summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2007-11-29 13:24:14 -0800
committerJeremy Allison <jra@samba.org>2007-11-29 13:24:14 -0800
commit42c87fe6e6036a56b178183b034275321949050d (patch)
tree91d3b77fce22a538a0d6ee2d5c8f2c5f4045807e
parentce2844f30de231b8d1c45393f4af73ebe53680ed (diff)
downloadsamba-42c87fe6e6036a56b178183b034275321949050d.tar.gz
samba-42c87fe6e6036a56b178183b034275321949050d.tar.bz2
samba-42c87fe6e6036a56b178183b034275321949050d.zip
Remove pstrings. Ensure we validate offsets.
Jeremy. (This used to be commit ff06cc34e66a18ba71dd54f6c78b05a45b9f2d85)
-rw-r--r--source3/libsmb/clilist.c196
1 files changed, 132 insertions, 64 deletions
diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c
index fd0c380409..64cb3e8fe3 100644
--- a/source3/libsmb/clilist.c
+++ b/source3/libsmb/clilist.c
@@ -1,18 +1,18 @@
-/*
+/*
Unix SMB/CIFS implementation.
client directory list routines
Copyright (C) Andrew Tridgell 1994-1998
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@@ -22,18 +22,41 @@
extern file_info def_finfo;
/****************************************************************************
+ Calculate a safe next_entry_offset.
+****************************************************************************/
+
+static size_t calc_next_entry_offset(const char *base, const char *pdata_end)
+{
+ size_t next_entry_offset = (size_t)IVAL(base,0);
+
+ if (next_entry_offset == 0 ||
+ base + next_entry_offset < base ||
+ base + next_entry_offset > pdata_end) {
+ next_entry_offset = pdata_end - base;
+ }
+ return next_entry_offset;
+}
+
+/****************************************************************************
Interpret a long filename structure - this is mostly guesses at the moment.
The length of the structure is returned
The structure of a long filename depends on the info level. 260 is used
by NT and 2 is used by OS/2
****************************************************************************/
-static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,file_info *finfo,
- uint32 *p_resume_key, DATA_BLOB *p_last_name_raw, uint32 *p_last_name_raw_len)
+static size_t interpret_long_filename(struct cli_state *cli,
+ int level,
+ const char *p,
+ const char *pdata_end,
+ file_info *finfo,
+ uint32 *p_resume_key,
+ DATA_BLOB *p_last_name_raw)
{
file_info finfo2;
int len;
- char *base = p;
+ const char *base = p;
+
+ data_blob_free(p_last_name_raw);
if (!finfo) {
finfo = &finfo2;
@@ -49,6 +72,9 @@ static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,f
case 1: /* OS/2 understands this */
/* these dates are converted to GMT by
make_unix_date */
+ if (pdata_end - base < 27) {
+ return pdata_end - base;
+ }
finfo->ctime_ts = convert_time_t_to_timespec(cli_make_unix_date2(cli, p+4));
finfo->atime_ts = convert_time_t_to_timespec(cli_make_unix_date2(cli, p+8));
finfo->mtime_ts = convert_time_t_to_timespec(cli_make_unix_date2(cli, p+12));
@@ -57,19 +83,25 @@ static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,f
len = CVAL(p, 26);
p += 27;
p += clistr_align_in(cli, p, 0);
+ if (p + len + 2 > pdata_end) {
+ return pdata_end - base;
+ }
/* the len+2 below looks strange but it is
important to cope with the differences
between win2000 and win9x for this call
(tridge) */
p += clistr_pull(cli, finfo->name, p,
sizeof(finfo->name),
- len+2,
+ len+2,
STR_TERMINATE);
return PTR_DIFF(p, base);
case 2: /* this is what OS/2 uses mostly */
/* these dates are converted to GMT by
make_unix_date */
+ if (pdata_end - base < 31) {
+ return pdata_end - base;
+ }
finfo->ctime_ts = convert_time_t_to_timespec(cli_make_unix_date2(cli, p+4));
finfo->atime_ts = convert_time_t_to_timespec(cli_make_unix_date2(cli, p+8));
finfo->mtime_ts = convert_time_t_to_timespec(cli_make_unix_date2(cli, p+12));
@@ -78,22 +110,30 @@ static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,f
len = CVAL(p, 30);
p += 31;
/* check for unisys! */
+ if (p + len + 1 > pdata_end) {
+ return pdata_end - base;
+ }
p += clistr_pull(cli, finfo->name, p,
sizeof(finfo->name),
- len,
+ len,
STR_NOALIGN);
return PTR_DIFF(p, base) + 1;
-
+
case 260: /* NT uses this, but also accepts 2 */
{
size_t namelen, slen;
+
+ if (pdata_end - base < 94) {
+ return pdata_end - base;
+ }
+
p += 4; /* next entry offset */
if (p_resume_key) {
*p_resume_key = IVAL(p,0);
}
p += 4; /* fileindex */
-
+
/* Offset zero is "create time", not "change time". */
p += 8;
finfo->atime_ts = interpret_long_date(p);
@@ -111,7 +151,11 @@ static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,f
p += 4;
p += 4; /* EA size */
slen = SVAL(p, 0);
- p += 2;
+ if (slen > 24) {
+ /* Bad short name length. */
+ return pdata_end - base;
+ }
+ p += 2;
{
/* stupid NT bugs. grr */
int flags = 0;
@@ -120,7 +164,10 @@ static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,f
sizeof(finfo->short_name),
slen, flags);
}
- p += 24; /* short name? */
+ p += 24; /* short name? */
+ if (p + namelen < p || p + namelen > pdata_end) {
+ return pdata_end - base;
+ }
clistr_pull(cli, finfo->name, p,
sizeof(finfo->name),
namelen, 0);
@@ -130,29 +177,24 @@ static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,f
Namelen doesn't include the terminating unicode null, so
copy it here. */
- if (p_last_name_raw && p_last_name_raw_len) {
- if (namelen + 2 > p_last_name_raw->length) {
- memset(p_last_name_raw->data, '\0', sizeof(p_last_name_raw->length));
- *p_last_name_raw_len = 0;
- } else {
- memcpy(p_last_name_raw->data, p, namelen);
- SSVAL(p_last_name_raw->data, namelen, 0);
- *p_last_name_raw_len = namelen + 2;
- }
+ if (p_last_name_raw) {
+ *p_last_name_raw = data_blob(NULL, namelen+2);
+ memcpy(p_last_name_raw->data, p, namelen);
+ SSVAL(p_last_name_raw->data, namelen, 0);
}
- return (size_t)IVAL(base, 0);
+ return calc_next_entry_offset(base, pdata_end);
}
}
-
+
DEBUG(1,("Unknown long filename format %d\n",level));
- return (size_t)IVAL(base,0);
+ return calc_next_entry_offset(base, pdata_end);
}
/****************************************************************************
Do a directory listing, calling fn on each file found.
****************************************************************************/
-int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
+int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
void (*fn)(const char *, file_info *, const char *, void *), void *state)
{
#if 1
@@ -161,8 +203,8 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
int max_matches = 512;
#endif
int info_level;
- char *p, *p2;
- pstring mask;
+ char *p, *p2, *rdata_end;
+ char *mask = NULL;
file_info finfo;
int i;
char *dirlist = NULL;
@@ -174,19 +216,21 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
int ff_dir_handle=0;
int loop_count = 0;
char *rparam=NULL, *rdata=NULL;
- unsigned int param_len, data_len;
+ unsigned int param_len, data_len;
uint16 setup;
- pstring param;
+ char param[1024];
const char *mnt;
uint32 resume_key = 0;
- uint32 last_name_raw_len = 0;
- DATA_BLOB last_name_raw = data_blob(NULL, 2*sizeof(pstring));
+ DATA_BLOB last_name_raw = data_blob(NULL, 0);
/* NT uses 260, OS/2 uses 2. Both accept 1. */
info_level = (cli->capabilities&CAP_NT_SMBS)?260:1;
-
- pstrcpy(mask,Mask);
-
+
+ mask = SMB_STRDUP(Mask);
+ if (!mask) {
+ return -1;
+ }
+
while (ff_eos == 0) {
loop_count++;
if (loop_count > 200) {
@@ -199,16 +243,16 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
SSVAL(param,0,attribute); /* attribute */
SSVAL(param,2,max_matches); /* max count */
SSVAL(param,4,(FLAG_TRANS2_FIND_REQUIRE_RESUME|FLAG_TRANS2_FIND_CLOSE_IF_END)); /* resume required + close on end */
- SSVAL(param,6,info_level);
+ SSVAL(param,6,info_level);
SIVAL(param,8,0);
p = param+12;
- p += clistr_push(cli, param+12, mask, sizeof(param)-12,
+ p += clistr_push(cli, param+12, mask, sizeof(param)-12,
STR_TERMINATE);
} else {
setup = TRANSACT2_FINDNEXT;
SSVAL(param,0,ff_dir_handle);
SSVAL(param,2,max_matches); /* max count */
- SSVAL(param,4,info_level);
+ SSVAL(param,4,info_level);
/* For W2K servers serving out FAT filesystems we *must* set the
resume key. If it's not FAT then it's returned as zero. */
SIVAL(param,6,resume_key); /* ff_resume_key */
@@ -216,9 +260,9 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
can miss filenames. Use last filename continue instead. JRA */
SSVAL(param,10,(FLAG_TRANS2_FIND_REQUIRE_RESUME|FLAG_TRANS2_FIND_CLOSE_IF_END)); /* resume required + close on end */
p = param+12;
- if (last_name_raw_len && (last_name_raw_len < (sizeof(param)-12))) {
- memcpy(p, last_name_raw.data, last_name_raw_len);
- p += last_name_raw_len;
+ if (last_name_raw.length && (last_name_raw.length < (sizeof(param)-12))) {
+ memcpy(p, last_name_raw.data, last_name_raw.length);
+ p += last_name_raw.length;
} else {
p += clistr_push(cli, param+12, mask, sizeof(param)-12, STR_TERMINATE);
}
@@ -226,12 +270,12 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
param_len = PTR_DIFF(p, param);
- if (!cli_send_trans(cli, SMBtrans2,
+ if (!cli_send_trans(cli, SMBtrans2,
NULL, /* Name */
-1, 0, /* fid, flags */
&setup, 1, 0, /* setup, length, max */
param, param_len, 10, /* param, length, max */
- NULL, 0,
+ NULL, 0,
#if 0
/* w2k value. */
MIN(16384,cli->max_xmit) /* data, length, max. */
@@ -242,7 +286,7 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
break;
}
- if (!cli_receive_trans(cli, SMBtrans2,
+ if (!cli_receive_trans(cli, SMBtrans2,
&rparam, &param_len,
&rdata, &data_len) &&
cli_is_dos_error(cli)) {
@@ -289,15 +333,21 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
/* point to the data bytes */
p = rdata;
+ rdata_end = rdata + data_len;
/* we might need the lastname for continuations */
- for (p2=p,i=0;i<ff_searchcount;i++) {
+ for (p2=p,i=0;i<ff_searchcount && p2 < rdata_end;i++) {
if ((info_level == 260) && (i == ff_searchcount-1)) {
/* Last entry - fixup the last offset length. */
SIVAL(p2,0,PTR_DIFF((rdata + data_len),p2));
}
- p2 += interpret_long_filename(cli,info_level,p2,&finfo,
- &resume_key,&last_name_raw,&last_name_raw_len);
+ p2 += interpret_long_filename(cli,
+ info_level,
+ p2,
+ rdata_end,
+ &finfo,
+ &resume_key,
+ &last_name_raw);
if (!First && *mask && strcsequal(finfo.name, mask)) {
DEBUG(0,("Error: Looping in FIND_NEXT as name %s has already been seen?\n",
@@ -307,10 +357,16 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
}
}
+ SAFE_FREE(mask);
if (ff_searchcount > 0) {
- pstrcpy(mask, finfo.name);
+ mask = SMB_STRDUP(finfo.name);
} else {
- pstrcpy(mask,"");
+ mask = SMB_STRDUP("");
+ }
+ if (!mask) {
+ SAFE_FREE(rdata);
+ SAFE_FREE(rparam);
+ break;
}
/* grab the data for later use */
@@ -348,9 +404,15 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
total_received = -1;
} else {
/* no connection problem. let user function add each entry */
+ rdata_end = dirlist + dirlist_len;
for (p=dirlist,i=0;i<total_received;i++) {
- p += interpret_long_filename(cli, info_level, p,
- &finfo,NULL,NULL,NULL);
+ p += interpret_long_filename(cli,
+ info_level,
+ p,
+ rdata_end,
+ &finfo,
+ NULL,
+ NULL);
fn( mnt,&finfo, Mask, state );
}
}
@@ -358,6 +420,7 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
/* free up the dirlist buffer and last name raw blob */
SAFE_FREE(dirlist);
data_blob_free(&last_name_raw);
+ SAFE_FREE(mask);
return(total_received);
}
@@ -373,7 +436,7 @@ static int interpret_short_filename(struct cli_state *cli, char *p,file_info *fi
finfo->cli = cli;
finfo->mode = CVAL(p,21);
-
+
/* this date is converted to GMT by make_unix_date */
finfo->ctime_ts.tv_sec = cli_make_unix_date(cli, p+22);
finfo->ctime_ts.tv_nsec = 0;
@@ -396,7 +459,7 @@ static int interpret_short_filename(struct cli_state *cli, char *p,file_info *fi
but should otherwise not be used.
****************************************************************************/
-int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute,
+int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute,
void (*fn)(const char *, file_info *, const char *, void *), void *state)
{
char *p;
@@ -407,12 +470,15 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute,
int num_received = 0;
int i;
char *dirlist = NULL;
- pstring mask;
-
+ char *mask = NULL;
+
ZERO_ARRAY(status);
- pstrcpy(mask,Mask);
-
+ mask = SMB_STRDUP(Mask);
+ if (!mask) {
+ return -1;
+ }
+
while (1) {
memset(cli->outbuf,'\0',smb_size);
memset(cli->inbuf,'\0',smb_size);
@@ -426,10 +492,10 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute,
SSVAL(cli->outbuf,smb_vwv0,num_asked);
SSVAL(cli->outbuf,smb_vwv1,attribute);
-
+
p = smb_buf(cli->outbuf);
*p++ = 4;
-
+
p += clistr_push(cli, p, first?mask:"", -1, STR_TERMINATE);
*p++ = 5;
if (first) {
@@ -455,6 +521,7 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute,
dirlist,(num_received + received)*DIR_STRUCT_SIZE);
if (!dirlist) {
DEBUG(0,("cli_list_old: failed to expand dirlist"));
+ SAFE_FREE(mask);
return 0;
}
@@ -462,11 +529,11 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute,
memcpy(dirlist+num_received*DIR_STRUCT_SIZE,
p,received*DIR_STRUCT_SIZE);
-
+
memcpy(status,p + ((received-1)*DIR_STRUCT_SIZE),21);
-
+
num_received += received;
-
+
if (cli_is_error(cli)) break;
}
@@ -491,7 +558,7 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute,
p += 2;
memcpy(p,status,21);
p += 21;
-
+
cli_setup_bcc(cli, p);
cli_send_smb(cli);
if (!cli_receive_smb(cli)) {
@@ -505,6 +572,7 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute,
fn("\\", &finfo, Mask, state);
}
+ SAFE_FREE(mask);
SAFE_FREE(dirlist);
return(num_received);
}
@@ -514,7 +582,7 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute,
This auto-switches between old and new style.
****************************************************************************/
-int cli_list(struct cli_state *cli,const char *Mask,uint16 attribute,
+int cli_list(struct cli_state *cli,const char *Mask,uint16 attribute,
void (*fn)(const char *, file_info *, const char *, void *), void *state)
{
if (cli->protocol <= PROTOCOL_LANMAN1)