author | Stefan Metzmacher <metze@samba.org> | 2012-08-14 09:33:01 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2012-08-15 14:45:21 +0200 |
commit | 7a7e9b1c76f3967cc8cdae34e5d64759305e592a (patch) | |
tree | c19d989057e5e31c550c301c262e29e73815d18e | |
parent | 84f6b0f962a9106e0c108cdcd5eb5a1599cd8097 (diff) | |
libcli/smb: fix parsing of compounded messages within a SMB2_TRANSFORM pdu
One SMB2_TRANSFORM pdu wraps multiple SMB2 pdus.
We inject the SMB2_TRANSFORM header to each response which was wrapped
inside. This allows the next layer to verify if the SMB2 pdu was encrypted.
metze
-rw-r--r-- | libcli/smb/smbXcli_base.c | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 58232ba7ea..05a97268a4 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -2953,6 +2953,9 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
 int num_iov = 0;
 size_t taken = 0;
 uint8_t *first_hdr = buf;
+ size_t verified_buflen = 0;
+ uint8_t *tf = NULL;
+ size_t tf_len = 0;
 iov = talloc_array(mem_ctx, struct iovec, num_iov);
 if (iov == NULL) {
@@ -2960,8 +2963,6 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
 }
 while (taken < buflen) {
- uint8_t *tf = NULL;
- size_t tf_len = 0;
 size_t len = buflen - taken;
 uint8_t *hdr = first_hdr + taken;
 struct iovec *cur;
@@ -2970,6 +2971,13 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
 uint16_t body_size;
 struct iovec *iov_tmp;
+ if (verified_buflen > taken) {
+ len = verified_buflen - taken;
+ } else {
+ tf = NULL;
+ tf_len = 0;
+ }
+
 if (len < 4) {
 DEBUG(10, ("%d bytes left, expected at least %d\n", (int)len, 4));
@@ -3020,6 +3028,8 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
 TALLOC_FREE(iov);
 return status;
 }
+
+ verified_buflen = taken + len;
 }
 /*
@@ -3053,9 +3063,6 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
 if (next_command_ofs > full_size) {
 goto inval;
 }
- if (tf && next_command_ofs < len) {
- goto inval;
- }
 full_size = next_command_ofs;
 }
 if (body_size < 2) { |
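Review bot: The `if (verified_buflen > taken)` block added at the top of the loop body (hunk `@@ -2970,6 +2971,13 @@`) has no comment, although it now decides which PDUs are presented to the next layer as encrypted. Since `tf`, `tf_len` and `verified_buflen` were moved out of the loop, they persist across iterations, and the `else` branch is the only place where the previous transform header is dropped. I would add above the block: `/* Still inside the decrypted SMB2_TRANSFORM payload: keep tf and bound len to it. Otherwise forget the previous transform header. */`. The loop body starts before this hunk and continues after it.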
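Review bot: In hunk `@@ -3020,6 +3028,8 @@`, `verified_buflen = taken + len;` is only correct if `len` has already been narrowed to the message size from the transform header, and the hunk does not show that. If `len` were still the number of bytes left in the receive buffer, any data following the encrypted payload would be parsed as compounded PDUs and passed on with the `tf` header attached, so it would count as encrypted without having gone through the decrypt call. Please confirm which value `len` holds here and document it on this line, e.g. `/* len is the decrypted payload size, not the remaining buffer */`. If the surrounding code does not already guarantee the bound, a guard such as `if (verified_buflen > buflen) goto inval;` would make it explicit. The enclosing transform-handling block begins outside the hunk.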