nbt_name_socket *name_socke
        if (PyStr_Check(obj) || PyUnicode_Check(obj)) {
                /* FIXME: Parse string to be able to interpret things like RHONWYN<02> ? */
                name->name = PyStr_AsString(obj);
+               if (name->name == NULL) {
+                       goto err;
+               }
                name->scope = NULL;
                name->type = 0;
                return true;
        }
-
+err:
        PyErr_SetString(PyExc_TypeError, "Invalid type for object");
        return false;
 }

diff --git a/selftest/knownfail.d/python-segfaults b/selftest/knownfail.d/python-segfaults
index b1938cd170269c97949ee96113d7e2b095025c30..c4f83f36a122033ecfd4565797b37db0eea6b241 100644 (file)
--- a/selftest/knownfail.d/python-segfaults
+++ b/selftest/knownfail.d/python-segfaults
@@ -5,4 +5,3 @@ samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_hive_open_ldb
 samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_net_replicate_chunk_1
 samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_net_replicate_init__1
 samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_net_replicate_init__3
-samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_netbios_query_name