summaryrefslogtreecommitdiff
path: root/source4/winbind
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2011-07-26 10:51:31 +1000
committerAndrew Bartlett <abartlet@samba.org>2011-09-08 15:09:54 +0200
commit5196d265f75560703824c6eebbd9cc25936b5d3a (patch)
tree9594bc69df9c94feae4b5953d10eb21d531d30d1 /source4/winbind
parent5e1e33114c3aa62221ac1bf82eaaf2b3a2ac1efa (diff)
downloadsamba-5196d265f75560703824c6eebbd9cc25936b5d3a.tar.gz
samba-5196d265f75560703824c6eebbd9cc25936b5d3a.tar.bz2
samba-5196d265f75560703824c6eebbd9cc25936b5d3a.zip
s4-winbindd: fixed handling of extra_data in s3 requests
extra_data in s3 winbind requests is appended to the end of the request, but does not change the length header of the packet. Instead you need to get it from the extra_len element of the request structure. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/winbind')
-rw-r--r--source4/winbind/wb_samba3_protocol.c38
1 files changed, 37 insertions, 1 deletions
diff --git a/source4/winbind/wb_samba3_protocol.c b/source4/winbind/wb_samba3_protocol.c
index f0f803dac5..6c89f34063 100644
--- a/source4/winbind/wb_samba3_protocol.c
+++ b/source4/winbind/wb_samba3_protocol.c
@@ -32,6 +32,8 @@
NTSTATUS wbsrv_samba3_packet_full_request(void *private_data, DATA_BLOB blob, size_t *size)
{
uint32_t *len;
+ struct winbindd_request *req;
+
if (blob.length < 4) {
return STATUS_MORE_ENTRIES;
}
@@ -40,13 +42,28 @@ NTSTATUS wbsrv_samba3_packet_full_request(void *private_data, DATA_BLOB blob, si
if (*size > blob.length) {
return STATUS_MORE_ENTRIES;
}
+ if (*size < sizeof(req)) {
+ /* its not a valid winbind packet. We need to accept
+ it here, and wbsrv_samba3_pull_request() will throw
+ it away */
+ return NT_STATUS_OK;
+ }
+
+ /* now we need to cope with possible extra_data, which is
+ stuck on the end with no length prefix! This is a very very
+ stupid protocol */
+ req = (struct winbindd_request *)blob.data;
+ *size = (*len) + req->extra_len;
+ if (*size > blob.length) {
+ return STATUS_MORE_ENTRIES;
+ }
return NT_STATUS_OK;
}
NTSTATUS wbsrv_samba3_pull_request(struct wbsrv_samba3_call *call)
{
- if (call->in.length != sizeof(*call->request)) {
+ if (call->in.length < sizeof(*call->request)) {
DEBUG(0,("wbsrv_samba3_pull_request: invalid blob length %lu should be %lu\n"
" make sure you use the correct winbind client tools!\n",
(long)call->in.length, (long)sizeof(*call->request)));
@@ -59,6 +76,25 @@ NTSTATUS wbsrv_samba3_pull_request(struct wbsrv_samba3_call *call)
/* the packet layout is the same as the in memory layout of the request, so just copy it */
memcpy(call->request, call->in.data, sizeof(*call->request));
+ if (call->in.length != sizeof(*call->request) + call->request->extra_len) {
+ DEBUG(0,(__location__ " : invalid extra_len %u should be %u\n",
+ call->request->extra_len, (unsigned)(call->in.length - sizeof(*call->request))));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /* there may be extra data */
+ if (call->request->extra_len != 0) {
+ call->request->extra_data.data = talloc_size(call->request, call->request->extra_len+1);
+ NT_STATUS_HAVE_NO_MEMORY(call->request->extra_data.data);
+ /* guarantee a nul termination, as many of the uses of
+ this field is for strings */
+ memcpy(call->request->extra_data.data, call->in.data + sizeof(*call->request),
+ call->request->extra_len);
+ call->request->extra_data.data[call->request->extra_len] = 0;
+ } else {
+ call->request->extra_data.data = NULL;
+ }
+
return NT_STATUS_OK;
}