authorAndrew Bartlett <abartlet@samba.org>2002-07-20 10:07:47 +0000
committerAndrew Bartlett <abartlet@samba.org>2002-07-20 10:07:47 +0000
commit17fc19fe31c949a3cf6a95460eb6b4be5a147743 (patch)
tree9133f3731fb2f2a82765cc8e9cb4478e913ba8f6 /source3/smbd
parentbadbae319a860c5590abeb7a947bacb47647c599 (diff)
Update the smbd reply code a little:
I don't like the idea of multiple negprots - because I see potential problems with people being able to manipulate internal samba variables. This applies in particular to remote names, so don't allow multiple session requests either. Also remove a pstrcpy() from the tcon code, we really don't need it. Andrew Bartlett (This used to be commit 2afa291404cfd8dae11120e5e470c38ba067c4b2)
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/negprot.c9
-rw-r--r--source3/smbd/reply.c21
2 files changed, 25 insertions, 5 deletions
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index 81c2427a00..abe44aac8c 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -412,8 +412,17 @@ int reply_negprot(connection_struct *conn,
char *p;
int bcc = SVAL(smb_buf(inbuf),-2);
int arch = ARCH_ALL;
+
+ static BOOL done_negprot = False;
+
START_PROFILE(SMBnegprot);
+ if (done_negprot) {
+ END_PROFILE(SMBnegprot);
+ exit_server("multiple negprot's are not permitted");
+ }
+ done_negprot = True;
+
p = smb_buf(inbuf)+1;
while (p < (smb_buf(inbuf) + bcc)) {
Index++;
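Review bot: The new `done_negprot` guard has no comment explaining why a function-local static is enough to track per-connection state. It presumably relies on smbd serving one client per process, which is not visible in this hunk. A comment above the declaration would record that assumption, for example `/* one client per smbd process: a second negprot could re-drive negotiated protocol state, so refuse it */`. The flag is set before the dialect loop runs, so a client whose first negprot selects no protocol is also cut off on retry; if that is intended, say so in the same comment. reply_negprot begins before and continues past this hunk.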
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 8f666910a5..813b9f39f8 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -57,6 +57,8 @@ int reply_special(char *inbuf,char *outbuf)
int len;
char name_type = 0;
+ static BOOL already_got_session = False;
+
*name1 = *name2 = 0;
memset(outbuf,'\0',smb_size);
@@ -65,6 +67,11 @@ int reply_special(char *inbuf,char *outbuf)
switch (msg_type) {
case 0x81: /* session request */
+
+ if (already_got_session) {
+ exit_server("multiple session request not permitted");
+ }
+
SCVAL(outbuf,0,0x82);
SCVAL(outbuf,3,0);
if (name_len(inbuf+4) > 50 ||
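Review bot: `already_got_session` is checked at the top of `case 0x81` but only set in the later hunk, on the line after `claim_connection(NULL,"",MAXSTATUS,True);`, whereas negprot.c sets `done_negprot` immediately after its check. The code between the check and the assignment is outside these hunks. If any path there leaves the case after the local or remote machine name has been stored, the guard would not fire on the next session request. Either confirm that no such path exists, or set the flag at the point where the names are first written. A short comment on the `static BOOL already_got_session` declaration in the first reply.c hunk, stating that it protects the remote-name variables from being rewritten by the client, would also help.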
@@ -115,6 +122,7 @@ int reply_special(char *inbuf,char *outbuf)
claim_connection(NULL,"",MAXSTATUS,True);
+ already_got_session = True;
break;
case 0x89: /* session keepalive request
@@ -148,7 +156,8 @@ int reply_special(char *inbuf,char *outbuf)
int reply_tcon(connection_struct *conn,
char *inbuf,char *outbuf, int dum_size, int dum_buffsize)
{
- pstring service;
+ char *service;
+ pstring service_buf;
pstring password;
pstring dev;
int outsize = 0;
@@ -160,17 +169,19 @@ int reply_tcon(connection_struct *conn,
START_PROFILE(SMBtcon);
- *service = *password = *dev = 0;
+ *service_buf = *password = *dev = 0;
p = smb_buf(inbuf)+1;
- p += srvstr_pull_buf(inbuf, service, p, sizeof(service), STR_TERMINATE) + 1;
+ p += srvstr_pull_buf(inbuf, service_buf, p, sizeof(service), STR_TERMINATE) + 1;
pwlen = srvstr_pull_buf(inbuf, password, p, sizeof(password), STR_TERMINATE) + 1;
p += pwlen;
p += srvstr_pull_buf(inbuf, dev, p, sizeof(dev), STR_TERMINATE) + 1;
- p = strrchr_m(service,'\\');
+ p = strrchr_m(service_buf,'\\');
if (p) {
- pstrcpy(service, p+1);
+ service = p+1;
+ } else {
+ service = service_buf;
}
password_blob = data_blob(password, pwlen+1);
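Review bot: `sizeof(service)` in the first `srvstr_pull_buf` call now measures a `char *`, because the previous hunk changed `service` from a `pstring` to a pointer and added `service_buf` as the real buffer. The destination length passed is therefore the pointer size (4 or 8 bytes) rather than the size of `service_buf`. The line should read `p += srvstr_pull_buf(inbuf, service_buf, p, sizeof(service_buf), STR_TERMINATE) + 1;`. As written, the share name from the request is presumably truncated to a few bytes before the `strrchr_m` lookup. If the helper's return value depends on the destination length, `p` may also be left inside the service string when the password and device fields are parsed. reply_tcon continues past this hunk, so how the truncated `service` is used afterwards is not visible here.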