author | Jeremy Allison <jra@samba.org> | 2010-09-26 02:59:32 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2010-09-26 03:01:03 -0700 |
commit | 03841f9e44950811907ea83e8caedac2a80bce06 (patch) | |
tree | 39d6d5112f636b8640d5af3622fefdd376058e15 /source3/libsmb/cliconnect.c | |
parent | 80f8419ef25baa7b2f6d78469084a2ee80296fa1 (diff) | |
download | samba-03841f9e44950811907ea83e8caedac2a80bce06.tar.gz samba-03841f9e44950811907ea83e8caedac2a80bce06.tar.bz2 samba-03841f9e44950811907ea83e8caedac2a80bce06.zip |
Fix bug #7698 - Assert causes smbd to panic on invalid NetBIOS session request.
Found by the CodeNomicon test suites at the SNIA plugfest.
http://www.codenomicon.com/
If an invalid NetBIOS session request is received the code in name_len() in libsmb/nmblib.c can hit an assert.
Re-write name_len() and name_extract() to use "buf/len" pairs and always limit reads.
Jeremy.
Diffstat (limited to 'source3/libsmb/cliconnect.c')
-rw-r--r-- | source3/libsmb/cliconnect.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index f76f17c1bd..1e11e158f7 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -2230,6 +2230,7 @@ bool cli_session_request(struct cli_state *cli, { char *p; int len = 4; + int namelen = 0; char *tmp; /* 445 doesn't have session request */ @@ -2248,8 +2249,11 @@ bool cli_session_request(struct cli_state *cli, } p = cli->outbuf+len; - memcpy(p, tmp, name_len(tmp)); - len += name_len(tmp); + namelen = name_len((unsigned char *)tmp, talloc_get_size(tmp)); + if (namelen > 0) { + memcpy(p, tmp, namelen); + len += namelen; + } TALLOC_FREE(tmp); /* and my name */ @@ -2261,8 +2265,11 @@ bool cli_session_request(struct cli_state *cli, } p = cli->outbuf+len; - memcpy(p, tmp, name_len(tmp)); - len += name_len(tmp); + namelen = name_len((unsigned char *)tmp, talloc_get_size(tmp)); + if (namelen > 0) { + memcpy(p, tmp, namelen); + len += namelen; + } TALLOC_FREE(tmp); /* send a session request (RFC 1002) */ |
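Review bot: in the second hunk (`@@ -2248,8 +2249,11 @@`), the failure case of the new bounds-limited `name_len()` is swallowed rather than reported: when it returns 0 or a negative value for the called name, the `if (namelen > 0)` guard simply skips the `memcpy`, leaves `len` unchanged, and `cli_session_request()` carries on to send a session request with no called name in it. That turns an encoding error into a malformed RFC 1002 packet on the wire instead of a visible failure; suggest `if (namelen <= 0) { TALLOC_FREE(tmp); return false; }` with a DEBUG line saying which name could not be encoded, so callers and logs see the problem. Also worth a comment at the call site that `talloc_get_size(tmp)` is the talloc allocation size of `tmp`, which is only a valid read limit because `tmp` was allocated to exactly the encoded name length.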
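Review bot: the third hunk (`@@ -2261,8 +2265,11 @@`) repeats the five-line `namelen = name_len(...); if (namelen > 0) { memcpy(...); len += namelen; }` block from the previous hunk verbatim for the calling name, so the bounds check and its error handling now have to be kept in sync in two places. Suggest factoring it into a small static helper that appends one encoded name at `cli->outbuf+len` and returns the new length (or -1 on failure). While doing so, note that neither copy checks that `len + namelen` still fits within `cli->outbuf` before the `memcpy`; that was already true of the old `memcpy(p, tmp, name_len(tmp))` lines, but the helper is the natural place to add that check alongside the new read-side limit.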