summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2002-07-31 11:57:56 +0000
committerAndrew Bartlett <abartlet@samba.org>2002-07-31 11:57:56 +0000
commit2307a6f50469b08054fad714ede98ca86fe30dcf (patch)
tree62c151549365c745248e6c069b71cbc1e42c62fc
parentf5a85fe24759b076ffd39583b0db24aa92693100 (diff)
downloadsamba-2307a6f50469b08054fad714ede98ca86fe30dcf.tar.gz
samba-2307a6f50469b08054fad714ede98ca86fe30dcf.tar.bz2
samba-2307a6f50469b08054fad714ede98ca86fe30dcf.zip
Rework parinioa to ensure we never get passwords longer than MAX_PASS_LEN, nor
longer than the buffer they claim to be in. Many thanks to tridge for explaining the macros. Andrew Bartlett (This used to be commit 3efd462bf2f1ed50c108c2b8ddecc461d002745d)
-rw-r--r--source3/smbd/sesssetup.c29
1 files changed, 11 insertions, 18 deletions
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 71ca7dda52..deab1015f5 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -630,14 +630,10 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
if (Protocol < PROTOCOL_NT1) {
uint16 passlen1 = SVAL(inbuf,smb_vwv7);
- if (passlen1 > MAX_PASS_LEN) {
- return ERROR_DOS(ERRDOS,ERRbuftoosmall);
- }
-
- if (passlen1 > smb_buflen(inbuf)) {
+ if ((passlen1 > MAX_PASS_LEN) || (passlen1 > smb_bufrem(inbuf, smb_buf(inbuf)))) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
-
+
if (doencrypt) {
lm_resp = data_blob(smb_buf(inbuf), passlen1);
} else {
@@ -669,13 +665,6 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
}
}
- if (passlen1 > MAX_PASS_LEN) {
- return ERROR_DOS(ERRDOS,ERRbuftoosmall);
- }
-
- passlen1 = MIN(passlen1, MAX_PASS_LEN);
- passlen2 = MIN(passlen2, MAX_PASS_LEN);
-
if (!doencrypt) {
/* both Win95 and WinNT stuff up the password lengths for
non-encrypting systems. Uggh.
@@ -693,17 +682,21 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
passlen2 = 0;
}
+ /* check for nasty tricks */
+ if (passlen1 > MAX_PASS_LEN || passlen1 > smb_bufrem(inbuf, p)) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ if (passlen2 > MAX_PASS_LEN || passlen2 > smb_bufrem(inbuf, p+passlen1)) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
/* Save the lanman2 password and the NT md4 password. */
if ((doencrypt) && (passlen1 != 0) && (passlen1 != 24)) {
doencrypt = False;
}
- /* check for nasty tricks */
- if (passlen1 > smb_buflen(inbuf) || passlen2 > smb_buflen(inbuf)) {
- return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
- }
-
if (doencrypt) {
lm_resp = data_blob(p, passlen1);
nt_resp = data_blob(p+passlen1, passlen2);