-rw-r--r-- | source4/libcli/smb2/getinfo.c | 3 | ||||
-rw-r--r-- | source4/libcli/smb2/negprot.c | 3 | ||||
-rw-r--r-- | source4/libcli/smb2/read.c | 6 | ||||
-rw-r--r-- | source4/libcli/smb2/request.c | 59 | ||||
-rw-r--r-- | source4/libcli/smb2/session.c | 5 | ||||
-rw-r--r-- | source4/libcli/smb2/tcon.c | 2 | ||||
-rw-r--r-- | source4/libcli/smb2/write.c | 7 |
7 files changed, 39 insertions, 46 deletions
diff --git a/source4/libcli/smb2/getinfo.c b/source4/libcli/smb2/getinfo.c
index ffc2a92daf..9ad2b77310 100644
--- a/source4/libcli/smb2/getinfo.c
+++ b/source4/libcli/smb2/getinfo.c
@@ -69,11 +69,10 @@ NTSTATUS smb2_getinfo_recv(struct smb2_request *req, TALLOC_CTX *mem_ctx,
 SMB2_CHECK_BUFFER_CODE(req, 0x09);
- status = smb2_pull_ofs_blob(req, req->in.body+0x02, &io->out.blob);
+ status = smb2_pull_ofs_blob(&req->in, mem_ctx, req->in.body+0x02, &io->out.blob);
 if (!NT_STATUS_IS_OK(status)) {
 return status;
 }
- talloc_steal(mem_ctx, io->out.blob.data);
 return smb2_request_destroy(req);
 }
diff --git a/source4/libcli/smb2/negprot.c b/source4/libcli/smb2/negprot.c
index 758b06fcae..0dc8c8ca14 100644
--- a/source4/libcli/smb2/negprot.c
+++ b/source4/libcli/smb2/negprot.c
@@ -77,8 +77,7 @@ NTSTATUS smb2_negprot_recv(struct smb2_request *req, TALLOC_CTX *mem_ctx,
 io->out.unknown8 = SVAL(req->in.body, 0x38);
 blobsize = SVAL(req->in.body, 0x3A);
 io->out.unknown9 = IVAL(req->in.body, 0x3C);
- io->out.secblob = smb2_pull_blob(req, req->in.body+0x40, blobsize);
- talloc_steal(mem_ctx, io->out.secblob.data);
+ io->out.secblob = smb2_pull_blob(&req->in, mem_ctx, req->in.body+0x40, blobsize);
 return smb2_request_destroy(req);
 }
diff --git a/source4/libcli/smb2/read.c b/source4/libcli/smb2/read.c
index 0d63a6ba0a..720d0bdbe0 100644
--- a/source4/libcli/smb2/read.c
+++ b/source4/libcli/smb2/read.c
@@ -73,11 +73,7 @@ NTSTATUS smb2_read_recv(struct smb2_request *req,
 nread = IVAL(req->in.body, 0x04);
 memcpy(io->out.unknown, req->in.body+0x08, 8);
- if (smb2_oob_in(req, req->in.hdr+ofs, nread)) {
- return NT_STATUS_BUFFER_TOO_SMALL;
- }
-
- io->out.data = data_blob_talloc(mem_ctx, req->in.hdr+ofs, nread);
+ io->out.data = smb2_pull_blob(&req->in, mem_ctx, req->in.hdr+ofs, nread);
 if (io->out.data.data == NULL) {
 return NT_STATUS_NO_MEMORY;
 }
diff --git a/source4/libcli/smb2/request.c b/source4/libcli/smb2/request.c
index 4e40b1884a..457b7a4531 100644
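Review bot: In the negprot.c hunk the value returned by the new `smb2_pull_blob` call is never checked, so a `blobsize` read from the wire at `0x3A` that reaches past the reply body makes `smb2_pull_blob` return `data_blob(NULL, 0)` and `smb2_negprot_recv` still reports the `smb2_request_destroy` status, i.e. success with an empty `secblob`; an allocation failure inside `data_blob_talloc` looks exactly the same to the caller. The pre-change code had the same gap, but now that the pull goes straight into `mem_ctx` this is the natural place to close it: check the range first with `if (smb2_oob(&req->in, req->in.body+0x40, blobsize)) { return NT_STATUS_BUFFER_TOO_SMALL; }`, then treat `io->out.secblob.data == NULL` with a non-zero `blobsize` as `NT_STATUS_NO_MEMORY`. `smb2_negprot_recv` starts above the hunk.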
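Review bot: The replacement line in read.c folds the out-of-bounds case into the out-of-memory case: `smb2_pull_blob` returns `data_blob(NULL, 0)` when the `ofs`/`nread` range from the reply is out of bounds, and the unchanged `if (io->out.data.data == NULL)` that follows reports that as `NT_STATUS_NO_MEMORY`, where the removed lines returned `NT_STATUS_BUFFER_TOO_SMALL`. A truncated or malformed server reply is thereby diagnosed as local memory exhaustion, which is the wrong signal for anyone debugging a failing read. Keeping an explicit `if (smb2_oob(&req->in, req->in.hdr+ofs, nread)) { return NT_STATUS_BUFFER_TOO_SMALL; }` before the pull preserves the distinction at no extra cost. `smb2_read_recv` starts above the hunk and continues past it.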
--- a/source4/libcli/smb2/request.c
+++ b/source4/libcli/smb2/request.c
@@ -150,60 +150,57 @@ BOOL smb2_request_is_error(struct smb2_request *req)
 /*
 check if a range in the reply body is out of bounds
 */
-BOOL smb2_oob_in(struct smb2_request *req, const uint8_t *ptr, uint_t size)
+BOOL smb2_oob(struct smb2_request_buffer *buf, const uint8_t *ptr, uint_t size)
 {
 /* be careful with wraparound! */
- if (ptr < req->in.body ||
- ptr >= req->in.body + req->in.body_size ||
- size > req->in.body_size ||
- ptr + size > req->in.body + req->in.body_size) {
+ if (ptr < buf->body ||
+ ptr >= buf->body + buf->body_size ||
+ size > buf->body_size ||
+ ptr + size > buf->body + buf->body_size) {
 return True;
 }
 return False;
 }
 /*
- check if a range in the outgoing body is out of bounds
+ pull a data blob from the body of a reply
 */
-BOOL smb2_oob_out(struct smb2_request *req, const uint8_t *ptr, uint_t size)
+DATA_BLOB smb2_pull_blob(struct smb2_request_buffer *buf, TALLOC_CTX *mem_ctx, uint8_t *ptr, uint_t size)
 {
- /* be careful with wraparound! */
- if (ptr < req->out.body ||
- ptr >= req->out.body + req->out.body_size ||
- size > req->out.body_size ||
- ptr + size > req->out.body + req->out.body_size) {
- return True;
+ if (smb2_oob(buf, ptr, size)) {
+ return data_blob(NULL, 0);
 }
- return False;
+ return data_blob_talloc(mem_ctx, ptr, size);
 }
 /*
- pull a data blob from the body of a reply
+ push a data blob from the body of a reply
 */
-DATA_BLOB smb2_pull_blob(struct smb2_request *req, uint8_t *ptr, uint_t size)
+NTSTATUS smb2_push_blob(struct smb2_request_buffer *buf, uint8_t *ptr, DATA_BLOB blob)
 {
- if (smb2_oob_in(req, ptr, size)) {
- return data_blob(NULL, 0);
+ if (smb2_oob(buf, ptr, blob.length)) {
+ return NT_STATUS_BUFFER_TOO_SMALL;
 }
- return data_blob_talloc(req, ptr, size);
+ memcpy(ptr, blob.data, blob.length);
+ return NT_STATUS_OK;
 }
 /*
 pull a ofs/length/blob triple from a data blob
 the ptr points to the start of the offset/length pair
 */
-NTSTATUS smb2_pull_ofs_blob(struct smb2_request *req, uint8_t *ptr, DATA_BLOB *blob)
+NTSTATUS smb2_pull_ofs_blob(struct smb2_request_buffer *buf, TALLOC_CTX *mem_ctx, uint8_t *ptr, DATA_BLOB *blob)
 {
 uint16_t ofs, size;
- if (smb2_oob_in(req, ptr, 4)) {
+ if (smb2_oob(buf, ptr, 4)) {
 return NT_STATUS_BUFFER_TOO_SMALL;
 }
 ofs = SVAL(ptr, 0);
 size = SVAL(ptr, 2);
- if (smb2_oob_in(req, req->in.hdr + ofs, size)) {
+ if (smb2_oob(buf, buf->hdr + ofs, size)) {
 return NT_STATUS_BUFFER_TOO_SMALL;
 }
- *blob = data_blob_talloc(req, req->in.hdr+ofs, size);
+ *blob = data_blob_talloc(mem_ctx, buf->hdr + ofs, size);
 NT_STATUS_HAVE_NO_MEMORY(blob->data);
 return NT_STATUS_OK;
 }
@@ -215,12 +212,12 @@ NTSTATUS smb2_pull_ofs_blob(struct smb2_request *req, uint8_t *ptr, DATA_BLOB *b
 NOTE: assumes blob goes immediately after the offset/length pair. Needs to be generalised
 */
-NTSTATUS smb2_push_ofs_blob(struct smb2_request *req, uint8_t *ptr, DATA_BLOB blob)
+NTSTATUS smb2_push_ofs_blob(struct smb2_request_buffer *buf, uint8_t *ptr, DATA_BLOB blob)
 {
- if (smb2_oob_out(req, ptr, 4+blob.length)) {
+ if (smb2_oob(buf, ptr, 4+blob.length)) {
 return NT_STATUS_BUFFER_TOO_SMALL;
 }
- SSVAL(ptr, 0, 4 + (ptr - req->out.hdr));
+ SSVAL(ptr, 0, 4 + (ptr - buf->hdr));
 SSVAL(ptr, 2, blob.length);
 memcpy(ptr+4, blob.data, blob.length);
 return NT_STATUS_OK;
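Review bot: The second test in the merged `smb2_oob`, `ptr >= buf->body + buf->body_size`, rejects an empty range that starts exactly at the end of the body, so `smb2_push_blob` and `smb2_pull_blob` now fail for a zero-length blob placed last in a buffer; the write.c hunk in this commit sizes the body as `io->in.data.length + 0x30` and pushes at `body+0x30`, so a zero-byte write takes the error path where the old unconditional `memcpy` of zero bytes succeeded (assuming such writes are meant to be supported). Replacing the last three clauses with a comparison against the remaining space, `ptr > buf->body + buf->body_size ||` and `size > (uint_t)((buf->body + buf->body_size) - ptr)) {`, fixes that and also stops the function from forming `ptr + size`, a pointer that can lie up to `body_size` bytes past the end of the buffer before it is compared. The comments no longer match the code either: `smb2_oob` still says `check if a range in the reply body is out of bounds` although the session.c, tcon.c and write.c hunks call it on `req->out`, and `smb2_push_blob` is described as `push a data blob from the body of a reply` although it copies `blob` into the buffer. Suggested wording: `check if a range in a request or reply body is out of bounds` and `push a data blob into the body of a request`.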
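Review bot: In `smb2_push_ofs_blob`, `SSVAL(ptr, 2, blob.length)` and `SSVAL(ptr, 0, 4 + (ptr - buf->hdr))` store the length and offset in 16-bit fields, but the preceding `smb2_oob(buf, ptr, 4+blob.length)` only proves the bytes fit in the buffer, not that either value fits in 16 bits; a longer blob is copied in full by the `memcpy` while the on-wire length field silently wraps, and `4+blob.length` is itself narrowed from `size_t` to `uint_t` at the call. Whether a request buffer can ever be that large is not visible from this hunk, but the truncations are cheap to reject up front: `if (blob.length > UINT16_MAX || (ptr - buf->hdr) + 4 > UINT16_MAX) { return NT_STATUS_INVALID_PARAMETER; }` placed before the `smb2_oob` call. The `NOTE: ... Needs to be generalised` comment above the function would be a good place to record the 16-bit limit of this encoding.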
@@ -229,16 +226,16 @@ NTSTATUS smb2_push_ofs_blob(struct smb2_request *req, uint8_t *ptr, DATA_BLOB bl
 /*
 pull a string in a ofs/length/blob format
 */
-NTSTATUS smb2_pull_ofs_string(struct smb2_request *req, uint8_t *ptr,
- const char **str)
+NTSTATUS smb2_pull_ofs_string(struct smb2_request_buffer *buf, TALLOC_CTX *mem_ctx,
+ uint8_t *ptr, const char **str)
 {
 DATA_BLOB blob;
 NTSTATUS status;
 ssize_t size;
 void *vstr;
- status = smb2_pull_ofs_blob(req, ptr, &blob);
+ status = smb2_pull_ofs_blob(buf, mem_ctx, ptr, &blob);
 NT_STATUS_NOT_OK_RETURN(status);
- size = convert_string_talloc(req, CH_UTF16, CH_UNIX,
+ size = convert_string_talloc(mem_ctx, CH_UTF16, CH_UNIX,
 blob.data, blob.length, &vstr);
 data_blob_free(&blob);
 (*str) = vstr;
@@ -263,7 +260,6 @@ NTSTATUS smb2_string_blob(TALLOC_CTX *mem_ctx, const char *str, DATA_BLOB *blob)
 return NT_STATUS_OK;
 }
-
 /*
 put a file handle into a buffer
 */
@@ -272,4 +268,3 @@ void smb2_put_handle(uint8_t *data, struct smb2_handle *h)
 SBVAL(data, 0, h->data[0]);
 SBVAL(data, 8, h->data[1]);
 }
-
diff --git a/source4/libcli/smb2/session.c b/source4/libcli/smb2/session.c
index 257e754660..cb2797b9ad 100644
--- a/source4/libcli/smb2/session.c
+++ b/source4/libcli/smb2/session.c
@@ -77,7 +77,7 @@ struct smb2_request *smb2_session_setup_send(struct smb2_session *session,
 req->session = session;
- status = smb2_push_ofs_blob(req, req->out.body+0x0C, io->in.secblob);
+ status = smb2_push_ofs_blob(&req->out, req->out.body+0x0C, io->in.secblob);
 if (!NT_STATUS_IS_OK(status)) {
 talloc_free(req);
 return NULL;
@@ -112,12 +112,11 @@ NTSTATUS smb2_session_setup_recv(struct smb2_request *req, TALLOC_CTX *mem_ctx,
 io->out._pad = SVAL(req->in.body, 0x02);
 io->out.uid = BVAL(req->in.hdr, SMB2_HDR_UID);
- status = smb2_pull_ofs_blob(req, req->in.body+0x04, &io->out.secblob);
+ status = smb2_pull_ofs_blob(&req->in, mem_ctx, req->in.body+0x04, &io->out.secblob);
 if (!NT_STATUS_IS_OK(status)) {
 smb2_request_destroy(req);
 return status;
 }
- talloc_steal(mem_ctx, io->out.secblob.data);
 return smb2_request_destroy(req);
 }
diff --git a/source4/libcli/smb2/tcon.c b/source4/libcli/smb2/tcon.c
index f68987acf7..5e53e11634 100644
--- a/source4/libcli/smb2/tcon.c
+++ b/source4/libcli/smb2/tcon.c
@@ -66,7 +66,7 @@ struct smb2_request *smb2_tree_connect_send(struct smb2_tree *tree,
 SBVAL(req->out.hdr, SMB2_HDR_UID, tree->session->uid);
 SIVAL(req->out.body, 0x00, io->in.unknown1);
- status = smb2_push_ofs_blob(req, req->out.body+0x04, path);
+ status = smb2_push_ofs_blob(&req->out, req->out.body+0x04, path);
 data_blob_free(&path);
 if (!NT_STATUS_IS_OK(status)) {
 talloc_free(req);
diff --git a/source4/libcli/smb2/write.c b/source4/libcli/smb2/write.c
index e458a540e8..a8e644f2d1 100644
--- a/source4/libcli/smb2/write.c
+++ b/source4/libcli/smb2/write.c
@@ -30,6 +30,7 @@
 */
 struct smb2_request *smb2_write_send(struct smb2_tree *tree, struct smb2_write *io)
 {
+ NTSTATUS status;
 struct smb2_request *req;
 req = smb2_request_init_tree(tree, SMB2_OP_WRITE, io->in.data.length + 0x30);
@@ -41,7 +42,11 @@ struct smb2_request *smb2_write_send(struct smb2_tree *tree, struct smb2_write *
 SBVAL(req->out.body, 0x08, io->in.offset);
 smb2_put_handle(req->out.body+0x10, &io->in.handle);
 memcpy(req->out.body+0x20, io->in._pad, 0x10);
- memcpy(req->out.body+0x30, io->in.data.data, io->in.data.length);
+
+ status = smb2_push_blob(&req->out, req->out.body+0x30, io->in.data);
+ if (!NT_STATUS_IS_OK(status)) {
+ return NULL;
+ }
 smb2_transport_send(req);
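Review bot: The new error branch in `smb2_write_send` returns NULL without freeing `req`, so the request allocated by `smb2_request_init_tree` in the first write.c hunk leaks whenever `smb2_push_blob` rejects the data; the other send functions touched by this commit (`smb2_session_setup_send` in session.c, `smb2_tree_connect_send` in tcon.c) do `talloc_free(req); return NULL;` on the same condition. Change the branch to `if (!NT_STATUS_IS_OK(status)) { talloc_free(req); return NULL; }`. The path is reachable in practice: with `io->in.data.length` equal to 0 the body is sized to exactly `0x30`, `req->out.body+0x30` is the end of the body, and `smb2_oob` as written in request.c treats that as out of bounds, so a zero-byte write now fails and leaks where the old `memcpy` succeeded. `smb2_write_send` starts above the hunk and continues past it.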