-rw-r--r-- | source3/include/safe_string.h | 2 | ||||
-rw-r--r-- | source3/nmbd/nmbd_packets.c | 15 |
2 files changed, 12 insertions, 5 deletions
diff --git a/source3/include/safe_string.h b/source3/include/safe_string.h
index 3bd38ea74e..65ec05a5c6 100644
--- a/source3/include/safe_string.h
+++ b/source3/include/safe_string.h
@@ -110,6 +110,8 @@ size_t __unsafe_string_function_usage_here_char__(void);
 #define pstrcpy_base(dest, src, pstring_base) \
 safe_strcpy(dest, src, sizeof(pstring)-PTR_DIFF(dest,pstring_base)-1)
+#define safe_strcpy_base(dest, src, base, size) \
+ safe_strcpy(dest, src, size-PTR_DIFF(dest,base)-1)
 
 /* String copy functions - macro hell below adds 'type checking' (limited,
 but the best we can do in C) and may tag with function name/number to
 record the last 'clobber region' on
diff --git a/source3/nmbd/nmbd_packets.c b/source3/nmbd/nmbd_packets.c
index d83cd10d0c..6c3446d6c8 100644
--- a/source3/nmbd/nmbd_packets.c
+++ b/source3/nmbd/nmbd_packets.c
@@ -1929,7 +1929,7 @@ BOOL listen_for_packets(BOOL run_election)
 /****************************************************************************
 Construct and send a netbios DGRAM.
 **************************************************************************/
-BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf,int len,
+BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf, size_t len,
 const char *srcname, int src_type,
 const char *dstname, int dest_type,
 struct in_addr dest_ip,struct in_addr src_ip,
@@ -1979,11 +1979,16 @@ BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf,int len,
 SSVAL(ptr,smb_vwv15,1);
 SSVAL(ptr,smb_vwv16,2);
 p2 = smb_buf(ptr);
- pstrcpy(p2,mailslot);
+ safe_strcpy_base(p2, mailslot, dgram->data, sizeof(dgram->data));
 p2 = skip_string(p2,1);
-
- memcpy(p2,buf,len);
- p2 += len;
+
+ if (((p2+len) > dgram->data+sizeof(dgram->data)) || ((p2+len) < p2)) {
+ DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n"));
+ return False;
+ } else {
+ memcpy(p2,buf,len);
+ p2 += len;
+ }
 
 dgram->datasize = PTR_DIFF(p2,ptr+4); /* +4 for tcp length. */
 
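Review bot: The new `safe_strcpy_base` macro does not parenthesize its `base` and `size` arguments, so a caller passing a compound expression for `size` (anything with lower precedence than `-`) would be mis-expanded; the neighbouring `pstrcpy_base` gets away with this only because `sizeof(pstring)` is atomic. I would write the expansion as `safe_strcpy(dest, src, (size)-PTR_DIFF((dest),(base))-1)`. Separately, if `dest` is ever at or past `base+size`, `size-PTR_DIFF(...)-1` goes negative, and if safe_strcpy takes its length as an unsigned type (not visible here, so unconfirmed) that would become a huge bound rather than zero — a comment stating the precondition `base <= dest < base+size` on the macro would make that contract explicit.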
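Review bot: Changing `len` from `int` to `size_t` in the `send_mailslot` definition means an existing caller that still passes a negative `int` now silently converts to a very large unsigned value instead of being rejected at the call boundary; the later overflow check in this function is what catches it, and only indirectly. The diff shows no matching change to a separate declaration of `send_mailslot`, so if one exists in a prototype header it must be kept in sync (it may be generated rather than committed — I cannot tell from here). A one-line comment on the signature, such as `/* len: number of bytes in buf; must fit within dgram->data after the mailslot name */`, would document the new contract. The parameter list continues past the end of the hunk.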
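Review bot: The new bounds check builds the pointer `p2+len` before comparing it, so when `len` is too large it first forms a pointer past the end of `dgram->data`, which is undefined behaviour in C and exactly what the second `(p2+len) < p2` clause is trying to paper over; a compiler is entitled to fold that wrap test away. Comparing the requested length against the remaining space avoids both problems in one line: `if (len > (size_t)(dgram->data + sizeof(dgram->data) - p2)) {`. This assumes `p2` still points inside `dgram->data` after `skip_string(p2,1)`; since the mailslot name was copied with a bounded, terminating copy that looks right, but if skip_string can return NULL or a pointer beyond the buffer (not visible here) that case needs its own check before the subtraction. The `else` after `return False;` is redundant and could be dropped to keep the happy path unindented. The body of send_mailslot starts and ends outside this hunk.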