authorAndrew Tridgell <tridge@samba.org>2002-07-31 10:47:26 +0000
committerAndrew Tridgell <tridge@samba.org>2002-07-31 10:47:26 +0000
commitf5a85fe24759b076ffd39583b0db24aa92693100 (patch)
treea826f5b7d72d9a01657da7b379cd1d5ed3bf1ced
parent6be547fc6b1982a32aff0e2e58e6d1b4524e2598 (diff)
fixed the length checking for plaintext passwords (thanks to andrewb
for spotting this) (This used to be commit d4c905e5a0a67c8e01a4fcf78aa992a3b7beff02)
-rw-r--r--source3/smbd/sesssetup.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 9d05e3f98a..71ca7dda52 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -634,6 +634,10 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
return ERROR_DOS(ERRDOS,ERRbuftoosmall);
}
+ if (passlen1 > smb_buflen(inbuf)) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
if (doencrypt) {
lm_resp = data_blob(smb_buf(inbuf), passlen1);
} else {
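Review bot: The new bound check at the top of this hunk carries no comment saying why it is there, unlike the equivalent check in the second hunk; add `/* passlen1 is client-controlled: bound it by the remaining buffer before data_blob() reads from smb_buf(inbuf) */` above it. The rejection also returns `ERROR_NT(NT_STATUS_INVALID_PARAMETER)` while the buffer-size check two lines earlier returns `ERROR_DOS(ERRDOS,ERRbuftoosmall)`; if both describe a malformed request, one error convention should be used within this function. Note also that the later hunk compares passlen1 and passlen2 against smb_buflen(inbuf) individually while nt_resp is taken at p+passlen1 with length passlen2, so the combined length is not bounded by those two comparisons (that hunk continues past the visible text). reply_sesssetup_and_X starts and ends outside the hunk.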
@@ -694,14 +698,19 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
if ((doencrypt) && (passlen1 != 0) && (passlen1 != 24)) {
doencrypt = False;
}
+
+ /* check for nasty tricks */
+ if (passlen1 > smb_buflen(inbuf) || passlen2 > smb_buflen(inbuf)) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
if (doencrypt) {
lm_resp = data_blob(p, passlen1);
nt_resp = data_blob(p+passlen1, passlen2);
} else {
pstring pass;
- srvstr_pull_buf(inbuf, pass, smb_buf(inbuf),
- sizeof(pass), STR_TERMINATE);
+ srvstr_pull(inbuf, pass, smb_buf(inbuf),
+ sizeof(pass), passlen1, STR_TERMINATE);
plaintext_password = data_blob(pass, strlen(pass));
}