The Samba-Bugzilla – Attachment 17984 Details for
Bug 15420
reply_sesssetup_and_X() can dereference uninitialized tmp pointer
demo client program
smbd6c.c (text/x-csrc), 4.80 KB, created by
Robert Morris
on 2023-07-14 15:31:26 UTC
Description:
demo client program
Filename:
MIME Type:
Creator:
Robert Morris
Created:
2023-07-14 15:31:26 UTC
Size:
4.80 KB
// Demo client attached to Samba bug 15420 ("reply_sesssetup_and_X() can
// dereference uninitialized tmp pointer"): connects to an SMB1 server on
// TCP 445, sends a hand-built SMB_COM_NEGOTIATE followed by a hand-built
// SMB_COM_SESSION_SETUP_ANDX, and exits. Wire layout follows MS-CIFS; the
// multi-byte SMB fields are stored through casts in host byte order, so the
// packets are only correct on a little-endian host (only the NetBIOS length
// is explicitly converted with htons). Responses are read but not validated.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <sys/wait.h>
#include <sys/resource.h>
#include <arpa/inet.h>
#include <assert.h>
#include <ctype.h>
#include <fcntl.h>
#include <signal.h>

// Target and credentials are compiled in; both strings go over the wire in
// clear text (OEM password, no Unicode/NTLM), so this only makes sense
// against a local test server.
char *server_ip = "127.0.0.1";
char *username = "z";
char *password = "xxxxxxxx";

int s = -1;    // connected TCP socket, shared by negotiate()/setup()
int uid = 0;   // UID taken from the SESSION_SETUP_ANDX response, echoed by header()
int tid = 0;   // TID placed in every header; never set by this program
int fid = 0;   // unused

unsigned int header_flags = 0;   // SMB header Flags byte
unsigned int header_flags2 = 0;  // SMB header Flags2 word

// Fill buf with the 4-byte NetBIOS session header and the 32-byte SMB header
// for `command` and return the number of bytes written (always 36).
// buf must have room for at least 36 bytes. Only the command, Flags, Flags2,
// TID and UID fields are populated; everything else is zero. NOTE: the
// 2-byte stores through (short*) are unaligned and violate strict aliasing;
// memcpy would be the portable form.
int
header(char *buf, int command)
{
    int ii = 0;

    // SMB-over-TCP 4-byte header
    buf[ii++] = 0; // must be zero
    buf[ii++] = 0; // high byte of len
    // buf is a pointer parameter here, so sizeof(buf) is the pointer size, not
    // the packet length; both callers overwrite this field with the real
    // length before sending, so the value written here is irrelevant.
    *(short*)(buf+ii) = htons(sizeof(buf)-4); // non-inclusive len, filled later
    ii += 2;

    // 32-byte SMB header, MS-CIFS 2.2.3.1
    buf[ii++] = 0xff;
    buf[ii++] = 'S';
    buf[ii++] = 'M';
    buf[ii++] = 'B';
    buf[ii++] = command;
    buf[ii++] = 0; // status
    buf[ii++] = 0; // status
    buf[ii++] = 0; // status
    buf[ii++] = 0; // status
    buf[ii++] = header_flags; // flags
    *(short*)(buf+ii) = header_flags2; // flags2
    ii += 2;
    *(short*)(buf+ii) = 0; // PIDHigh
    ii += 2;
    ii += 8; // SecurityFeatures (left as whatever the caller memset into buf)
    *(short*)(buf+ii) = 0; // Reserved
    ii += 2;
    *(short*)(buf+ii) = tid; // TID
    ii += 2;
    *(short*)(buf+ii) = 0; // PIDLow
    ii += 2;
    *(short*)(buf+ii) = uid; // UID
    ii += 2;
    *(short*)(buf+ii) = 0; // MID
    ii += 2;

    return ii;
}

// Send SMB_COM_NEGOTIATE offering the single dialect `dialect`, then read
// (and discard) one response. Exits the process if write() fails. The
// request is always sent as the full 128-byte buffer, so everything after
// the dialect string is 0x01 filler from the memset; the NetBIOS length
// field is set accordingly, while ByteCount covers only the real data.
void
negotiate(const char *dialect)
{
    // SMB_COM_NEGOTIATE
    // dialect should probably be "NT LM 0.12"
    {
        char buf[128];
        memset(buf, 1, sizeof(buf));

        int ii = header(buf, 0x72);

        // parameter block, MS-CIFS 2.2.3.2
        int param_words = 0;
        buf[ii++] = param_words; // number of 16-bit words of parameters
        ii += param_words*2;

        // data block, MS-CIFS 2.2.3.3
        // SMB_COM_NEGOTIATE MS-CIFS 2.2.4.52
        int bci = ii;
        *(short*)(buf+ii) = 0; // byte count including this len (to be filled in)
        ii += 2;
        buf[ii++] = 0x02; // BufferFormat
        // No bounds check against sizeof(buf) here; a long dialect string
        // would overrun buf before the assert below is reached.
        memcpy(buf+ii, dialect, strlen(dialect) + 1);
        ii += strlen(dialect) + 1;

        *(short*)(buf+bci) = ii - bci - 2;

        // Send the whole buffer rather than the bytes actually built; the
        // server evidently tolerates the trailing 0x01 padding.
        ii = sizeof(buf); // this works

        *(short*)(buf+2) = htons(ii-4); // non-inclusive len

        // Always true after the assignment above; it only guards the
        // (unused) variant where ii is the built length.
        assert(ii <= sizeof(buf));

        // A short write is accepted as success; only <= 0 is treated as error.
        if(write(s, buf, ii) <= 0){
            perror("write");
            exit(1);
        }
    }

    {
        // read negotiate response, MS-CIFS 2.2.4.52.2
        // The response (including the SessionKey that SESSION_SETUP_ANDX
        // should echo) is not parsed; cc is never checked.
        unsigned char buf[1024];
        memset(buf, 0, sizeof(buf));
        int cc = read(s, buf, sizeof(buf));
    }
}

// Send SMB_COM_SESSION_SETUP_ANDX using the global username/password with a
// clear-text OEM password, then read one response and take the UID from its
// header. Exits the process if write() fails. ByteCount in the request is
// computed so that it covers only the OEMPassword bytes (see the note at the
// ByteCount store); presumably this is the request shape the bug report is
// about — confirm against the bug discussion.
void
setup()
{
    // SMB_COM_SESSION_SETUP_ANDX
    // MS-CIFS 3.2.4.2.3
    {
        char buf[128];
        memset(buf, 1, sizeof(buf));

        int ii = header(buf, 0x73);

        // parameter block, MS-CIFS 2.2.4.53.1
        // 13 words = 26 bytes, matching the fields written below.
        int param_words = 13;
        buf[ii++] = param_words; // number of 16-bit words of parameters
        // ii is 37 at this point
        buf[ii++] = 0xff; // AndXCommand (next command) 0xff means none
        buf[ii++] = 0; // Reserved
        *(short*)(buf+ii) = 0; // AndXOffset
        ii += 2;
        *(short*)(buf+ii) = 8192; // MaxBufferSize
        ii += 2;
        *(short*)(buf+ii) = 2; // MaxMpxCount
        ii += 2;
        *(short*)(buf+ii) = 0; // VcNumber
        ii += 2;
        // Always zero: negotiate() does not parse the server's SessionKey.
        *(int*)(buf+ii) = 0; // SessionKey, from negotiate response XXX
        ii += 4;
        *(short*)(buf+ii) = strlen(password); // OEMPasswordLen
        ii += 2;
        *(short*)(buf+ii) = 0; // UnicodePasswordLen
        ii += 2;
        *(int*)(buf+ii) = 0; // Reserved
        ii += 4;
        *(int*)(buf+ii) = 0; // Capabilities
        ii += 4;

        // data block
        int bci = ii;
        *(short*)(buf+ii) = 0; // byte count including this len (to be filled in)
        ii += 2;
        // OEMPassword
        memcpy(buf+ii, password, strlen(password));
        // Advances by the literal 8, which equals strlen(password) only for
        // the 8-character default; OEMPasswordLen above would disagree with
        // the bytes placed here for any other password length.
        ii += 8;
        // pad
        // (ii % 1) is always 0, so this never pads; 2-byte alignment would
        // need (ii % 2).
        if(ii % 1)
            ii++;
        int zzz = ii;
        // AccountName
        // No bounds check: a long username would overrun buf.
        memcpy(buf+ii, username, strlen(username) + 1);
        ii += strlen(username) + 1;
        // PrimaryDomain
        buf[ii++] = '\0';
        // NativeOS
        buf[ii++] = '\0';
        // NativeLanMan
        buf[ii++] = '\0';

        // ByteCount is taken from zzz, i.e. it covers only the OEMPassword
        // bytes; AccountName and the three empty strings written above lie
        // beyond the declared ByteCount. The commented-out line is the
        // full-length form.
        // *(short*)(buf+bci) = ii - bci - 2;
        *(short*)(buf+bci) = zzz - bci - 2;

        // As in negotiate(): send the full 128-byte buffer, 0x01-padded.
        ii = sizeof(buf);

        *(short*)(buf+2) = htons(ii-4); // non-inclusive len

        assert(ii <= sizeof(buf));

        if(write(s, buf, ii) <= 0){
            perror("write");
            exit(1);
        }
    }

    {
        // read session setup response, MS-CIFS 2.2.4.53.2
        unsigned char buf[1024];
        memset(buf, 0, sizeof(buf));
        // cc is not checked: if fewer than 34 bytes arrive (or the read
        // fails), uid is read from the zeroed buffer and silently becomes 0.
        int cc = read(s, buf, sizeof(buf));
        // Offset 32 = 4-byte NetBIOS header + UID at offset 28 of the SMB
        // header; the mask discards the sign extension of the short.
        uid = *(short*)(buf+32);
        uid &= 0xffff;
    }
}

// Connect to server_ip:445, retrying once a second until connect() succeeds,
// then run the NEGOTIATE / SESSION_SETUP_ANDX exchange and close the socket.
// SIGPIPE is ignored so a server-side close surfaces as a write() error
// instead of killing the process; SIGTERM is also ignored, so the program
// has to be stopped with SIGINT or SIGKILL.
int
main()
{
    signal(SIGPIPE, SIG_IGN);
    signal(SIGTERM, SIG_IGN);

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(445); // SMB over TCP
    // inet_addr() returns INADDR_NONE for an unparsable server_ip; not checked.
    sin.sin_addr.s_addr = inet_addr(server_ip);

    // Loop until the server accepts a connection; the socket() result is not
    // checked, so a socket() failure is retried like a refused connection.
    while(1){
        s = socket(AF_INET, SOCK_STREAM, 0);
        if(connect(s, (struct sockaddr *)&sin, sizeof(sin)) == 0)
            break;
        close(s);
        sleep(1);
    }

    sleep(1);

    negotiate("NT LM 0.12");
    setup();

    close(s);
}