authorVolker Lendecke <vlendec@samba.org>2007-07-23 14:36:54 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:28:55 -0500
commit3a836c3ee44e9abc5b5028bf6286628981bf0f99 (patch)
tree8a67fdac56ce1d8b4f0c00859b2c5950117887df /source3/smbd
parent16d13dcc741a33aefe922d9f0b825fe91ee75e9e (diff)
r24006: Some more paranoia in reply_negprot
On some hosts smb_bufrem(req->inbuf, p) is evaluated as an unsigned int, and because p += strlen(p) + 2 stepped one byte beyond the buffer, the result became a very large positive value. Also take the chance to add one more consistency check. (This used to be commit 3673707f9f1a3ba29966ac7cf744e2b6462c8dde)
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/negprot.c14
1 files changed, 12 insertions, 2 deletions
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index 61be2e8f9a..7602490c2d 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -533,7 +533,7 @@ void reply_negprot(connection_struct *conn, struct smb_request *req)
return;
}
- p = smb_buf(req->inbuf)+1;
+ p = smb_buf(req->inbuf);
num_cliprotos = 0;
cliprotos = NULL;
@@ -541,6 +541,16 @@ void reply_negprot(connection_struct *conn, struct smb_request *req)
while (smb_bufrem(req->inbuf, p) > 0) {
char **tmp;
+ if (p[0] != 0x02) {
+ DEBUG(3, ("Invalid string specifier %x, expected "
+ "0x02\n", (int)p[0]));
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBnegprot);
+ return;
+ }
+
+ p += 1; /* Skip the "0x02" */
+
tmp = TALLOC_REALLOC_ARRAY(tmp_talloc_ctx(), cliprotos, char *,
num_cliprotos+1);
if (tmp == NULL) {
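Review bot: The `p[0] != 0x02` check is safe because the loop condition guarantees at least one byte remains, but after `p += 1` the body goes on to call `strlen(p)` (visible in the third hunk) with no bound against `smb_bufrem(req->inbuf, p)`, so a dialect string that is not NUL-terminated inside the buffer would still be scanned past its end unless the receive path guarantees a trailing NUL, which nothing in this hunk shows. A bounded scan such as `size_t rem = smb_bufrem(req->inbuf, p); size_t len = strnlen(p, rem); if (len == rem) { reply_nterror(req, NT_STATUS_INVALID_PARAMETER); END_PROFILE(SMBnegprot); return; }` placed before the string is consumed would make the function independent of that guarantee. Separately, `(int)p[0]` in the DEBUG call sign-extends bytes above 0x7f where char is signed, so the logged value reads more clearly as `(int)(unsigned char)p[0]`. reply_negprot begins and ends outside this hunk.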
@@ -566,7 +576,7 @@ void reply_negprot(connection_struct *conn, struct smb_request *req)
cliprotos[num_cliprotos]));
num_cliprotos += 1;
- p += strlen(p) + 2;
+ p += strlen(p) + 1;
}
for (i=0; i<num_cliprotos; i++) {