From b33b7a0aedbd29bb23eb41fea4e378b757c5c32c Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Sat, 2 May 2020 14:54:01 +0200
Subject: [PATCH 1/4] libsmb: Fix indentation in cli_RNetShareEnum()

Also remove a level of indentation with a "goto done;"

Best review with "git show -b", almost no code change

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14366

Signed-off-by: Volker Lendecke
Reviewed-by: Andreas Schneider
(cherry picked from commit ae91d67a247424d4ddc89230f52365558d6ff402)
---
 source3/libsmb/clirap.c | 133 +++++++++++++++++++++------------------
 1 file changed, 69 insertions(+), 64 deletions(-)

diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
index 71c7b97ad54..8171257f6d1 100644
--- a/source3/libsmb/clirap.c
+++ b/source3/libsmb/clirap.c
@@ -175,6 +175,8 @@ int cli_RNetShareEnum(struct cli_state *cli, void (*fn)(const char *, uint32_t,
 unsigned int rdrcnt,rprcnt;
 char param[1024];
 int count = -1;
+ bool ok;
+ int res;
 
 /* now send a SMBtrans command with api RNetShareEnum */
 p = param;
@@ -192,74 +194,77 @@ int cli_RNetShareEnum(struct cli_state *cli, void (*fn)(const char *, uint32_t,
 SSVAL(p,2,0xFFE0);
 p += 4;
- if (cli_api(cli,
- param, PTR_DIFF(p,param), 1024, /* Param, length, maxlen */
- NULL, 0, 0xFFE0, /* data, length, maxlen - Win2k needs a small buffer here too ! */
- &rparam, &rprcnt, /* return params, length */
- &rdata, &rdrcnt)) /* return data, length */
- {
- int res = rparam? SVAL(rparam,0) : -1;
-
- if (res == 0 || res == ERRmoredata) {
- int converter=SVAL(rparam,2);
- int i;
- char *rdata_end = rdata + rdrcnt;
-
- count=SVAL(rparam,4);
- p = rdata;
-
- for (i=0;i rdata_end) {
- TALLOC_FREE(frame);
- break;
- }
-
- sname = p;
- type = SVAL(p,14);
- comment_offset = (IVAL(p,16) & 0xFFFF) - converter;
- if (comment_offset < 0 ||
- comment_offset > (int)rdrcnt) {
- TALLOC_FREE(frame);
- break;
- }
- cmnt = comment_offset?(rdata+comment_offset):"";
-
- /* Work out the comment length. */
- for (p1 = cmnt, len = 0; *p1 &&
- p1 < rdata_end; len++)
- p1++;
- if (!*p1) {
- len++;
- }
- pull_string_talloc(frame,rdata,0,
- &s1,sname,14,STR_ASCII);
- pull_string_talloc(frame,rdata,0,
- &s2,cmnt,len,STR_ASCII);
- if (!s1 || !s2) {
- TALLOC_FREE(frame);
- continue;
- }
-
- fn(s1, type, s2, state);
+ ok = cli_api(
+ cli,
+ param, PTR_DIFF(p,param), 1024, /* Param, length, maxlen */
+ NULL, 0, 0xFFE0, /* data, length, maxlen - Win2k needs a small buffer here too ! */
+ &rparam, &rprcnt, /* return params, length */
+ &rdata, &rdrcnt); /* return data, length */
+ if (!ok) {
+ DEBUG(4,("NetShareEnum failed\n"));
+ goto done;
+ }
+
+ res = rparam? SVAL(rparam,0) : -1;
+
+ if (res == 0 || res == ERRmoredata) {
+ int converter=SVAL(rparam,2);
+ int i;
+ char *rdata_end = rdata + rdrcnt;
+
+ count=SVAL(rparam,4);
+ p = rdata;
+
+ for (i=0;i rdata_end) {
+ TALLOC_FREE(frame);
+ break;
+ }
- TALLOC_FREE(frame);
- }
- } else {
- DEBUG(4,("NetShareEnum res=%d\n", res));
+ sname = p;
+ type = SVAL(p,14);
+ comment_offset = (IVAL(p,16) & 0xFFFF) - converter;
+ if (comment_offset < 0 ||
+ comment_offset > (int)rdrcnt) {
+ TALLOC_FREE(frame);
+ break;
 }
- } else {
- DEBUG(4,("NetShareEnum failed\n"));
+ cmnt = comment_offset?(rdata+comment_offset):"";
+
+ /* Work out the comment length. */
+ for (p1 = cmnt, len = 0; *p1 &&
+ p1 < rdata_end; len++)
+ p1++;
+ if (!*p1) {
+ len++;
+ }
+ pull_string_talloc(frame,rdata,0,
+ &s1,sname,14,STR_ASCII);
+ pull_string_talloc(frame,rdata,0,
+ &s2,cmnt,len,STR_ASCII);
+ if (!s1 || !s2) {
+ TALLOC_FREE(frame);
+ continue;
+ }
+
+ fn(s1, type, s2, state);
+
+ TALLOC_FREE(frame);
 }
+ } else {
+ DEBUG(4,("NetShareEnum res=%d\n", res));
+ }
+done:
 SAFE_FREE(rparam);
 SAFE_FREE(rdata);
-- 
2.20.1

From 019b1b34a453410a4965ae133401cb5d232c87f2 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Sat, 2 May 2020 14:59:07 +0200
Subject: [PATCH 2/4] libsmb: Protect cli_RNetShareEnum() against rprcnt<6

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14366

Signed-off-by: Volker Lendecke
Reviewed-by: Andreas Schneider
(cherry picked from commit 4a9fe4efefa67d6f24efcbe29722a43fc4859fdc)
---
 source3/libsmb/clirap.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
index 8171257f6d1..5e8b7bcecd1 100644
--- a/source3/libsmb/clirap.c
+++ b/source3/libsmb/clirap.c
@@ -205,6 +205,11 @@ int cli_RNetShareEnum(struct cli_state *cli, void (*fn)(const char *, uint32_t,
 goto done;
 }
 
+ if (rprcnt < 6) {
+ DBG_ERR("Got invalid result: rprcnt=%u\n", rprcnt);
+ goto done;
+ }
+
 res = rparam? SVAL(rparam,0) : -1;
 
 if (res == 0 || res == ERRmoredata) {
-- 
2.20.1
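Review bot: The comment-length scan on the new side of this hunk dereferences before it bounds-checks: `for (p1 = cmnt, len = 0; *p1 && p1 < rdata_end; len++)` reads `*p1` first, and the guard just above it, `comment_offset > (int)rdrcnt`, lets comment_offset == rdrcnt through, so cmnt can start exactly at rdata_end and the first read (and the later `if (!*p1)`) is one byte past the server-supplied reply buffer. The commit is a re-indent so this is pre-existing, but it is the same class of attacker-controlled-length problem the rest of the series guards against. The fix is to reject comment_offset >= rdrcnt, test the bound before the byte, and keep the `""` fallback (which does not live in rdata) out of the bounded scan by giving it len = 1 directly. The loop header is partly unreadable in this copy of the hunk, and cli_RNetShareEnum begins before and continues after it.
```c
/* … unchanged: sname/type/comment_offset parsing … */
if (comment_offset < 0 || comment_offset >= (int)rdrcnt) {
	TALLOC_FREE(frame);
	break;
}
if (comment_offset == 0) {
	/* No comment: the empty string plus its terminator. */
	cmnt = "";
	len = 1;
} else {
	/* Work out the comment length without reading past rdata_end. */
	cmnt = rdata + comment_offset;
	for (p1 = cmnt, len = 0; p1 < rdata_end && *p1; len++) {
		p1++;
	}
	if (p1 < rdata_end) {
		len++; /* terminator found inside the buffer */
	}
}
/* … unchanged: pull_string_talloc calls and fn() callback … */
```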
From 22b1937488f9a1c43c48b76b706fd868b19bf8e5 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Sat, 2 May 2020 15:10:14 +0200
Subject: [PATCH 3/4] libsmb: Protect cli_RNetServerEnum against rprcnt<6

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14366

Signed-off-by: Volker Lendecke
Reviewed-by: Andreas Schneider
(cherry picked from commit ce8b70df7bd63e96723b8e8dc864f1690f5fad7b)
---
 source3/libsmb/clirap.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
index 5e8b7bcecd1..b3e82440c10 100644
--- a/source3/libsmb/clirap.c
+++ b/source3/libsmb/clirap.c
@@ -373,6 +373,13 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32_t stype,
 }
 
 rdata_end = rdata + rdrcnt;
+
+ if (rprcnt < 6) {
+ DBG_ERR("Got invalid result: rprcnt=%u\n", rprcnt);
+ res = -1;
+ break;
+ }
+
 res = rparam ? SVAL(rparam,0) : -1;
 
 if (res == 0 || res == ERRmoredata ||
-- 
2.20.1

From 4bf2e3c416cb0e33fb98b030a2292c0ef935676c Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Sat, 2 May 2020 15:18:07 +0200
Subject: [PATCH 4/4] libsmb: Protect cli_oem_change_password() from rprcnt<2

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14366

Signed-off-by: Volker Lendecke
Reviewed-by: Andreas Schneider
Autobuild-User(master): Andreas Schneider
Autobuild-Date(master): Tue May 5 17:12:04 UTC 2020 on sn-devel-184
(cherry picked from commit f80c97cb8da64f3cd9904e2e1fd43c29b691166d)
---
 source3/libsmb/clirap.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
index b3e82440c10..1be331afda6 100644
--- a/source3/libsmb/clirap.c
+++ b/source3/libsmb/clirap.c
@@ -603,10 +603,16 @@ bool cli_oem_change_password(struct cli_state *cli, const char *user, const char
 return False;
 }
 
+ if (rdrcnt < 2) {
+ cli->rap_error = ERRbadformat;
+ goto done;
+ }
+
 if (rparam) {
 cli->rap_error = SVAL(rparam,0);
 }
 
+done:
 SAFE_FREE(rparam);
 SAFE_FREE(rdata);
 
-- 
2.20.1
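Review bot: The new guard in cli_oem_change_password() tests the wrong counter: it checks `rdrcnt < 2`, but the two-byte read it is meant to protect, `cli->rap_error = SVAL(rparam,0);` a few lines below, is from the parameter block, whose length is rprcnt, and the subject line itself says rprcnt<2. As far as this hunk shows, a reply with a non-empty data block and a parameter block shorter than two bytes still reaches the SVAL. Change the guard to `if (rprcnt < 2) {` (the other two patches in the series already key their checks on rprcnt). cli_oem_change_password starts before and continues after the hunk, so whatever follows the frees is not visible here.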