
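--- a/samba-3.0.5-orig/source/libsmb/nmblib.c
+++ b/samba-3.0.5-orig/source/libsmb/nmblib.c
@@ -475,6 +475,11 @@
 	dgram->datasize = length-offset;
 	memcpy(dgram->data,inbuf+offset,dgram->datasize);
 
+	/* Paranioa. Ensure the last 2 bytes in the dgram buffer are
+	   zero. This should be true anyway, just enforce it for paranioa sake. JRA. */
+	SMB_ASSERT(dgram->datasize <= (sizeof(dgram->data)-2));
+	memset(&dgram->data[sizeof(dgram->data)-2], '\0', 2);
+
 	return(True);
 }
 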
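Review bot: The new `SMB_ASSERT(dgram->datasize <= (sizeof(dgram->data)-2))` sits after the `memcpy` on the line above has already copied `datasize` bytes into `dgram->data`, so if that bound can ever be violated the copy has overrun before the assertion fires, and if it cannot, the assertion documents rather than enforces. Because `length` arrives off the wire, a graceful rejection ahead of the copy is the safer shape: `if (dgram->datasize > sizeof(dgram->data)-2) return(False);` placed before the `memcpy`, with the `memset` of the trailing two bytes kept as is. The enclosing function begins outside the hunk, so an earlier bound on `length` may already exist; the check still belongs before the copy rather than after it. The zeroed tail is also what the `skip_string()` callers in nmbd_processlogon.c rely on to stop inside the buffer, which is worth saying in the comment instead of "paranoia".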
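--- a/samba-3.0.5-orig/source/nmbd/nmbd_packets.c
+++ b/samba-3.0.5-orig/source/nmbd/nmbd_packets.c
@@ -1203,6 +1203,16 @@
 		return;
 	}
 
+	/* Ensure we have a large enough packet before looking inside. */
+	if (dgram->datasize < (smb_vwv12 - 2)) {
+		/* That's the offset minus the 4 byte length + 2 bytes of offset. */
+		DEBUG(0,("process_dgram: ignoring too short dgram packet (%u) sent to name %s from IP %s\n",
+			(unsigned int)dgram->datasize,
+			nmb_namestr(&dgram->dest_name),
+			inet_ntoa(p->ip) ));
+		return;
+	}
+
 	buf = &dgram->data[0];
 	buf -= 4; /* XXXX for the pseudo tcp length - someday I need to get rid of this */
 
@@ -1212,14 +1222,36 @@
 	len = SVAL(buf,smb_vwv11);
 	buf2 = smb_base(buf) + SVAL(buf,smb_vwv12);
 
-	if (len <= 0)
+	if (len <= 0 || len > dgram->datasize) {
+		DEBUG(0,("process_dgram: ignoring malformed1 (datasize = %d, len = %d) datagram \
+packet sent to name %s from IP %s\n",
+			dgram->datasize,
+			len,
+			nmb_namestr(&dgram->dest_name),
+			inet_ntoa(p->ip) ));
 		return;
+	}
 
-	if (buf2 + len > buf + sizeof(dgram->data)) {
-		DEBUG(2,("process_dgram: datagram from %s to %s IP %s for %s len=%d too long.\n",
-			nmb_namestr(&dgram->source_name),nmb_namestr(&dgram->dest_name),
-			inet_ntoa(p->ip), smb_buf(buf),len));
-		len = (buf + sizeof(dgram->data)) - buf;
+	if (buf2 < dgram->data || (buf2 >= dgram->data + dgram->datasize)) {
+		DEBUG(0,("process_dgram: ignoring malformed2 (datasize = %d, len=%d, off=%d) datagram \
+packet sent to name %s from IP %s\n",
+			dgram->datasize,
+			len,
+			PTR_DIFF(buf2, dgram->data),
+			nmb_namestr(&dgram->dest_name),
+			inet_ntoa(p->ip) ));
+		return;
+	}
+
+	if ((buf2 + len < dgram->data) || (buf2 + len > dgram->data + dgram->datasize)) {
+		DEBUG(0,("process_dgram: ignoring malformed3 (datasize = %d, len=%d, off=%d) datagram \
+packet sent to name %s from IP %s\n",
+			dgram->datasize,
+			len,
+			PTR_DIFF(buf2, dgram->data),
+			nmb_namestr(&dgram->dest_name),
+			inet_ntoa(p->ip) ));
+		return;
 	}
 
 	DEBUG(4,("process_dgram: datagram from %s to %s IP %s for %s of type %d len=%d\n",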
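Review bot: The three new `malformed1/2/3` messages pass `dgram->datasize` to `%d` with no cast, while the `too short` message added in the first hunk casts it to `(unsigned int)` and prints it with `%u`; the same patch should use one convention, since a specifier that does not match the field's type is undefined behaviour and `-Wformat` will flag it. `PTR_DIFF(buf2, dgram->data)` is also handed to `%d`; it presumably yields a pointer difference, so an explicit `(int)` cast (matching the `(unsigned int)` cast already used above) would keep the three DEBUG calls well-defined. Forming `buf2 + len` before testing it can produce a pointer outside `dgram->data`, which is technically undefined in C; comparing `PTR_DIFF(buf2, dgram->data) + len` against `dgram->datasize` as integers expresses the same bound without that. The offset and length checks themselves look correct and are ordered so `buf2` is validated before `buf2 + len` is used; process_dgram continues outside the hunk.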
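--- a/samba-3.0.5-orig/source/nmbd/nmbd_processlogon.c
+++ b/samba-3.0.5-orig/source/nmbd/nmbd_processlogon.c
@@ -102,8 +102,22 @@
 				char *machine = q;
 				char *user = skip_string(machine,1);
 
+				if (PTR_DIFF(user, buf) >= len) {
+					DEBUG(0,("process_logon_packet: bad packet\n"));
+					return;
+				}
 				getdc = skip_string(user,1);
+
+				if (PTR_DIFF(getdc, buf) >= len) {
+					DEBUG(0,("process_logon_packet: bad packet\n"));
+					return;
+				}
 				q = skip_string(getdc,1);
+
+				if (PTR_DIFF(q + 5, buf) > len) {
+					DEBUG(0,("process_logon_packet: bad packet\n"));
+					return;
+				}
 				token = SVAL(q,3);
 
 				fstrcpy(reply_name,my_name); 
@@ -151,7 +165,17 @@
 				}
 
 				getdc = skip_string(machine,1);
+
+				if (PTR_DIFF(getdc, buf) >= len) {
+					DEBUG(0,("process_logon_packet: bad packet\n"));
+					return;
+				}
 				q = skip_string(getdc,1);
+
+				if (PTR_DIFF(q, buf) >= len) {
+					DEBUG(0,("process_logon_packet: bad packet\n"));
+					return;
+				}
 				q = ALIGN2(q, buf);
 
 				/* At this point we can work out if this is a W9X or NT style
@@ -165,9 +189,19 @@
 				} else {
 					unicomp = q;
 
+					if (PTR_DIFF(q, buf) >= len) {
+						DEBUG(0,("process_logon_packet: bad packet\n"));
+						return;
+					}
+
 					/* A full length (NT style) request */
 					q = skip_unibuf(unicomp, PTR_DIFF(buf + len, unicomp));
 
+					if (PTR_DIFF(q, buf) >= len) {
+						DEBUG(0,("process_logon_packet: bad packet\n"));
+						return;
+					}
+
 					if (len - PTR_DIFF(q, buf) > 8) {
 						/* with NT5 clients we can sometimes
 							get additional data - a length specificed string
@@ -180,6 +214,12 @@
 						}
 						q += 16;
 					}
+
+					if (PTR_DIFF(q + 8, buf) > len) {
+						DEBUG(0,("process_logon_packet: bad packet\n"));
+						return;
+					}
+
 					ntversion = IVAL(q, 0);
 					lmnttoken = SVAL(q, 4);
 					lm20token = SVAL(q, 6);
@@ -240,10 +280,34 @@
 				fstring asccomp;
 
 				q += 2;
+
+				if (PTR_DIFF(q, buf) >= len) {
+					DEBUG(0,("process_logon_packet: bad packet\n"));
+					return;
+				}
+
 				unicomp = q;
 				uniuser = skip_unibuf(unicomp, PTR_DIFF(buf+len, unicomp));
+
+				if (PTR_DIFF(uniuser, buf) >= len) {
+					DEBUG(0,("process_logon_packet: bad packet\n"));
+					return;
+				}
+
 				getdc = skip_unibuf(uniuser,PTR_DIFF(buf+len, uniuser));
+
+				if (PTR_DIFF(getdc, buf) >= len) {
+					DEBUG(0,("process_logon_packet: bad packet\n"));
+					return;
+				}
+
 				q = skip_string(getdc,1);
+
+				if (PTR_DIFF(q + 8, buf) >= len) {
+					DEBUG(0,("process_logon_packet: bad packet\n"));
+					return;
+				}
+
 				q += 4; /* Account Control Bits - indicating username type */
 				domainsidsize = IVAL(q, 0);
 				q += 4;
@@ -270,6 +334,11 @@
 					q += 16;
 				}
 
+				if (PTR_DIFF(q + 8, buf) > len) {
+					DEBUG(0,("process_logon_packet: bad packet\n"));
+					return;
+				}
+
 				ntversion = IVAL(q, 0);
 				lmnttoken = SVAL(q, 4);
 				lm20token = SVAL(q, 6);
@@ -458,6 +527,11 @@
           
 				/* Header */
           
+				if (PTR_DIFF(q + 16, buf) >= len) {
+					DEBUG(0,("process_logon_packet: bad packet\n"));
+					return;
+				}
+
 				low_serial = IVAL(q, 0); q += 4;     /* Low serial number */
 
 				q += 4;                   /* Date/time */
@@ -467,14 +541,42 @@
 				/* Domain info */
           
 				q = skip_string(q, 1);    /* PDC name */
+
+				if (PTR_DIFF(q, buf) >= len) {
+					DEBUG(0,("process_logon_packet: bad packet\n"));
+					return;
+				}
+
 				q = skip_string(q, 1);    /* Domain name */
+
+				if (PTR_DIFF(q, buf) >= len) {
+					DEBUG(0,("process_logon_packet: bad packet\n"));
+					return;
+				}
+
 				q = skip_unibuf(q, PTR_DIFF(buf + len, q)); /* Unicode PDC name */
+
+				if (PTR_DIFF(q, buf) >= len) {
+					DEBUG(0,("process_logon_packet: bad packet\n"));
+					return;
+				}
+
 				q = skip_unibuf(q, PTR_DIFF(buf + len, q)); /* Unicode domain name */
           
 				/* Database info */
           
+				if (PTR_DIFF(q + 2, buf) >= len) {
+					DEBUG(0,("process_logon_packet: bad packet\n"));
+					return;
+				}
+
 				db_count = SVAL(q, 0); q += 2;
           
+				if (PTR_DIFF(q + (db_count*20), buf) >= len) {
+					DEBUG(0,("process_logon_packet: bad packet\n"));
+					return;
+				}
+
 				db_info = (struct sam_database_info *)
 						malloc(sizeof(struct sam_database_info) * db_count);
 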
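Review bot: Every new `PTR_DIFF(..., buf) >= len` test validates the pointer only after the preceding `skip_string()` has already scanned forward for a terminator, so the scan must stop inside `dgram->data` on its own; that is guaranteed only by the nmblib.c hunk zeroing the buffer's last two bytes, and the dependency should be recorded at the first such check, e.g. `/* skip_string() is unbounded: it stays inside the packet buffer only because parse_dgram() zero-terminates its tail. */` (the `skip_unibuf` calls are already bounded by `PTR_DIFF(buf + len, ...)`). The checks also mix `>` and `>=` for the same kind of "N bytes readable at q" test: `PTR_DIFF(q + 5, buf) > len` and `PTR_DIFF(q + 8, buf) > len` correctly allow a field that ends exactly at the packet end, whereas `PTR_DIFF(q + 8, buf) >= len` before `q += 4` in the fifth hunk, `PTR_DIFF(q + 16, buf) >= len`, `PTR_DIFF(q + 2, buf) >= len` and `PTR_DIFF(q + (db_count*20), buf) >= len` reject such a packet, which reads as one byte too strict rather than a deliberate choice. Picking `>` for fixed-size fields and `>=` only where a following string must still start inside the buffer would make the intent uniform. process_logon_packet starts and ends outside every hunk shown.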
