author | Andrew Tridgell <tridge@samba.org> | 2008-05-28 16:58:34 +1000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2008-05-28 16:58:34 +1000 |
commit | 0be9746e1fc47aff93c1d77d256f4fb7942529d6 (patch) | |
tree | 1945ef3e4fafd3d07afc1aa617ec8d3ed5488e0e | |
parent | 082272e49d3cb8022a43fff5bfbcdf79adb5a44f (diff) | |
ensure we don't change the incoming blobs in a SMB2 create
(This used to be commit a6cc89fffe8c149b540f2125cea57f31331d5460)
-rw-r--r-- | source4/libcli/smb2/create.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/source4/libcli/smb2/create.c b/source4/libcli/smb2/create.c
index b976b528f1..bff0a1587d 100644
--- a/source4/libcli/smb2/create.c
+++ b/source4/libcli/smb2/create.c
@@ -59,6 +59,7 @@ NTSTATUS smb2_create_blob_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB buffer,
 next > remaining ||
 name_offset < 16 ||
 name_offset > remaining ||
+ name_length != 4 || /* windows enforces this */
 name_offset + name_length > remaining ||
 data_offset < name_offset + name_length ||
 data_offset > remaining ||
@@ -190,7 +191,10 @@ struct smb2_request *smb2_create_send(struct smb2_tree *tree, struct smb2_create
 struct smb2_request *req;
 NTSTATUS status;
 DATA_BLOB blob;
- struct smb2_create_blobs blobs = io->in.blobs;
+ struct smb2_create_blobs blobs;
+ int i;
+
+ ZERO_STRUCT(blobs);
 req = smb2_request_init_tree(tree, SMB2_OP_CREATE, 0x38, true, 0);
 if (req == NULL) return NULL;
@@ -309,6 +313,17 @@ struct smb2_request *smb2_create_send(struct smb2_tree *tree, struct smb2_create
 }
 /* and any custom blobs */
+ for (i=0;i<io->in.blobs.num_blobs;i++) {
+ status = smb2_create_blob_add(req, &blobs,
+ io->in.blobs.blobs[i].tag,
+ io->in.blobs.blobs[i].data);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(req);
+ return NULL;
+ }
+ }
+
+
 status = smb2_create_blob_push(req, &blob, blobs);
 if (!NT_STATUS_IS_OK(status)) {
 talloc_free(req); |
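Review bot: The added `name_length != 4` test in smb2_create_blob_parse hard-codes the tag length, with only `/* windows enforces this */` as justification, and the commit message does not mention it at all. This parser presumably handles a buffer received from the peer, so the rule will reject any create context whose name is not exactly four bytes. It would help to say where the rule comes from and that the rejection is deliberate, e.g. `/* create context names are 4-byte tags; Windows rejects any other length, so do we */`. The condition is part of an `if` that opens above the hunk and the types of name_offset and name_length are not visible, so whether `name_offset + name_length` can wrap before the comparison cannot be confirmed from here.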
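Review bot: The new counter `int i;` in smb2_create_send is signed, but the loop added in the third hunk compares it against `io->in.blobs.num_blobs`, which looks like an unsigned count (its declaration is outside the diff). If it is, the comparison mixes signedness, and the index should match the field's type, e.g. `uint32_t i;`. The rest of the function body lies outside this hunk.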
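Review bot: The copy loop under `/* and any custom blobs */` has no comment saying why the caller's list is re-added entry by entry, which is the whole point of the change. Something like `/* copy into a local list so smb2_create_blob_add() never grows or rewrites the caller's io->in.blobs */` would keep a later cleanup from restoring the struct assignment. The loop also appends caller-supplied tags without comparing them against the contexts that appear to be built earlier in the function (outside the hunk), so a duplicate tag would presumably be sent twice; it is worth stating whether that is allowed. The two consecutive blank lines added before `smb2_create_blob_push` can be reduced to one.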