author | Andrew Bartlett <abartlet@samba.org> | 2002-07-31 11:57:56 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2002-07-31 11:57:56 +0000 |
commit | 2307a6f50469b08054fad714ede98ca86fe30dcf (patch) | |
tree | 62c151549365c745248e6c069b71cbc1e42c62fc | |
parent | f5a85fe24759b076ffd39583b0db24aa92693100 (diff) | |
Rework paranoia to ensure we never get passwords longer than MAX_PASS_LEN, nor
longer than the buffer they claim to be in.
Many thanks to tridge for explaining the macros.
Andrew Bartlett
(This used to be commit 3efd462bf2f1ed50c108c2b8ddecc461d002745d)
-rw-r--r-- | source3/smbd/sesssetup.c | 29 |
1 files changed, 11 insertions, 18 deletions
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 71ca7dda52..deab1015f5 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -630,14 +630,10 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
 if (Protocol < PROTOCOL_NT1) {
 uint16 passlen1 = SVAL(inbuf,smb_vwv7);
- if (passlen1 > MAX_PASS_LEN) {
- return ERROR_DOS(ERRDOS,ERRbuftoosmall);
- }
-
- if (passlen1 > smb_buflen(inbuf)) {
+ if ((passlen1 > MAX_PASS_LEN) || (passlen1 > smb_bufrem(inbuf, smb_buf(inbuf)))) {
 return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
 }
-
+
 if (doencrypt) {
 lm_resp = data_blob(smb_buf(inbuf), passlen1);
 } else {
@@ -669,13 +665,6 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
 }
 }
- if (passlen1 > MAX_PASS_LEN) {
- return ERROR_DOS(ERRDOS,ERRbuftoosmall);
- }
-
- passlen1 = MIN(passlen1, MAX_PASS_LEN);
- passlen2 = MIN(passlen2, MAX_PASS_LEN);
-
 if (!doencrypt) {
 /* both Win95 and WinNT stuff up the password lengths for non-encrypting systems. Uggh.
@@ -693,17 +682,21 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
 passlen2 = 0;
 }
+ /* check for nasty tricks */
+ if (passlen1 > MAX_PASS_LEN || passlen1 > smb_bufrem(inbuf, p)) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ if (passlen2 > MAX_PASS_LEN || passlen2 > smb_bufrem(inbuf, p+passlen1)) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
 /* Save the lanman2 password and the NT md4 password. */
 if ((doencrypt) && (passlen1 != 0) && (passlen1 != 24)) {
 doencrypt = False;
 }
- /* check for nasty tricks */
- if (passlen1 > smb_buflen(inbuf) || passlen2 > smb_buflen(inbuf)) {
- return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
- }
-
 if (doencrypt) {
 lm_resp = data_blob(p, passlen1);
 nt_resp = data_blob(p+passlen1, passlen2);
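Review bot: The second check in the third hunk evaluates `smb_bufrem(inbuf, p+passlen1)`, which only stays inside the SMB buffer because the passlen1 check immediately above has already returned on an oversized length; that ordering dependency is silent and deserves a comment such as `/* passlen1 is already bounded, so p+passlen1 is still inside inbuf */`. The `if (!doencrypt)` block that precedes the new checks adjusts passlen1/passlen2 before either bound is enforced; its body lies outside the hunk, so whether it reads through `p` before validation cannot be confirmed here and is worth checking. Since both rejections return the same status, they could be folded into one condition in the style of the first hunk, `if (passlen1 > MAX_PASS_LEN || passlen1 > smb_bufrem(inbuf, p) || passlen2 > MAX_PASS_LEN || passlen2 > smb_bufrem(inbuf, p+passlen1))`, with short-circuit evaluation preserving the passlen1-first order. The first hunk also changes the rejection from `ERROR_DOS(ERRDOS,ERRbuftoosmall)` to `ERROR_NT(NT_STATUS_INVALID_PARAMETER)`, a client-visible change the description does not mention. reply_sesssetup_and_X starts and ends outside these hunks.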