diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2002-07-20 10:07:47 +0000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2002-07-20 10:07:47 +0000 |
| commit | 17fc19fe31c949a3cf6a95460eb6b4be5a147743 (patch) | |
| tree | 9133f3731fb2f2a82765cc8e9cb4478e913ba8f6 /source3/smbd | |
| parent | badbae319a860c5590abeb7a947bacb47647c599 (diff) | |
| download | samba-17fc19fe31c949a3cf6a95460eb6b4be5a147743.tar.gz samba-17fc19fe31c949a3cf6a95460eb6b4be5a147743.tar.bz2 samba-17fc19fe31c949a3cf6a95460eb6b4be5a147743.zip | |
Update the smbd reply code a little:
I don't like the idea of muliple netprots - becouse I see potential problems
with people being able to maniplate internal samba variables.
This applies in particular to remote names, so don't allow muliple session
requests either.
Also remove a pstrcpy() from the tcon code, we really don't need it.
Andrew Bartlett
(This used to be commit 2afa291404cfd8dae11120e5e470c38ba067c4b2)
Diffstat (limited to 'source3/smbd')
| -rw-r--r-- | source3/smbd/negprot.c | 9 | ||||
| -rw-r--r-- | source3/smbd/reply.c | 21 |
2 files changed, 25 insertions, 5 deletions
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c index 81c2427a00..abe44aac8c 100644 --- a/source3/smbd/negprot.c +++ b/source3/smbd/negprot.c @@ -412,8 +412,17 @@ int reply_negprot(connection_struct *conn, char *p; int bcc = SVAL(smb_buf(inbuf),-2); int arch = ARCH_ALL; + + static BOOL done_negprot = False; + START_PROFILE(SMBnegprot); + if (done_negprot) { + END_PROFILE(SMBnegprot); + exit_server("multiple negprot's are not permitted"); + } + done_negprot = True; + p = smb_buf(inbuf)+1; while (p < (smb_buf(inbuf) + bcc)) { Index++; diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 8f666910a5..813b9f39f8 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -57,6 +57,8 @@ int reply_special(char *inbuf,char *outbuf) int len; char name_type = 0; + static BOOL already_got_session = False; + *name1 = *name2 = 0; memset(outbuf,'\0',smb_size); @@ -65,6 +67,11 @@ int reply_special(char *inbuf,char *outbuf) switch (msg_type) { case 0x81: /* session request */ + + if (already_got_session) { + exit_server("multiple session request not permitted"); + } + SCVAL(outbuf,0,0x82); SCVAL(outbuf,3,0); if (name_len(inbuf+4) > 50 || @@ -115,6 +122,7 @@ int reply_special(char *inbuf,char *outbuf) claim_connection(NULL,"",MAXSTATUS,True); + already_got_session = True; break; case 0x89: /* session keepalive request @@ -148,7 +156,8 @@ int reply_special(char *inbuf,char *outbuf) int reply_tcon(connection_struct *conn, char *inbuf,char *outbuf, int dum_size, int dum_buffsize) { - pstring service; + char *service; + pstring service_buf; pstring password; pstring dev; int outsize = 0; @@ -160,17 +169,19 @@ int reply_tcon(connection_struct *conn, START_PROFILE(SMBtcon); - *service = *password = *dev = 0; + *service_buf = *password = *dev = 0; p = smb_buf(inbuf)+1; - p += srvstr_pull_buf(inbuf, service, p, sizeof(service), STR_TERMINATE) + 1; + p += srvstr_pull_buf(inbuf, service_buf, p, sizeof(service), STR_TERMINATE) + 1; pwlen = srvstr_pull_buf(inbuf, password, p, sizeof(password), STR_TERMINATE) + 1; p += pwlen; p += srvstr_pull_buf(inbuf, dev, p, sizeof(dev), STR_TERMINATE) + 1; - p = strrchr_m(service,'\\'); + p = strrchr_m(service_buf,'\\'); if (p) { - pstrcpy(service, p+1); + service = p+1; + } else { + service = service_buf; } password_blob = data_blob(password, pwlen+1); |