Added package vgp, vgp is a daemon working like Cisco(c) HSRP
[openwrt.git] / package / samba / patches / 200-security.patch
1 diff -ur samba-2.0.10/source/include/smb.h samba-2.0.10-security/source/include/smb.h
2 --- samba-2.0.10/source/include/smb.h 2001-06-23 12:52:20.000000000 +0400
3 +++ samba-2.0.10-security/source/include/smb.h 2005-05-21 21:51:17.206995728 +0400
4 @@ -256,6 +256,7 @@
5 #define ERRlock 33 /* Lock request conflicts with existing lock */
6 #define ERRunsup 50 /* Request unsupported, returned by Win 95, RJS 20Jun98 */
7 #define ERRfilexists 80 /* File in operation already exists */
8 +#define ERRinvalidparam 87
9 #define ERRcannotopen 110 /* Cannot open the file specified */
10 #define ERRunknownlevel 124
11 #define ERRrename 183
12 @@ -1893,4 +1894,7 @@
13
14 #define SAFE_NETBIOS_CHARS ". -_"
15
16 +#ifndef SAFE_FREE
17 +#define SAFE_FREE(x) do { if ((x) != NULL) {free((x)); (x)=NULL;} } while(0)
18 +#endif
19 #endif /* _SMB_H */
20 diff -ur samba-2.0.10/source/include/version.h samba-2.0.10-security/source/include/version.h
21 --- samba-2.0.10/source/include/version.h 2001-06-23 17:23:59.000000000 +0400
22 +++ samba-2.0.10-security/source/include/version.h 2005-05-21 21:51:17.227992536 +0400
23 @@ -1 +1 @@
24 -#define VERSION "2.0.10"
25 +#define VERSION "2.0.10-security-rollup"
26 diff -ur samba-2.0.10/source/smbd/filename.c samba-2.0.10-security/source/smbd/filename.c
27 --- samba-2.0.10/source/smbd/filename.c 2000-03-17 01:59:44.000000000 +0300
28 +++ samba-2.0.10-security/source/smbd/filename.c 2005-05-21 21:51:17.403965784 +0400
29 @@ -172,7 +172,7 @@
30 * StrnCpy always null terminates.
31 */
32
33 - StrnCpy(orig_name, full_orig_name, namelen);
34 + StrnCpy(orig_name, full_orig_name, MIN(namelen, sizeof(orig_name)-1));
35 if(!case_sensitive)
36 strupper( orig_name );
37
38 diff -ur samba-2.0.10/source/smbd/ipc.c samba-2.0.10-security/source/smbd/ipc.c
39 --- samba-2.0.10/source/smbd/ipc.c 2000-03-30 02:20:06.000000000 +0400
40 +++ samba-2.0.10-security/source/smbd/ipc.c 2005-05-21 21:51:17.269986152 +0400
41 @@ -3550,18 +3550,18 @@
42 uint16 *setup=NULL;
43 int outsize = 0;
44 uint16 vuid = SVAL(inbuf,smb_uid);
45 - int tpscnt = SVAL(inbuf,smb_vwv0);
46 - int tdscnt = SVAL(inbuf,smb_vwv1);
47 - int mprcnt = SVAL(inbuf,smb_vwv2);
48 - int mdrcnt = SVAL(inbuf,smb_vwv3);
49 - int msrcnt = CVAL(inbuf,smb_vwv4);
50 + unsigned int tpscnt = SVAL(inbuf,smb_vwv0);
51 + unsigned int tdscnt = SVAL(inbuf,smb_vwv1);
52 + unsigned int mprcnt = SVAL(inbuf,smb_vwv2);
53 + unsigned int mdrcnt = SVAL(inbuf,smb_vwv3);
54 + unsigned int msrcnt = CVAL(inbuf,smb_vwv4);
55 BOOL close_on_completion = BITSETW(inbuf+smb_vwv5,0);
56 BOOL one_way = BITSETW(inbuf+smb_vwv5,1);
57 - int pscnt = SVAL(inbuf,smb_vwv9);
58 - int psoff = SVAL(inbuf,smb_vwv10);
59 - int dscnt = SVAL(inbuf,smb_vwv11);
60 - int dsoff = SVAL(inbuf,smb_vwv12);
61 - int suwcnt = CVAL(inbuf,smb_vwv13);
62 + unsigned int pscnt = SVAL(inbuf,smb_vwv9);
63 + unsigned int psoff = SVAL(inbuf,smb_vwv10);
64 + unsigned int dscnt = SVAL(inbuf,smb_vwv11);
65 + unsigned int dsoff = SVAL(inbuf,smb_vwv12);
66 + unsigned int suwcnt = CVAL(inbuf,smb_vwv13);
67
68 memset(name, '\0',sizeof(name));
69 fstrcpy(name,smb_buf(inbuf));
70 @@ -3572,31 +3572,48 @@
71
72 if (tdscnt) {
73 if((data = (char *)malloc(tdscnt)) == NULL) {
74 - DEBUG(0,("reply_trans: data malloc fail for %d bytes !\n", tdscnt));
75 + DEBUG(0,("reply_trans: data malloc fail for %u bytes !\n", tdscnt));
76 return(ERROR(ERRDOS,ERRnomem));
77 }
78 + if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
79 + goto bad_param;
80 + if (smb_base(inbuf)+dsoff+dscnt > inbuf + size)
81 + goto bad_param;
82 +
83 memcpy(data,smb_base(inbuf)+dsoff,dscnt);
84 }
85
86 if (tpscnt) {
87 if((params = (char *)malloc(tpscnt)) == NULL) {
88 - DEBUG(0,("reply_trans: param malloc fail for %d bytes !\n", tpscnt));
89 + DEBUG(0,("reply_trans: param malloc fail for %u bytes !\n", tpscnt));
90 + SAFE_FREE(data);
91 return(ERROR(ERRDOS,ERRnomem));
92 }
93 + if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
94 + goto bad_param;
95 + if (smb_base(inbuf)+psoff+pscnt > inbuf + size)
96 + goto bad_param;
97 +
98 memcpy(params,smb_base(inbuf)+psoff,pscnt);
99 }
100
101 if (suwcnt) {
102 int i;
103 if((setup = (uint16 *)malloc(suwcnt*sizeof(uint16))) == NULL) {
104 - DEBUG(0,("reply_trans: setup malloc fail for %d bytes !\n", (int)(suwcnt * sizeof(uint16))));
105 - return(ERROR(ERRDOS,ERRnomem));
106 - }
107 + DEBUG(0,("reply_trans: setup malloc fail for %u bytes !\n", (unsigned int)(suwcnt * sizeof(uint16))));
108 + SAFE_FREE(data);
109 + SAFE_FREE(params);
110 + return(ERROR(ERRDOS,ERRnomem));
111 + }
112 + if (inbuf+smb_vwv14+(suwcnt*SIZEOFWORD) > inbuf + size)
113 + goto bad_param;
114 + if ((smb_vwv14+(suwcnt*SIZEOFWORD) < smb_vwv14) || (smb_vwv14+(suwcnt*SIZEOFWORD) < (suwcnt*SIZEOFWORD)))
115 + goto bad_param;
116 +
117 for (i=0;i<suwcnt;i++)
118 setup[i] = SVAL(inbuf,smb_vwv14+i*SIZEOFWORD);
119 }
120
121 -
122 if (pscnt < tpscnt || dscnt < tdscnt) {
123 /* We need to send an interim response then receive the rest
124 of the parameter/data bytes */
125 @@ -3608,7 +3625,7 @@
126 /* receive the rest of the trans packet */
127 while (pscnt < tpscnt || dscnt < tdscnt) {
128 BOOL ret;
129 - int pcnt,poff,dcnt,doff,pdisp,ddisp;
130 + unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp;
131
132 ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
133
134 @@ -3619,19 +3636,19 @@
135 DEBUG(0,("reply_trans: %s in getting secondary trans response.\n",
136 (smb_read_error == READ_ERROR) ? "error" : "timeout" ));
137 }
138 - if (params)
139 - free(params);
140 - if (data)
141 - free(data);
142 - if (setup)
143 - free(setup);
144 + SAFE_FREE(params);
145 + SAFE_FREE(data);
146 + SAFE_FREE(setup);
147 return(ERROR(ERRSRV,ERRerror));
148 }
149
150 show_msg(inbuf);
151
152 - tpscnt = SVAL(inbuf,smb_vwv0);
153 - tdscnt = SVAL(inbuf,smb_vwv1);
154 + /* Revise total_params and total_data in case they have changed downwards */
155 + if (SVAL(inbuf,smb_vwv0) < tpscnt)
156 + tpscnt = SVAL(inbuf,smb_vwv0);
157 + if (SVAL(inbuf,smb_vwv1) < tdscnt)
158 + tdscnt = SVAL(inbuf,smb_vwv1);
159
160 pcnt = SVAL(inbuf,smb_vwv2);
161 poff = SVAL(inbuf,smb_vwv3);
162 @@ -3644,17 +3661,36 @@
163 pscnt += pcnt;
164 dscnt += dcnt;
165
166 - if (dscnt > tdscnt || pscnt > tpscnt) {
167 - exit_server("invalid trans parameters\n");
168 - }
169 + if (dscnt > tdscnt || pscnt > tpscnt)
170 + goto bad_param;
171
172 - if (pcnt)
173 + if (pcnt) {
174 + if (pdisp+pcnt >= tpscnt)
175 + goto bad_param;
176 + if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
177 + goto bad_param;
178 + if (smb_base(inbuf) + poff + pcnt >= inbuf + bufsize)
179 + goto bad_param;
180 + if (params + pdisp < params)
181 + goto bad_param;
182 +
183 memcpy(params+pdisp,smb_base(inbuf)+poff,pcnt);
184 - if (dcnt)
185 + }
186 +
187 + if (dcnt) {
188 + if (ddisp+dcnt >= tdscnt)
189 + goto bad_param;
190 + if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
191 + goto bad_param;
192 + if (smb_base(inbuf) + doff + dcnt >= inbuf + bufsize)
193 + goto bad_param;
194 + if (data + ddisp < data)
195 + goto bad_param;
196 +
197 memcpy(data+ddisp,smb_base(inbuf)+doff,dcnt);
198 + }
199 }
200 -
201 -
202 +
203 DEBUG(3,("trans <%s> data=%d params=%d setup=%d\n",
204 name,tdscnt,tpscnt,suwcnt));
205
206 @@ -3694,4 +3730,12 @@
207 return(ERROR(ERRSRV,ERRnosupport));
208
209 return(outsize);
210 +
211 + bad_param:
212 +
213 + DEBUG(0,("reply_trans: invalid trans parameters\n"));
214 + SAFE_FREE(data);
215 + SAFE_FREE(params);
216 + SAFE_FREE(setup);
217 + return(ERROR(ERRSRV,ERRerror));
218 }
219 diff -ur samba-2.0.10/source/smbd/nttrans.c samba-2.0.10-security/source/smbd/nttrans.c
220 --- samba-2.0.10/source/smbd/nttrans.c 2000-04-24 21:27:30.000000000 +0400
221 +++ samba-2.0.10-security/source/smbd/nttrans.c 2005-05-21 21:51:17.314979312 +0400
222 @@ -2575,11 +2575,14 @@
223 params = (char *)malloc(total_parameter_count);
224 if (total_data_count > 0)
225 data = (char *)malloc(total_data_count);
226 -
227 +
228 if ((total_parameter_count && !params) || (total_data_count && !data) ||
229 (setup_count && !setup)) {
230 + SAFE_FREE(setup);
231 + SAFE_FREE(params);
232 + SAFE_FREE(data);
233 DEBUG(0,("reply_nttrans : Out of memory\n"));
234 - return(ERROR(ERRDOS,ERRnomem));
235 + return ERROR(ERRDOS,ERRnomem);
236 }
237
238 /* Copy the param and data bytes sent with this request into
239 @@ -2588,64 +2591,112 @@
240 num_data_sofar = data_count;
241
242 if (parameter_count > total_parameter_count || data_count > total_data_count)
243 - exit_server("reply_nttrans: invalid sizes in packet.\n");
244 + goto bad_param;
245
246 if(setup) {
247 - memcpy( setup, &inbuf[smb_nt_SetupStart], setup_count);
248 DEBUG(10,("reply_nttrans: setup_count = %d\n", setup_count));
249 - dump_data(10, setup, setup_count);
250 + if ((smb_nt_SetupStart + setup_count < smb_nt_SetupStart) ||
251 + (smb_nt_SetupStart + setup_count < setup_count))
252 + goto bad_param;
253 + if (smb_nt_SetupStart + setup_count > length)
254 + goto bad_param;
255 +
256 + memcpy( setup, &inbuf[smb_nt_SetupStart], setup_count);
257 }
258 if(params) {
259 - memcpy( params, smb_base(inbuf) + parameter_offset, parameter_count);
260 DEBUG(10,("reply_nttrans: parameter_count = %d\n", parameter_count));
261 - dump_data(10, params, parameter_count);
262 + if ((parameter_offset + parameter_count < parameter_offset) ||
263 + (parameter_offset + parameter_count < parameter_count))
264 + goto bad_param;
265 + if (smb_base(inbuf) + parameter_offset + parameter_count > inbuf + length)
266 + goto bad_param;
267 +
268 + memcpy( params, smb_base(inbuf) + parameter_offset, parameter_count);
269 }
270 if(data) {
271 - memcpy( data, smb_base(inbuf) + data_offset, data_count);
272 DEBUG(10,("reply_nttrans: data_count = %d\n",data_count));
273 - dump_data(10, data, data_count);
274 + if ((data_offset + data_count < data_offset) || (data_offset + data_count < data_count))
275 + goto bad_param;
276 + if (smb_base(inbuf) + data_offset + data_count > inbuf + length)
277 + goto bad_param;
278 +
279 + memcpy( data, smb_base(inbuf) + data_offset, data_count);
280 +
281 }
282
283 if(num_data_sofar < total_data_count || num_params_sofar < total_parameter_count) {
284 /* We need to send an interim response then receive the rest
285 of the parameter/data bytes */
286 outsize = set_message(outbuf,0,0,True);
287 - send_smb(Client,outbuf);
288 + if (!send_smb(Client,outbuf))
289 + exit_server("reply_nttrans: send_smb failed.");
290
291 while( num_data_sofar < total_data_count || num_params_sofar < total_parameter_count) {
292 BOOL ret;
293 -
294 + uint32 parameter_displacement;
295 + uint32 data_displacement;
296 +
297 ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
298 -
299 +
300 if((ret && (CVAL(inbuf, smb_com) != SMBnttranss)) || !ret) {
301 - outsize = set_message(outbuf,0,0,True);
302 - if(ret) {
303 - DEBUG(0,("reply_nttrans: Invalid secondary nttrans packet\n"));
304 - } else {
305 - DEBUG(0,("reply_nttrans: %s in getting secondary nttrans response.\n",
306 - (smb_read_error == READ_ERROR) ? "error" : "timeout" ));
307 + outsize = set_message(outbuf,0,0,True);
308 + if(ret) {
309 + DEBUG(0,("reply_nttrans: Invalid secondary nttrans packet\n"));
310 + } else {
311 + DEBUG(0,("reply_nttrans: %s in getting secondary nttrans response.\n",
312 + (smb_read_error == READ_ERROR) ? "error" : "timeout" ));
313 }
314 - if(params)
315 - free(params);
316 - if(data)
317 - free(data);
318 - if(setup)
319 - free(setup);
320 - return(ERROR(ERRSRV,ERRerror));
321 + goto bad_param;
322 }
323
324 /* Revise total_params and total_data in case they have changed downwards */
325 - total_parameter_count = IVAL(inbuf, smb_nts_TotalParameterCount);
326 - total_data_count = IVAL(inbuf, smb_nts_TotalDataCount);
327 - num_params_sofar += (parameter_count = IVAL(inbuf,smb_nts_ParameterCount));
328 - num_data_sofar += ( data_count = IVAL(inbuf, smb_nts_DataCount));
329 - if (num_params_sofar > total_parameter_count || num_data_sofar > total_data_count)
330 - exit_server("reply_nttrans2: data overflow in secondary nttrans packet\n");
331 -
332 - memcpy( &params[ IVAL(inbuf, smb_nts_ParameterDisplacement)],
333 - smb_base(inbuf) + IVAL(inbuf, smb_nts_ParameterOffset), parameter_count);
334 - memcpy( &data[IVAL(inbuf, smb_nts_DataDisplacement)],
335 - smb_base(inbuf)+ IVAL(inbuf, smb_nts_DataOffset), data_count);
336 + if (IVAL(inbuf, smb_nts_TotalParameterCount) < total_parameter_count)
337 + total_parameter_count = IVAL(inbuf, smb_nts_TotalParameterCount);
338 + if (IVAL(inbuf, smb_nts_TotalDataCount) < total_data_count)
339 + total_data_count = IVAL(inbuf, smb_nts_TotalDataCount);
340 +
341 + parameter_count = IVAL(inbuf,smb_nts_ParameterCount);
342 + parameter_offset = IVAL(inbuf, smb_nts_ParameterOffset);
343 + parameter_displacement = IVAL(inbuf, smb_nts_ParameterDisplacement);
344 + num_params_sofar += parameter_count;
345 +
346 + data_count = IVAL(inbuf, smb_nts_DataCount);
347 + data_displacement = IVAL(inbuf, smb_nts_DataDisplacement);
348 + data_offset = IVAL(inbuf, smb_nts_DataOffset);
349 + num_data_sofar += data_count;
350 +
351 + if (num_params_sofar > total_parameter_count || num_data_sofar > total_data_count) {
352 + DEBUG(0,("reply_nttrans2: data overflow in secondary nttrans packet"));
353 + goto bad_param;
354 + }
355 +
356 + if (parameter_count) {
357 + if (parameter_displacement + parameter_count >= total_parameter_count)
358 + goto bad_param;
359 + if ((parameter_displacement + parameter_count < parameter_displacement) ||
360 + (parameter_displacement + parameter_count < parameter_count))
361 + goto bad_param;
362 + if (smb_base(inbuf) + parameter_offset + parameter_count >= inbuf + bufsize)
363 + goto bad_param;
364 + if (params + parameter_displacement < params)
365 + goto bad_param;
366 +
367 + memcpy( &params[parameter_displacement], smb_base(inbuf) + parameter_offset, parameter_count);
368 + }
369 +
370 + if (data_count) {
371 + if (data_displacement + data_count >= total_data_count)
372 + goto bad_param;
373 + if ((data_displacement + data_count < data_displacement) ||
374 + (data_displacement + data_count < data_count))
375 + goto bad_param;
376 + if (smb_base(inbuf) + data_offset + data_count >= inbuf + bufsize)
377 + goto bad_param;
378 + if (data + data_displacement < data)
379 + goto bad_param;
380 +
381 + memcpy( &data[data_displacement], smb_base(inbuf)+ data_offset, data_count);
382 + }
383 }
384 }
385
386 @@ -2714,4 +2765,10 @@
387 return outsize; /* If a correct response was needed the call_nt_transact_xxxx
388 calls have already sent it. If outsize != -1 then it is
389 returning an error packet. */
390 + bad_param:
391 +
392 + SAFE_FREE(params);
393 + SAFE_FREE(data);
394 + SAFE_FREE(setup);
395 + return ERROR(ERRDOS,ERRinvalidparam);
396 }
397 diff -ur samba-2.0.10/source/smbd/password.c samba-2.0.10-security/source/smbd/password.c
398 --- samba-2.0.10/source/smbd/password.c 2000-03-17 01:59:48.000000000 +0300
399 +++ samba-2.0.10-security/source/smbd/password.c 2005-05-21 21:51:17.336975968 +0400
400 @@ -770,7 +770,7 @@
401 if (!ok && lp_username(snum)) {
402 char *auser;
403 pstring user_list;
404 - StrnCpy(user_list,lp_username(snum),sizeof(pstring));
405 + StrnCpy(user_list,lp_username(snum),sizeof(pstring)-1);
406
407 pstring_sub(user_list,"%S",lp_servicename(snum));
408
409 diff -ur samba-2.0.10/source/smbd/reply.c samba-2.0.10-security/source/smbd/reply.c
410 --- samba-2.0.10/source/smbd/reply.c 2001-06-23 12:51:24.000000000 +0400
411 +++ samba-2.0.10-security/source/smbd/reply.c 2005-05-21 21:51:17.378969584 +0400
412 @@ -1413,6 +1413,9 @@
413
414 for (i=numentries;(i<maxentries) && !finished;i++)
415 {
416 + /* check to make sure we have room in the buffer */
417 + if ( ((PTR_DIFF(p, outbuf))+DIR_STRUCT_SIZE) > BUFFER_SIZE )
418 + break;
419 finished =
420 !get_dir_entry(conn,mask,dirtype,fname,&size,&mode,&date,check_descend);
421 if (!finished)
422 @@ -3122,6 +3125,9 @@
423
424
425 for (i=first;i<first+num_to_get;i++) {
426 + /* check to make sure we have room in the buffer */
427 + if ( (PTR_DIFF(p, outbuf)+28) > BUFFER_SIZE )
428 + break;
429 put_dos_date2(p,0,queue[i].time);
430 CVAL(p,4) = (queue[i].status==LPQ_PRINTING?2:3);
431 SSVAL(p,5,printjob_encode(SNUM(conn),
432 diff -ur samba-2.0.10/source/smbd/trans2.c samba-2.0.10-security/source/smbd/trans2.c
433 --- samba-2.0.10/source/smbd/trans2.c 2000-04-24 21:27:31.000000000 +0400
434 +++ samba-2.0.10-security/source/smbd/trans2.c 2005-05-21 21:51:17.402965936 +0400
435 @@ -201,7 +201,6 @@
436 int16 open_ofun = SVAL(params,12);
437 int32 open_size = IVAL(params,14);
438 char *pname = &params[28];
439 - int16 namelen = strlen(pname)+1;
440
441 pstring fname;
442 mode_t unixmode;
443 @@ -213,7 +212,7 @@
444 BOOL bad_path = False;
445 files_struct *fsp;
446
447 - StrnCpy(fname,pname,namelen);
448 + pstrcpy(fname,pname);
449
450 DEBUG(3,("trans2open %s mode=%d attr=%d ofun=%d size=%d\n",
451 fname,open_mode, open_attr, open_ofun, open_size));
452 @@ -2185,7 +2184,7 @@
453 unsigned int suwcnt = SVAL(inbuf, smb_suwcnt);
454 unsigned int tran_call = SVAL(inbuf, smb_setup0);
455 char *params = NULL, *data = NULL;
456 - int num_params, num_params_sofar, num_data, num_data_sofar;
457 + unsigned int num_params, num_params_sofar, num_data, num_data_sofar;
458
459 if(global_oplock_break && (tran_call == TRANSACT2_OPEN)) {
460 /* Queue this open message as we are the process of an
461 @@ -2203,8 +2202,9 @@
462 /* All trans2 messages we handle have smb_sucnt == 1 - ensure this
463 is so as a sanity check */
464 if (suwcnt != 1) {
465 - DEBUG(2,("Invalid smb_sucnt in trans2 call\n"));
466 - return(ERROR(ERRSRV,ERRerror));
467 + DEBUG(2,("Invalid smb_sucnt in trans2 call(%u)\n",suwcnt));
468 + DEBUG(2,("Transaction is %d\n",tran_call));
469 + ERROR(ERRDOS,ERRinvalidparam);
470 }
471
472 /* Allocate the space for the maximum needed parameters and data */
473 @@ -2215,11 +2215,9 @@
474
475 if ((total_params && !params) || (total_data && !data)) {
476 DEBUG(2,("Out of memory in reply_trans2\n"));
477 - if(params)
478 - free(params);
479 - if(data)
480 - free(data);
481 - return(ERROR(ERRDOS,ERRnomem));
482 + SAFE_FREE(params);
483 + SAFE_FREE(data);
484 + return ERROR(ERRDOS,ERRnomem);
485 }
486
487 /* Copy the param and data bytes sent with this request into
488 @@ -2230,20 +2228,37 @@
489 if (num_params > total_params || num_data > total_data)
490 exit_server("invalid params in reply_trans2");
491
492 - if(params)
493 - memcpy( params, smb_base(inbuf) + SVAL(inbuf, smb_psoff), num_params);
494 - if(data)
495 - memcpy( data, smb_base(inbuf) + SVAL(inbuf, smb_dsoff), num_data);
496 + if(params) {
497 + unsigned int psoff = SVAL(inbuf, smb_psoff);
498 + if ((psoff + num_params < psoff) || (psoff + num_params < num_params))
499 + goto bad_param;
500 + if (smb_base(inbuf) + psoff + num_params > inbuf + length)
501 + goto bad_param;
502 + memcpy( params, smb_base(inbuf) + psoff, num_params);
503 + }
504 + if(data) {
505 + unsigned int dsoff = SVAL(inbuf, smb_dsoff);
506 + if ((dsoff + num_data < dsoff) || (dsoff + num_data < num_data))
507 + goto bad_param;
508 + if (smb_base(inbuf) + dsoff + num_data > inbuf + length)
509 + goto bad_param;
510 + memcpy( data, smb_base(inbuf) + dsoff, num_data);
511 + }
512
513 if(num_data_sofar < total_data || num_params_sofar < total_params) {
514 /* We need to send an interim response then receive the rest
515 of the parameter/data bytes */
516 outsize = set_message(outbuf,0,0,True);
517 - send_smb(Client,outbuf);
518 + if (!send_smb(Client,outbuf))
519 + exit_server("reply_trans2: send_smb failed.");
520
521 while (num_data_sofar < total_data ||
522 num_params_sofar < total_params) {
523 BOOL ret;
524 + unsigned int param_disp;
525 + unsigned int param_off;
526 + unsigned int data_disp;
527 + unsigned int data_off;
528
529 ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
530
531 @@ -2255,26 +2270,55 @@
532 else
533 DEBUG(0,("reply_trans2: %s in getting secondary trans2 response.\n",
534 (smb_read_error == READ_ERROR) ? "error" : "timeout" ));
535 - if(params)
536 - free(params);
537 - if(data)
538 - free(data);
539 - return(ERROR(ERRSRV,ERRerror));
540 + goto bad_param;
541 }
542
543 /* Revise total_params and total_data in case
544 they have changed downwards */
545 - total_params = SVAL(inbuf, smb_tpscnt);
546 - total_data = SVAL(inbuf, smb_tdscnt);
547 - num_params_sofar += (num_params = SVAL(inbuf,smb_spscnt));
548 - num_data_sofar += ( num_data = SVAL(inbuf, smb_sdscnt));
549 + if (SVAL(inbuf, smb_tpscnt) < total_params)
550 + total_params = SVAL(inbuf, smb_tpscnt);
551 + if (SVAL(inbuf, smb_tdscnt) < total_data)
552 + total_data = SVAL(inbuf, smb_tdscnt);
553 +
554 + num_params = SVAL(inbuf,smb_spscnt);
555 + param_off = SVAL(inbuf, smb_spsoff);
556 + param_disp = SVAL(inbuf, smb_spsdisp);
557 + num_params_sofar += num_params;
558 +
559 + num_data = SVAL(inbuf, smb_sdscnt);
560 + data_off = SVAL(inbuf, smb_sdsoff);
561 + data_disp = SVAL(inbuf, smb_sdsdisp);
562 + num_data_sofar += num_data;
563 +
564 if (num_params_sofar > total_params || num_data_sofar > total_data)
565 - exit_server("data overflow in trans2");
566 + goto bad_param;
567
568 - memcpy( &params[ SVAL(inbuf, smb_spsdisp)],
569 - smb_base(inbuf) + SVAL(inbuf, smb_spsoff), num_params);
570 - memcpy( &data[SVAL(inbuf, smb_sdsdisp)],
571 - smb_base(inbuf)+ SVAL(inbuf, smb_sdsoff), num_data);
572 + if (num_params) {
573 + if (param_disp + num_params >= total_params)
574 + goto bad_param;
575 + if ((param_disp + num_params < param_disp) ||
576 + (param_disp + num_params < num_params))
577 + goto bad_param;
578 + if (smb_base(inbuf) + param_off + num_params >= inbuf + bufsize)
579 + goto bad_param;
580 + if (params + param_disp < params)
581 + goto bad_param;
582 +
583 + memcpy( &params[param_disp], smb_base(inbuf) + param_off, num_params);
584 + }
585 + if (num_data) {
586 + if (data_disp + num_data >= total_data)
587 + goto bad_param;
588 + if ((data_disp + num_data < data_disp) ||
589 + (data_disp + num_data < num_data))
590 + goto bad_param;
591 + if (smb_base(inbuf) + data_off + num_data >= inbuf + bufsize)
592 + goto bad_param;
593 + if (data + data_disp < data)
594 + goto bad_param;
595 +
596 + memcpy( &data[data_disp], smb_base(inbuf) + data_off, num_data);
597 + }
598 }
599 }
600
601 @@ -2367,4 +2411,10 @@
602 return outsize; /* If a correct response was needed the
603 call_trans2xxx calls have already sent
604 it. If outsize != -1 then it is returning */
605 +
606 + bad_param:
607 +
608 + SAFE_FREE(params);
609 + SAFE_FREE(data);
610 + return (ERROR(ERRDOS,ERRinvalidparam));
611 }
This page took 0.063016 seconds and 5 git commands to generate.