summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/libcli/smb2/getinfo.c3
-rw-r--r--source4/libcli/smb2/negprot.c3
-rw-r--r--source4/libcli/smb2/read.c6
-rw-r--r--source4/libcli/smb2/request.c59
-rw-r--r--source4/libcli/smb2/session.c5
-rw-r--r--source4/libcli/smb2/tcon.c2
-rw-r--r--source4/libcli/smb2/write.c7
7 files changed, 39 insertions, 46 deletions
diff --git a/source4/libcli/smb2/getinfo.c b/source4/libcli/smb2/getinfo.c
index ffc2a92daf..9ad2b77310 100644
--- a/source4/libcli/smb2/getinfo.c
+++ b/source4/libcli/smb2/getinfo.c
@@ -69,11 +69,10 @@ NTSTATUS smb2_getinfo_recv(struct smb2_request *req, TALLOC_CTX *mem_ctx,
SMB2_CHECK_BUFFER_CODE(req, 0x09);
- status = smb2_pull_ofs_blob(req, req->in.body+0x02, &io->out.blob);
+ status = smb2_pull_ofs_blob(&req->in, mem_ctx, req->in.body+0x02, &io->out.blob);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- talloc_steal(mem_ctx, io->out.blob.data);
return smb2_request_destroy(req);
}
diff --git a/source4/libcli/smb2/negprot.c b/source4/libcli/smb2/negprot.c
index 758b06fcae..0dc8c8ca14 100644
--- a/source4/libcli/smb2/negprot.c
+++ b/source4/libcli/smb2/negprot.c
@@ -77,8 +77,7 @@ NTSTATUS smb2_negprot_recv(struct smb2_request *req, TALLOC_CTX *mem_ctx,
io->out.unknown8 = SVAL(req->in.body, 0x38);
blobsize = SVAL(req->in.body, 0x3A);
io->out.unknown9 = IVAL(req->in.body, 0x3C);
- io->out.secblob = smb2_pull_blob(req, req->in.body+0x40, blobsize);
- talloc_steal(mem_ctx, io->out.secblob.data);
+ io->out.secblob = smb2_pull_blob(&req->in, mem_ctx, req->in.body+0x40, blobsize);
return smb2_request_destroy(req);
}
diff --git a/source4/libcli/smb2/read.c b/source4/libcli/smb2/read.c
index 0d63a6ba0a..720d0bdbe0 100644
--- a/source4/libcli/smb2/read.c
+++ b/source4/libcli/smb2/read.c
@@ -73,11 +73,7 @@ NTSTATUS smb2_read_recv(struct smb2_request *req,
nread = IVAL(req->in.body, 0x04);
memcpy(io->out.unknown, req->in.body+0x08, 8);
- if (smb2_oob_in(req, req->in.hdr+ofs, nread)) {
- return NT_STATUS_BUFFER_TOO_SMALL;
- }
-
- io->out.data = data_blob_talloc(mem_ctx, req->in.hdr+ofs, nread);
+ io->out.data = smb2_pull_blob(&req->in, mem_ctx, req->in.hdr+ofs, nread);
if (io->out.data.data == NULL) {
return NT_STATUS_NO_MEMORY;
}
diff --git a/source4/libcli/smb2/request.c b/source4/libcli/smb2/request.c
index 4e40b1884a..457b7a4531 100644
--- a/source4/libcli/smb2/request.c
+++ b/source4/libcli/smb2/request.c
@@ -150,60 +150,57 @@ BOOL smb2_request_is_error(struct smb2_request *req)
/*
check if a range in the reply body is out of bounds
*/
-BOOL smb2_oob_in(struct smb2_request *req, const uint8_t *ptr, uint_t size)
+BOOL smb2_oob(struct smb2_request_buffer *buf, const uint8_t *ptr, uint_t size)
{
/* be careful with wraparound! */
- if (ptr < req->in.body ||
- ptr >= req->in.body + req->in.body_size ||
- size > req->in.body_size ||
- ptr + size > req->in.body + req->in.body_size) {
+ if (ptr < buf->body ||
+ ptr >= buf->body + buf->body_size ||
+ size > buf->body_size ||
+ ptr + size > buf->body + buf->body_size) {
return True;
}
return False;
}
/*
- check if a range in the outgoing body is out of bounds
+ pull a data blob from the body of a reply
*/
-BOOL smb2_oob_out(struct smb2_request *req, const uint8_t *ptr, uint_t size)
+DATA_BLOB smb2_pull_blob(struct smb2_request_buffer *buf, TALLOC_CTX *mem_ctx, uint8_t *ptr, uint_t size)
{
- /* be careful with wraparound! */
- if (ptr < req->out.body ||
- ptr >= req->out.body + req->out.body_size ||
- size > req->out.body_size ||
- ptr + size > req->out.body + req->out.body_size) {
- return True;
+ if (smb2_oob(buf, ptr, size)) {
+ return data_blob(NULL, 0);
}
- return False;
+ return data_blob_talloc(mem_ctx, ptr, size);
}
/*
- pull a data blob from the body of a reply
+ push a data blob from the body of a reply
*/
-DATA_BLOB smb2_pull_blob(struct smb2_request *req, uint8_t *ptr, uint_t size)
+NTSTATUS smb2_push_blob(struct smb2_request_buffer *buf, uint8_t *ptr, DATA_BLOB blob)
{
- if (smb2_oob_in(req, ptr, size)) {
- return data_blob(NULL, 0);
+ if (smb2_oob(buf, ptr, blob.length)) {
+ return NT_STATUS_BUFFER_TOO_SMALL;
}
- return data_blob_talloc(req, ptr, size);
+ memcpy(ptr, blob.data, blob.length);
+ return NT_STATUS_OK;
}
/*
pull a ofs/length/blob triple from a data blob
the ptr points to the start of the offset/length pair
*/
-NTSTATUS smb2_pull_ofs_blob(struct smb2_request *req, uint8_t *ptr, DATA_BLOB *blob)
+NTSTATUS smb2_pull_ofs_blob(struct smb2_request_buffer *buf, TALLOC_CTX *mem_ctx, uint8_t *ptr, DATA_BLOB *blob)
{
uint16_t ofs, size;
- if (smb2_oob_in(req, ptr, 4)) {
+ if (smb2_oob(buf, ptr, 4)) {
return NT_STATUS_BUFFER_TOO_SMALL;
}
ofs = SVAL(ptr, 0);
size = SVAL(ptr, 2);
- if (smb2_oob_in(req, req->in.hdr + ofs, size)) {
+ if (smb2_oob(buf, buf->hdr + ofs, size)) {
return NT_STATUS_BUFFER_TOO_SMALL;
}
- *blob = data_blob_talloc(req, req->in.hdr+ofs, size);
+ *blob = data_blob_talloc(mem_ctx, buf->hdr + ofs, size);
NT_STATUS_HAVE_NO_MEMORY(blob->data);
return NT_STATUS_OK;
}
@@ -215,12 +212,12 @@ NTSTATUS smb2_pull_ofs_blob(struct smb2_request *req, uint8_t *ptr, DATA_BLOB *b
NOTE: assumes blob goes immediately after the offset/length pair. Needs
to be generalised
*/
-NTSTATUS smb2_push_ofs_blob(struct smb2_request *req, uint8_t *ptr, DATA_BLOB blob)
+NTSTATUS smb2_push_ofs_blob(struct smb2_request_buffer *buf, uint8_t *ptr, DATA_BLOB blob)
{
- if (smb2_oob_out(req, ptr, 4+blob.length)) {
+ if (smb2_oob(buf, ptr, 4+blob.length)) {
return NT_STATUS_BUFFER_TOO_SMALL;
}
- SSVAL(ptr, 0, 4 + (ptr - req->out.hdr));
+ SSVAL(ptr, 0, 4 + (ptr - buf->hdr));
SSVAL(ptr, 2, blob.length);
memcpy(ptr+4, blob.data, blob.length);
return NT_STATUS_OK;
@@ -229,16 +226,16 @@ NTSTATUS smb2_push_ofs_blob(struct smb2_request *req, uint8_t *ptr, DATA_BLOB bl
/*
pull a string in a ofs/length/blob format
*/
-NTSTATUS smb2_pull_ofs_string(struct smb2_request *req, uint8_t *ptr,
- const char **str)
+NTSTATUS smb2_pull_ofs_string(struct smb2_request_buffer *buf, TALLOC_CTX *mem_ctx,
+ uint8_t *ptr, const char **str)
{
DATA_BLOB blob;
NTSTATUS status;
ssize_t size;
void *vstr;
- status = smb2_pull_ofs_blob(req, ptr, &blob);
+ status = smb2_pull_ofs_blob(buf, mem_ctx, ptr, &blob);
NT_STATUS_NOT_OK_RETURN(status);
- size = convert_string_talloc(req, CH_UTF16, CH_UNIX,
+ size = convert_string_talloc(mem_ctx, CH_UTF16, CH_UNIX,
blob.data, blob.length, &vstr);
data_blob_free(&blob);
(*str) = vstr;
@@ -263,7 +260,6 @@ NTSTATUS smb2_string_blob(TALLOC_CTX *mem_ctx, const char *str, DATA_BLOB *blob)
return NT_STATUS_OK;
}
-
/*
put a file handle into a buffer
*/
@@ -272,4 +268,3 @@ void smb2_put_handle(uint8_t *data, struct smb2_handle *h)
SBVAL(data, 0, h->data[0]);
SBVAL(data, 8, h->data[1]);
}
-
diff --git a/source4/libcli/smb2/session.c b/source4/libcli/smb2/session.c
index 257e754660..cb2797b9ad 100644
--- a/source4/libcli/smb2/session.c
+++ b/source4/libcli/smb2/session.c
@@ -77,7 +77,7 @@ struct smb2_request *smb2_session_setup_send(struct smb2_session *session,
req->session = session;
- status = smb2_push_ofs_blob(req, req->out.body+0x0C, io->in.secblob);
+ status = smb2_push_ofs_blob(&req->out, req->out.body+0x0C, io->in.secblob);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(req);
return NULL;
@@ -112,12 +112,11 @@ NTSTATUS smb2_session_setup_recv(struct smb2_request *req, TALLOC_CTX *mem_ctx,
io->out._pad = SVAL(req->in.body, 0x02);
io->out.uid = BVAL(req->in.hdr, SMB2_HDR_UID);
- status = smb2_pull_ofs_blob(req, req->in.body+0x04, &io->out.secblob);
+ status = smb2_pull_ofs_blob(&req->in, mem_ctx, req->in.body+0x04, &io->out.secblob);
if (!NT_STATUS_IS_OK(status)) {
smb2_request_destroy(req);
return status;
}
- talloc_steal(mem_ctx, io->out.secblob.data);
return smb2_request_destroy(req);
}
diff --git a/source4/libcli/smb2/tcon.c b/source4/libcli/smb2/tcon.c
index f68987acf7..5e53e11634 100644
--- a/source4/libcli/smb2/tcon.c
+++ b/source4/libcli/smb2/tcon.c
@@ -66,7 +66,7 @@ struct smb2_request *smb2_tree_connect_send(struct smb2_tree *tree,
SBVAL(req->out.hdr, SMB2_HDR_UID, tree->session->uid);
SIVAL(req->out.body, 0x00, io->in.unknown1);
- status = smb2_push_ofs_blob(req, req->out.body+0x04, path);
+ status = smb2_push_ofs_blob(&req->out, req->out.body+0x04, path);
data_blob_free(&path);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(req);
diff --git a/source4/libcli/smb2/write.c b/source4/libcli/smb2/write.c
index e458a540e8..a8e644f2d1 100644
--- a/source4/libcli/smb2/write.c
+++ b/source4/libcli/smb2/write.c
@@ -30,6 +30,7 @@
*/
struct smb2_request *smb2_write_send(struct smb2_tree *tree, struct smb2_write *io)
{
+ NTSTATUS status;
struct smb2_request *req;
req = smb2_request_init_tree(tree, SMB2_OP_WRITE, io->in.data.length + 0x30);
@@ -41,7 +42,11 @@ struct smb2_request *smb2_write_send(struct smb2_tree *tree, struct smb2_write *
SBVAL(req->out.body, 0x08, io->in.offset);
smb2_put_handle(req->out.body+0x10, &io->in.handle);
memcpy(req->out.body+0x20, io->in._pad, 0x10);
- memcpy(req->out.body+0x30, io->in.data.data, io->in.data.length);
+
+ status = smb2_push_blob(&req->out, req->out.body+0x30, io->in.data);
+ if (!NT_STATUS_IS_OK(status)) {
+ return NULL;
+ }
smb2_transport_send(req);