From 51400c9d0e4cd82cffac680eaa25ae27f0d2b3d4 Mon Sep 17 00:00:00 2001
From: Ralph Wuerthner
Date: Thu, 4 Apr 2013 12:59:36 +0200
Subject: [PATCH 1/3] s3:smbd: do not access data behind req->buf+req->buflen in srvstr_get_path_req_wcard()

---
 source3/smbd/reply.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index d7b3199..65f9652 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -318,9 +318,16 @@ size_t srvstr_get_path_req_wcard(TALLOC_CTX *mem_ctx, struct smb_request *req,
 char **pp_dest, const char *src, int flags, NTSTATUS *err,
 bool *contains_wcard)
 {
- return srvstr_get_path_wcard(mem_ctx, (const char *)req->inbuf, req->flags2,
- pp_dest, src, smbreq_bufrem(req, src),
- flags, err, contains_wcard);
+ ssize_t bufrem = smbreq_bufrem(req, src);
+
+ if (bufrem < 0) {
+ *err = NT_STATUS_INVALID_PARAMETER;
+ return 0;
+ }
+
+ return srvstr_get_path_wcard(mem_ctx, (const char *)req->inbuf,
+ req->flags2, pp_dest, src, bufrem, flags,
+ err, contains_wcard);
 }

 size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req,
-- 
1.7.9.5

From 12b0f423469dd7e282012ba798117f83c17a76d9 Mon Sep 17 00:00:00 2001
From: Ralph Wuerthner
Date: Thu, 4 Apr 2013 13:24:36 +0200
Subject: [PATCH 2/3] s3:smbd: convert srvstr_pull_req_talloc() into a function

---
 source3/include/srvstr.h | 9 ---------
 source3/smbd/proto.h | 2 ++
 source3/smbd/reply.c | 11 +++++++++++
 3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/source3/include/srvstr.h b/source3/include/srvstr.h
index 7e7d8a2..2c6e7ef 100644
--- a/source3/include/srvstr.h
+++ b/source3/include/srvstr.h
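Review bot: The new guard `if (bufrem < 0)` is only meaningful if smbreq_bufrem() returns a signed type; the removed lines passed its result straight through as the size_t src_len of srvstr_get_path_wcard(), so if it still returns size_t the out-of-range case arrives as a huge unsigned value and its assignment to `ssize_t bufrem` is an implementation-defined conversion rather than a guaranteed check. Confirm the return type (not visible in this patch) and, if it is unsigned, change it to ssize_t or test the pointer directly, e.g. `if (src < (const char *)req->buf || src > (const char *)req->buf + req->buflen)`. If the helper computes the remainder as buflen minus the pointer difference, a src that lies before req->buf presumably yields a remainder larger than buflen, which a sign test alone does not reject. The signature of srvstr_get_path_req_wcard() lies outside the hunk.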
@@ -19,12 +19,3 @@

 #define srvstr_pull_talloc(ctx, base_ptr, smb_flags2, dest, src, src_len, flags) \
 pull_string_talloc(ctx, base_ptr, smb_flags2, dest, src, src_len, flags)
-
-/* pull a string from the smb_buf part of a packet. In this case the
- string can either be null terminated or it can be terminated by the
- end of the smbbuf area
-*/
-
-#define srvstr_pull_req_talloc(ctx, req_, dest, src, flags) \
- pull_string_talloc(ctx, req_->inbuf, req_->flags2, dest, src, \
- smbreq_bufrem(req_, src), flags)
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index 35ae8a2..319e20e 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -826,6 +826,8 @@ size_t srvstr_get_path_req_wcard(TALLOC_CTX *mem_ctx, struct smb_request *req,
 size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req,
 char **pp_dest, const char *src, int flags, NTSTATUS *err);
+size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req,
+ char **dest, const char *src, int flags);
 bool check_fsp_open(connection_struct *conn, struct smb_request *req,
 files_struct *fsp);
 bool check_fsp(connection_struct *conn, struct smb_request *req,
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 65f9652..3717f36 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -339,6 +339,17 @@ size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req,
 flags, err, &ignore);
 }

+/* pull a string from the smb_buf part of a packet. In this case the
+ string can either be null terminated or it can be terminated by the
+ end of the smbbuf area
+*/
+size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req,
+ char **dest, const char *src, int flags)
+{
+ return pull_string_talloc(ctx, req->inbuf, req->flags2, dest, src,
+ smbreq_bufrem(req, src), flags);
+}
+
 /****************************************************************************
 Check if we have a correct fsp pointing to a file. Basic check for open fsp.
 ****************************************************************************/
-- 
1.7.9.5

From 3ec22f9a2e1b9cdb04badb059a7296caaefd2e9b Mon Sep 17 00:00:00 2001
From: Ralph Wuerthner
Date: Thu, 4 Apr 2013 13:29:01 +0200
Subject: [PATCH 3/3] s3:smbd: do not access data behind req->buf+req->buflen in srvstr_pull_req_talloc()

---
 source3/smbd/reply.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 3717f36..c815a5a 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -346,8 +346,14 @@ size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req,
 size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req,
 char **dest, const char *src, int flags)
 {
+ ssize_t bufrem = smbreq_bufrem(req, src);
+
+ if (bufrem < 0) {
+ return 0;
+ }
+
 return pull_string_talloc(ctx, req->inbuf, req->flags2, dest, src,
- smbreq_bufrem(req, src), flags);
+ bufrem, flags);
 }

 /****************************************************************************
-- 
1.7.9.5
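Review bot: The early `return 0;` added to srvstr_pull_req_talloc() leaves `*dest` untouched, so any caller that tests the pulled string rather than the return value (`if (*dest == NULL)` / `if (!name)`) reads whatever was in it beforehand; set it explicitly, `if (bufrem < 0) { *dest = NULL; return 0; }`. As in patch 1, the sign test only works if smbreq_bufrem() returns a signed type — the removed line passed its result straight through as pull_string_talloc()'s src_len, so confirm that type, otherwise `bufrem < 0` can never be true. Unlike srvstr_get_path_req_wcard() there is no NTSTATUS out-parameter here, so the function's comment (in context above the hunk) should say that a return of 0 with *dest == NULL means src lay outside the request buffer, so callers can tell it from an empty string.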