summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/include/safe_string.h2
-rw-r--r--source3/nmbd/nmbd_packets.c15
2 files changed, 12 insertions, 5 deletions
diff --git a/source3/include/safe_string.h b/source3/include/safe_string.h
index 3bd38ea74e..65ec05a5c6 100644
--- a/source3/include/safe_string.h
+++ b/source3/include/safe_string.h
@@ -110,6 +110,8 @@ size_t __unsafe_string_function_usage_here_char__(void);
#define pstrcpy_base(dest, src, pstring_base) \
safe_strcpy(dest, src, sizeof(pstring)-PTR_DIFF(dest,pstring_base)-1)
+#define safe_strcpy_base(dest, src, base, size) \
+ safe_strcpy(dest, src, size-PTR_DIFF(dest,base)-1)
/* String copy functions - macro hell below adds 'type checking' (limited, but the best we can
do in C) and may tag with function name/number to record the last 'clobber region' on
diff --git a/source3/nmbd/nmbd_packets.c b/source3/nmbd/nmbd_packets.c
index d83cd10d0c..6c3446d6c8 100644
--- a/source3/nmbd/nmbd_packets.c
+++ b/source3/nmbd/nmbd_packets.c
@@ -1929,7 +1929,7 @@ BOOL listen_for_packets(BOOL run_election)
/****************************************************************************
Construct and send a netbios DGRAM.
**************************************************************************/
-BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf,int len,
+BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf, size_t len,
const char *srcname, int src_type,
const char *dstname, int dest_type,
struct in_addr dest_ip,struct in_addr src_ip,
@@ -1979,11 +1979,16 @@ BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf,int len,
SSVAL(ptr,smb_vwv15,1);
SSVAL(ptr,smb_vwv16,2);
p2 = smb_buf(ptr);
- pstrcpy(p2,mailslot);
+ safe_strcpy_base(p2, mailslot, dgram->data, sizeof(dgram->data));
p2 = skip_string(p2,1);
-
- memcpy(p2,buf,len);
- p2 += len;
+
+ if (((p2+len) > dgram->data+sizeof(dgram->data)) || ((p2+len) < p2)) {
+ DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n"));
+ return False;
+ } else {
+ memcpy(p2,buf,len);
+ p2 += len;
+ }
dgram->datasize = PTR_DIFF(p2,ptr+4); /* +4 for tcp length. */