source:
freewrt/package/samba/patches/200-security.patch@
428f140
| Last change on this file since 428f140 was 475ad56, checked in by , 20 years ago | |
|---|---|
|
|
| File size: 21.1 KB | |
-
source/include/smb.h
diff -ruN samba-2.0.10.orig/source/include/smb.h samba-2.0.10/source/include/smb.h
old new 272 272 #define ERRlock 33 /* Lock request conflicts with existing lock */ 273 273 #define ERRunsup 50 /* Request unsupported, returned by Win 95, RJS 20Jun98 */ 274 274 #define ERRfilexists 80 /* File in operation already exists */ 275 #define ERRinvalidparam 87 275 276 #define ERRcannotopen 110 /* Cannot open the file specified */ 276 277 #define ERRunknownlevel 124 277 278 #define ERRrename 183 … … 1911 1912 1912 1913 #define SAFE_NETBIOS_CHARS ". -_" 1913 1914 1915 #ifndef SAFE_FREE 1916 #define SAFE_FREE(x) do { if ((x) != NULL) {free((x)); (x)=NULL;} } while(0) 1917 #endif 1914 1918 #endif /* _SMB_H */ -
source/include/version.h
diff -ruN samba-2.0.10.orig/source/include/version.h samba-2.0.10/source/include/version.h
old new 1 #define VERSION "2.0.10 "1 #define VERSION "2.0.10-security-rollup" -
source/smbd/filename.c
diff -ruN samba-2.0.10.orig/source/smbd/filename.c samba-2.0.10/source/smbd/filename.c
old new 172 172 * StrnCpy always null terminates. 173 173 */ 174 174 175 StrnCpy(orig_name, full_orig_name, namelen);175 StrnCpy(orig_name, full_orig_name, MIN(namelen, sizeof(orig_name)-1)); 176 176 if(!case_sensitive) 177 177 strupper( orig_name ); 178 178 -
source/smbd/ipc.c
diff -ruN samba-2.0.10.orig/source/smbd/ipc.c samba-2.0.10/source/smbd/ipc.c
old new 3556 3556 uint16 *setup=NULL; 3557 3557 int outsize = 0; 3558 3558 uint16 vuid = SVAL(inbuf,smb_uid); 3559 int tpscnt = SVAL(inbuf,smb_vwv0);3560 int tdscnt = SVAL(inbuf,smb_vwv1);3561 int mprcnt = SVAL(inbuf,smb_vwv2);3562 int mdrcnt = SVAL(inbuf,smb_vwv3);3563 int msrcnt = CVAL(inbuf,smb_vwv4);3559 unsigned int tpscnt = SVAL(inbuf,smb_vwv0); 3560 unsigned int tdscnt = SVAL(inbuf,smb_vwv1); 3561 unsigned int mprcnt = SVAL(inbuf,smb_vwv2); 3562 unsigned int mdrcnt = SVAL(inbuf,smb_vwv3); 3563 unsigned int msrcnt = CVAL(inbuf,smb_vwv4); 3564 3564 BOOL close_on_completion = BITSETW(inbuf+smb_vwv5,0); 3565 3565 BOOL one_way = BITSETW(inbuf+smb_vwv5,1); 3566 int pscnt = SVAL(inbuf,smb_vwv9);3567 int psoff = SVAL(inbuf,smb_vwv10);3568 int dscnt = SVAL(inbuf,smb_vwv11);3569 int dsoff = SVAL(inbuf,smb_vwv12);3570 int suwcnt = CVAL(inbuf,smb_vwv13);3566 unsigned int pscnt = SVAL(inbuf,smb_vwv9); 3567 unsigned int psoff = SVAL(inbuf,smb_vwv10); 3568 unsigned int dscnt = SVAL(inbuf,smb_vwv11); 3569 unsigned int dsoff = SVAL(inbuf,smb_vwv12); 3570 unsigned int suwcnt = CVAL(inbuf,smb_vwv13); 3571 3571 3572 3572 memset(name, '\0',sizeof(name)); 3573 3573 fstrcpy(name,smb_buf(inbuf)); … … 3578 3578 3579 3579 if (tdscnt) { 3580 3580 if((data = (char *)malloc(tdscnt)) == NULL) { 3581 DEBUG(0,("reply_trans: data malloc fail for % dbytes !\n", tdscnt));3581 DEBUG(0,("reply_trans: data malloc fail for %u bytes !\n", tdscnt)); 3582 3582 return(ERROR(ERRDOS,ERRnomem)); 3583 3583 } 3584 if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt)) 3585 goto bad_param; 3586 if (smb_base(inbuf)+dsoff+dscnt > inbuf + size) 3587 goto bad_param; 3588 3584 3589 memcpy(data,smb_base(inbuf)+dsoff,dscnt); 3585 3590 } 3586 3591 3587 3592 if (tpscnt) { 3588 3593 if((params = (char *)malloc(tpscnt)) == NULL) { 3589 DEBUG(0,("reply_trans: param malloc fail for %d bytes !\n", tpscnt)); 3594 DEBUG(0,("reply_trans: param malloc fail for %u bytes !\n", tpscnt)); 3595 SAFE_FREE(data); 3590 3596 return(ERROR(ERRDOS,ERRnomem)); 3591 3597 } 3598 if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt)) 3599 goto bad_param; 3600 if (smb_base(inbuf)+psoff+pscnt > inbuf + size) 3601 goto bad_param; 3602 3592 3603 memcpy(params,smb_base(inbuf)+psoff,pscnt); 3593 3604 } 3594 3605 3595 3606 if (suwcnt) { 3596 3607 int i; 3597 3608 if((setup = (uint16 *)malloc(suwcnt*sizeof(uint16))) == NULL) { 3598 DEBUG(0,("reply_trans: setup malloc fail for %d bytes !\n", (int)(suwcnt * sizeof(uint16)))); 3599 return(ERROR(ERRDOS,ERRnomem)); 3600 } 3609 DEBUG(0,("reply_trans: setup malloc fail for %u bytes !\n", (unsigned int)(suwcnt * sizeof(uint16)))); 3610 SAFE_FREE(data); 3611 SAFE_FREE(params); 3612 return(ERROR(ERRDOS,ERRnomem)); 3613 } 3614 if (inbuf+smb_vwv14+(suwcnt*SIZEOFWORD) > inbuf + size) 3615 goto bad_param; 3616 if ((smb_vwv14+(suwcnt*SIZEOFWORD) < smb_vwv14) || (smb_vwv14+(suwcnt*SIZEOFWORD) < (suwcnt*SIZEOFWORD))) 3617 goto bad_param; 3618 3601 3619 for (i=0;i<suwcnt;i++) 3602 3620 setup[i] = SVAL(inbuf,smb_vwv14+i*SIZEOFWORD); 3603 3621 } … … 3614 3632 /* receive the rest of the trans packet */ 3615 3633 while (pscnt < tpscnt || dscnt < tdscnt) { 3616 3634 BOOL ret; 3617 int pcnt,poff,dcnt,doff,pdisp,ddisp;3635 unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp; 3618 3636 3619 3637 ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT); 3620 3638 … … 3625 3643 DEBUG(0,("reply_trans: %s in getting secondary trans response.\n", 3626 3644 (smb_read_error == READ_ERROR) ? "error" : "timeout" )); 3627 3645 } 3628 if (params) 3629 free(params); 3630 if (data) 3631 free(data); 3632 if (setup) 3633 free(setup); 3646 SAFE_FREE(params); 3647 SAFE_FREE(data); 3648 SAFE_FREE(setup); 3634 3649 return(ERROR(ERRSRV,ERRerror)); 3635 3650 } 3636 3651 3637 3652 show_msg(inbuf); 3638 3653 3639 tpscnt = SVAL(inbuf,smb_vwv0); 3640 tdscnt = SVAL(inbuf,smb_vwv1); 3654 /* Revise total_params and total_data in case they have changed downwards */ 3655 if (SVAL(inbuf,smb_vwv0) < tpscnt) 3656 tpscnt = SVAL(inbuf,smb_vwv0); 3657 if (SVAL(inbuf,smb_vwv1) < tdscnt) 3658 tdscnt = SVAL(inbuf,smb_vwv1); 3641 3659 3642 3660 pcnt = SVAL(inbuf,smb_vwv2); 3643 3661 poff = SVAL(inbuf,smb_vwv3); … … 3650 3668 pscnt += pcnt; 3651 3669 dscnt += dcnt; 3652 3670 3653 if (dscnt > tdscnt || pscnt > tpscnt) { 3654 exit_server("invalid trans parameters\n"); 3655 } 3671 if (dscnt > tdscnt || pscnt > tpscnt) 3672 goto bad_param; 3656 3673 3657 if (pcnt) 3674 if (pcnt) { 3675 if (pdisp+pcnt >= tpscnt) 3676 goto bad_param; 3677 if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt)) 3678 goto bad_param; 3679 if (smb_base(inbuf) + poff + pcnt >= inbuf + bufsize) 3680 goto bad_param; 3681 if (params + pdisp < params) 3682 goto bad_param; 3683 3658 3684 memcpy(params+pdisp,smb_base(inbuf)+poff,pcnt); 3659 if (dcnt) 3685 } 3686 3687 if (dcnt) { 3688 if (ddisp+dcnt >= tdscnt) 3689 goto bad_param; 3690 if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt)) 3691 goto bad_param; 3692 if (smb_base(inbuf) + doff + dcnt >= inbuf + bufsize) 3693 goto bad_param; 3694 if (data + ddisp < data) 3695 goto bad_param; 3696 3660 3697 memcpy(data+ddisp,smb_base(inbuf)+doff,dcnt); 3698 } 3661 3699 } 3662 3663 3700 3664 3701 DEBUG(3,("trans <%s> data=%d params=%d setup=%d\n", 3665 3702 name,tdscnt,tpscnt,suwcnt)); 3666 3703 … … 3700 3737 return(ERROR(ERRSRV,ERRnosupport)); 3701 3738 3702 3739 return(outsize); 3740 3741 bad_param: 3742 3743 DEBUG(0,("reply_trans: invalid trans parameters\n")); 3744 SAFE_FREE(data); 3745 SAFE_FREE(params); 3746 SAFE_FREE(setup); 3747 return(ERROR(ERRSRV,ERRerror)); 3703 3748 } -
source/smbd/nttrans.c
diff -ruN samba-2.0.10.orig/source/smbd/nttrans.c samba-2.0.10/source/smbd/nttrans.c
old new 2575 2575 params = (char *)malloc(total_parameter_count); 2576 2576 if (total_data_count > 0) 2577 2577 data = (char *)malloc(total_data_count); 2578 2578 2579 2579 if ((total_parameter_count && !params) || (total_data_count && !data) || 2580 2580 (setup_count && !setup)) { 2581 SAFE_FREE(setup); 2582 SAFE_FREE(params); 2583 SAFE_FREE(data); 2581 2584 DEBUG(0,("reply_nttrans : Out of memory\n")); 2582 return (ERROR(ERRDOS,ERRnomem));2585 return ERROR(ERRDOS,ERRnomem); 2583 2586 } 2584 2587 2585 2588 /* Copy the param and data bytes sent with this request into … … 2588 2591 num_data_sofar = data_count; 2589 2592 2590 2593 if (parameter_count > total_parameter_count || data_count > total_data_count) 2591 exit_server("reply_nttrans: invalid sizes in packet.\n");2594 goto bad_param; 2592 2595 2593 2596 if(setup) { 2594 memcpy( setup, &inbuf[smb_nt_SetupStart], setup_count);2595 2597 DEBUG(10,("reply_nttrans: setup_count = %d\n", setup_count)); 2596 dump_data(10, setup, setup_count); 2598 if ((smb_nt_SetupStart + setup_count < smb_nt_SetupStart) || 2599 (smb_nt_SetupStart + setup_count < setup_count)) 2600 goto bad_param; 2601 if (smb_nt_SetupStart + setup_count > length) 2602 goto bad_param; 2603 2604 memcpy( setup, &inbuf[smb_nt_SetupStart], setup_count); 2597 2605 } 2598 2606 if(params) { 2599 memcpy( params, smb_base(inbuf) + parameter_offset, parameter_count);2600 2607 DEBUG(10,("reply_nttrans: parameter_count = %d\n", parameter_count)); 2601 dump_data(10, params, parameter_count); 2608 if ((parameter_offset + parameter_count < parameter_offset) || 2609 (parameter_offset + parameter_count < parameter_count)) 2610 goto bad_param; 2611 if (smb_base(inbuf) + parameter_offset + parameter_count > inbuf + length) 2612 goto bad_param; 2613 2614 memcpy( params, smb_base(inbuf) + parameter_offset, parameter_count); 2602 2615 } 2603 2616 if(data) { 2604 memcpy( data, smb_base(inbuf) + data_offset, data_count);2605 2617 DEBUG(10,("reply_nttrans: data_count = %d\n",data_count)); 2606 dump_data(10, data, data_count); 2618 if ((data_offset + data_count < data_offset) || (data_offset + data_count < data_count)) 2619 goto bad_param; 2620 if (smb_base(inbuf) + data_offset + data_count > inbuf + length) 2621 goto bad_param; 2622 2623 memcpy( data, smb_base(inbuf) + data_offset, data_count); 2624 2607 2625 } 2608 2626 2609 2627 if(num_data_sofar < total_data_count || num_params_sofar < total_parameter_count) { 2610 2628 /* We need to send an interim response then receive the rest 2611 2629 of the parameter/data bytes */ 2612 2630 outsize = set_message(outbuf,0,0,True); 2613 send_smb(Client,outbuf); 2631 if (!send_smb(Client,outbuf)) 2632 exit_server("reply_nttrans: send_smb failed."); 2614 2633 2615 2634 while( num_data_sofar < total_data_count || num_params_sofar < total_parameter_count) { 2616 2635 BOOL ret; 2617 2636 uint32 parameter_displacement; 2637 uint32 data_displacement; 2638 2618 2639 ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT); 2619 2640 2620 2641 if((ret && (CVAL(inbuf, smb_com) != SMBnttranss)) || !ret) { 2621 2622 2623 2624 2625 2626 2642 outsize = set_message(outbuf,0,0,True); 2643 if(ret) { 2644 DEBUG(0,("reply_nttrans: Invalid secondary nttrans packet\n")); 2645 } else { 2646 DEBUG(0,("reply_nttrans: %s in getting secondary nttrans response.\n", 2647 (smb_read_error == READ_ERROR) ? "error" : "timeout" )); 2627 2648 } 2628 if(params) 2629 free(params); 2630 if(data) 2631 free(data); 2632 if(setup) 2633 free(setup); 2634 return(ERROR(ERRSRV,ERRerror)); 2649 goto bad_param; 2635 2650 } 2636 2651 2637 2652 /* Revise total_params and total_data in case they have changed downwards */ 2638 total_parameter_count = IVAL(inbuf, smb_nts_TotalParameterCount); 2639 total_data_count = IVAL(inbuf, smb_nts_TotalDataCount); 2640 num_params_sofar += (parameter_count = IVAL(inbuf,smb_nts_ParameterCount)); 2641 num_data_sofar += ( data_count = IVAL(inbuf, smb_nts_DataCount)); 2642 if (num_params_sofar > total_parameter_count || num_data_sofar > total_data_count) 2643 exit_server("reply_nttrans2: data overflow in secondary nttrans packet\n"); 2644 2645 memcpy( ¶ms[ IVAL(inbuf, smb_nts_ParameterDisplacement)], 2646 smb_base(inbuf) + IVAL(inbuf, smb_nts_ParameterOffset), parameter_count); 2647 memcpy( &data[IVAL(inbuf, smb_nts_DataDisplacement)], 2648 smb_base(inbuf)+ IVAL(inbuf, smb_nts_DataOffset), data_count); 2653 if (IVAL(inbuf, smb_nts_TotalParameterCount) < total_parameter_count) 2654 total_parameter_count = IVAL(inbuf, smb_nts_TotalParameterCount); 2655 if (IVAL(inbuf, smb_nts_TotalDataCount) < total_data_count) 2656 total_data_count = IVAL(inbuf, smb_nts_TotalDataCount); 2657 2658 parameter_count = IVAL(inbuf,smb_nts_ParameterCount); 2659 parameter_offset = IVAL(inbuf, smb_nts_ParameterOffset); 2660 parameter_displacement = IVAL(inbuf, smb_nts_ParameterDisplacement); 2661 num_params_sofar += parameter_count; 2662 2663 data_count = IVAL(inbuf, smb_nts_DataCount); 2664 data_displacement = IVAL(inbuf, smb_nts_DataDisplacement); 2665 data_offset = IVAL(inbuf, smb_nts_DataOffset); 2666 num_data_sofar += data_count; 2667 2668 if (num_params_sofar > total_parameter_count || num_data_sofar > total_data_count) { 2669 DEBUG(0,("reply_nttrans2: data overflow in secondary nttrans packet")); 2670 goto bad_param; 2671 } 2672 2673 if (parameter_count) { 2674 if (parameter_displacement + parameter_count >= total_parameter_count) 2675 goto bad_param; 2676 if ((parameter_displacement + parameter_count < parameter_displacement) || 2677 (parameter_displacement + parameter_count < parameter_count)) 2678 goto bad_param; 2679 if (smb_base(inbuf) + parameter_offset + parameter_count >= inbuf + bufsize) 2680 goto bad_param; 2681 if (params + parameter_displacement < params) 2682 goto bad_param; 2683 2684 memcpy( ¶ms[parameter_displacement], smb_base(inbuf) + parameter_offset, parameter_count); 2685 } 2686 2687 if (data_count) { 2688 if (data_displacement + data_count >= total_data_count) 2689 goto bad_param; 2690 if ((data_displacement + data_count < data_displacement) || 2691 (data_displacement + data_count < data_count)) 2692 goto bad_param; 2693 if (smb_base(inbuf) + data_offset + data_count >= inbuf + bufsize) 2694 goto bad_param; 2695 if (data + data_displacement < data) 2696 goto bad_param; 2697 2698 memcpy( &data[data_displacement], smb_base(inbuf)+ data_offset, data_count); 2699 } 2649 2700 } 2650 2701 } 2651 2702 … … 2714 2765 return outsize; /* If a correct response was needed the call_nt_transact_xxxx 2715 2766 calls have already sent it. If outsize != -1 then it is 2716 2767 returning an error packet. */ 2768 bad_param: 2769 2770 SAFE_FREE(params); 2771 SAFE_FREE(data); 2772 SAFE_FREE(setup); 2773 return ERROR(ERRDOS,ERRinvalidparam); 2717 2774 } -
source/smbd/password.c
diff -ruN samba-2.0.10.orig/source/smbd/password.c samba-2.0.10/source/smbd/password.c
old new 770 770 if (!ok && lp_username(snum)) { 771 771 char *auser; 772 772 pstring user_list; 773 StrnCpy(user_list,lp_username(snum),sizeof(pstring) );773 StrnCpy(user_list,lp_username(snum),sizeof(pstring)-1); 774 774 775 775 pstring_sub(user_list,"%S",lp_servicename(snum)); 776 776 -
source/smbd/reply.c
diff -ruN samba-2.0.10.orig/source/smbd/reply.c samba-2.0.10/source/smbd/reply.c
old new 1413 1413 1414 1414 for (i=numentries;(i<maxentries) && !finished;i++) 1415 1415 { 1416 /* check to make sure we have room in the buffer */ 1417 if ( ((PTR_DIFF(p, outbuf))+DIR_STRUCT_SIZE) > BUFFER_SIZE ) 1418 break; 1416 1419 finished = 1417 1420 !get_dir_entry(conn,mask,dirtype,fname,&size,&mode,&date,check_descend); 1418 1421 if (!finished) … … 3122 3125 3123 3126 3124 3127 for (i=first;i<first+num_to_get;i++) { 3128 /* check to make sure we have room in the buffer */ 3129 if ( (PTR_DIFF(p, outbuf)+28) > BUFFER_SIZE ) 3130 break; 3125 3131 put_dos_date2(p,0,queue[i].time); 3126 3132 CVAL(p,4) = (queue[i].status==LPQ_PRINTING?2:3); 3127 3133 SSVAL(p,5,printjob_encode(SNUM(conn), -
source/smbd/trans2.c
diff -ruN samba-2.0.10.orig/source/smbd/trans2.c samba-2.0.10/source/smbd/trans2.c
old new 201 201 int16 open_ofun = SVAL(params,12); 202 202 int32 open_size = IVAL(params,14); 203 203 char *pname = ¶ms[28]; 204 int16 namelen = strlen(pname)+1;205 204 206 205 pstring fname; 207 206 mode_t unixmode; … … 213 212 BOOL bad_path = False; 214 213 files_struct *fsp; 215 214 216 StrnCpy(fname,pname,namelen);215 pstrcpy(fname,pname); 217 216 218 217 DEBUG(3,("trans2open %s mode=%d attr=%d ofun=%d size=%d\n", 219 218 fname,open_mode, open_attr, open_ofun, open_size)); … … 2185 2184 unsigned int suwcnt = SVAL(inbuf, smb_suwcnt); 2186 2185 unsigned int tran_call = SVAL(inbuf, smb_setup0); 2187 2186 char *params = NULL, *data = NULL; 2188 int num_params, num_params_sofar, num_data, num_data_sofar;2187 unsigned int num_params, num_params_sofar, num_data, num_data_sofar; 2189 2188 2190 2189 if(global_oplock_break && (tran_call == TRANSACT2_OPEN)) { 2191 2190 /* Queue this open message as we are the process of an … … 2203 2202 /* All trans2 messages we handle have smb_sucnt == 1 - ensure this 2204 2203 is so as a sanity check */ 2205 2204 if (suwcnt != 1) { 2206 DEBUG(2,("Invalid smb_sucnt in trans2 call\n")); 2207 return(ERROR(ERRSRV,ERRerror)); 2205 DEBUG(2,("Invalid smb_sucnt in trans2 call(%u)\n",suwcnt)); 2206 DEBUG(2,("Transaction is %d\n",tran_call)); 2207 ERROR(ERRDOS,ERRinvalidparam); 2208 2208 } 2209 2209 2210 2210 /* Allocate the space for the maximum needed parameters and data */ … … 2215 2215 2216 2216 if ((total_params && !params) || (total_data && !data)) { 2217 2217 DEBUG(2,("Out of memory in reply_trans2\n")); 2218 if(params) 2219 free(params); 2220 if(data) 2221 free(data); 2222 return(ERROR(ERRDOS,ERRnomem)); 2218 SAFE_FREE(params); 2219 SAFE_FREE(data); 2220 return ERROR(ERRDOS,ERRnomem); 2223 2221 } 2224 2222 2225 2223 /* Copy the param and data bytes sent with this request into … … 2230 2228 if (num_params > total_params || num_data > total_data) 2231 2229 exit_server("invalid params in reply_trans2"); 2232 2230 2233 if(params) 2234 memcpy( params, smb_base(inbuf) + SVAL(inbuf, smb_psoff), num_params); 2235 if(data) 2236 memcpy( data, smb_base(inbuf) + SVAL(inbuf, smb_dsoff), num_data); 2231 if(params) { 2232 unsigned int psoff = SVAL(inbuf, smb_psoff); 2233 if ((psoff + num_params < psoff) || (psoff + num_params < num_params)) 2234 goto bad_param; 2235 if (smb_base(inbuf) + psoff + num_params > inbuf + length) 2236 goto bad_param; 2237 memcpy( params, smb_base(inbuf) + psoff, num_params); 2238 } 2239 if(data) { 2240 unsigned int dsoff = SVAL(inbuf, smb_dsoff); 2241 if ((dsoff + num_data < dsoff) || (dsoff + num_data < num_data)) 2242 goto bad_param; 2243 if (smb_base(inbuf) + dsoff + num_data > inbuf + length) 2244 goto bad_param; 2245 memcpy( data, smb_base(inbuf) + dsoff, num_data); 2246 } 2237 2247 2238 2248 if(num_data_sofar < total_data || num_params_sofar < total_params) { 2239 2249 /* We need to send an interim response then receive the rest 2240 2250 of the parameter/data bytes */ 2241 2251 outsize = set_message(outbuf,0,0,True); 2242 send_smb(Client,outbuf); 2252 if (!send_smb(Client,outbuf)) 2253 exit_server("reply_trans2: send_smb failed."); 2243 2254 2244 2255 while (num_data_sofar < total_data || 2245 2256 num_params_sofar < total_params) { 2246 2257 BOOL ret; 2258 unsigned int param_disp; 2259 unsigned int param_off; 2260 unsigned int data_disp; 2261 unsigned int data_off; 2247 2262 2248 2263 ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT); 2249 2264 … … 2255 2270 else 2256 2271 DEBUG(0,("reply_trans2: %s in getting secondary trans2 response.\n", 2257 2272 (smb_read_error == READ_ERROR) ? "error" : "timeout" )); 2258 if(params) 2259 free(params); 2260 if(data) 2261 free(data); 2262 return(ERROR(ERRSRV,ERRerror)); 2273 goto bad_param; 2263 2274 } 2264 2275 2265 2276 /* Revise total_params and total_data in case 2266 2277 they have changed downwards */ 2267 total_params = SVAL(inbuf, smb_tpscnt); 2268 total_data = SVAL(inbuf, smb_tdscnt); 2269 num_params_sofar += (num_params = SVAL(inbuf,smb_spscnt)); 2270 num_data_sofar += ( num_data = SVAL(inbuf, smb_sdscnt)); 2278 if (SVAL(inbuf, smb_tpscnt) < total_params) 2279 total_params = SVAL(inbuf, smb_tpscnt); 2280 if (SVAL(inbuf, smb_tdscnt) < total_data) 2281 total_data = SVAL(inbuf, smb_tdscnt); 2282 2283 num_params = SVAL(inbuf,smb_spscnt); 2284 param_off = SVAL(inbuf, smb_spsoff); 2285 param_disp = SVAL(inbuf, smb_spsdisp); 2286 num_params_sofar += num_params; 2287 2288 num_data = SVAL(inbuf, smb_sdscnt); 2289 data_off = SVAL(inbuf, smb_sdsoff); 2290 data_disp = SVAL(inbuf, smb_sdsdisp); 2291 num_data_sofar += num_data; 2292 2271 2293 if (num_params_sofar > total_params || num_data_sofar > total_data) 2272 exit_server("data overflow in trans2");2294 goto bad_param; 2273 2295 2274 memcpy( ¶ms[ SVAL(inbuf, smb_spsdisp)], 2275 smb_base(inbuf) + SVAL(inbuf, smb_spsoff), num_params); 2276 memcpy( &data[SVAL(inbuf, smb_sdsdisp)], 2277 smb_base(inbuf)+ SVAL(inbuf, smb_sdsoff), num_data); 2296 if (num_params) { 2297 if (param_disp + num_params >= total_params) 2298 goto bad_param; 2299 if ((param_disp + num_params < param_disp) || 2300 (param_disp + num_params < num_params)) 2301 goto bad_param; 2302 if (smb_base(inbuf) + param_off + num_params >= inbuf + bufsize) 2303 goto bad_param; 2304 if (params + param_disp < params) 2305 goto bad_param; 2306 2307 memcpy( ¶ms[param_disp], smb_base(inbuf) + param_off, num_params); 2308 } 2309 if (num_data) { 2310 if (data_disp + num_data >= total_data) 2311 goto bad_param; 2312 if ((data_disp + num_data < data_disp) || 2313 (data_disp + num_data < num_data)) 2314 goto bad_param; 2315 if (smb_base(inbuf) + data_off + num_data >= inbuf + bufsize) 2316 goto bad_param; 2317 if (data + data_disp < data) 2318 goto bad_param; 2319 2320 memcpy( &data[data_disp], smb_base(inbuf) + data_off, num_data); 2321 } 2278 2322 } 2279 2323 } 2280 2324 … … 2367 2411 return outsize; /* If a correct response was needed the 2368 2412 call_trans2xxx calls have already sent 2369 2413 it. If outsize != -1 then it is returning */ 2414 2415 bad_param: 2416 2417 SAFE_FREE(params); 2418 SAFE_FREE(data); 2419 return (ERROR(ERRDOS,ERRinvalidparam)); 2370 2420 }
Note:
See TracBrowser
for help on using the repository browser.
