diff options
Diffstat (limited to 'source3/rpc_parse')
-rw-r--r-- | source3/rpc_parse/parse_misc.c | 92 | ||||
-rw-r--r-- | source3/rpc_parse/parse_prs.c | 57 |
2 files changed, 71 insertions, 78 deletions
diff --git a/source3/rpc_parse/parse_misc.c b/source3/rpc_parse/parse_misc.c index 0ebc16581b..b53f9ec98c 100644 --- a/source3/rpc_parse/parse_misc.c +++ b/source3/rpc_parse/parse_misc.c @@ -553,7 +553,6 @@ void init_unistr(UNISTR *str, const char *buf) } len = strlen(buf) + 1; - len = MAX(len,MAX_UNISTRLEN); str->buffer = TALLOC_ZERO_ARRAY(get_talloc_ctx(), uint16, len); if (str->buffer == NULL) @@ -585,14 +584,12 @@ BOOL smb_io_unistr(const char *desc, UNISTR *uni, prs_struct *ps, int depth) Allocate the BUFFER3 memory. ********************************************************************/ -static void create_buffer3(BUFFER3 *str, size_t len) +static size_t create_buffer3(BUFFER3 *str, size_t len) { - len = MAX(len,MAX_BUFFERLEN); - str->buffer = TALLOC_ZERO(get_talloc_ctx(), len); if (str->buffer == NULL) smb_panic("create_buffer3: talloc fail\n"); - + return len; } /******************************************************************* @@ -604,10 +601,7 @@ void init_buffer3_uint32(BUFFER3 *str, uint32 val) ZERO_STRUCTP(str); /* set up string lengths. */ - str->buf_max_len = sizeof(uint32); - str->buf_len = sizeof(uint32); - - create_buffer3(str, sizeof(uint32)); + str->buf_max_len = str->buf_len = create_buffer3(str, sizeof(uint32)); SIVAL(str->buffer, 0, val); } @@ -620,11 +614,7 @@ void init_buffer3_str(BUFFER3 *str, const char *buf, int len) ZERO_STRUCTP(str); /* set up string lengths. */ - str->buf_max_len = len * 2; - str->buf_len = len * 2; - - create_buffer3(str, str->buf_max_len); - + str->buf_max_len = str->buf_len = create_buffer3(str, len*2); rpcstr_push(str->buffer, buf, str->buf_max_len, STR_TERMINATE); } @@ -636,24 +626,24 @@ void init_buffer3_str(BUFFER3 *str, const char *buf, int len) void init_buffer3_hex(BUFFER3 *str, const char *buf) { ZERO_STRUCTP(str); - create_buffer3(str, strlen(buf)); - str->buf_max_len = str->buf_len = strhex_to_str((char *)str->buffer, sizeof(str->buffer), buf); + str->buf_max_len = str->buf_len = create_buffer3(str, strlen(buf)); + str->buf_max_len = str->buf_len = strhex_to_str((char *)str->buffer, str->buf_len, buf); } /******************************************************************* Inits a BUFFER3 structure. ********************************************************************/ -void init_buffer3_bytes(BUFFER3 *str, uint8 *buf, int len) +void init_buffer3_bytes(BUFFER3 *str, uint8 *buf, size_t len) { ZERO_STRUCTP(str); /* max buffer size (allocated size) */ - str->buf_max_len = len; if (buf != NULL) { - create_buffer3(str, len); + len = create_buffer3(str, len); memcpy(str->buffer, buf, len); } + str->buf_max_len = len; str->buf_len = buf != NULL ? len : 0; } @@ -730,11 +720,11 @@ void init_buffer2(BUFFER2 *str, const uint8 *buf, size_t len) str->buf_len = buf != NULL ? len : 0; if (buf != NULL) { - len = MAX(len,MAX_BUFFERLEN); - str->buffer = TALLOC_ZERO(get_talloc_ctx(), len); + SMB_ASSERT(str->buf_max_len >= str->buf_len); + str->buffer = TALLOC_ZERO(get_talloc_ctx(), str->buf_max_len); if (str->buffer == NULL) smb_panic("init_buffer2: talloc fail\n"); - memcpy(str->buffer, buf, MIN(str->buf_len, len)); + memcpy(str->buffer, buf, str->buf_len); } } @@ -802,19 +792,22 @@ void init_buf_unistr2(UNISTR2 *str, uint32 *ptr, const char *buf) void copy_unistr2(UNISTR2 *str, const UNISTR2 *from) { + if (from->buffer == NULL) { + ZERO_STRUCTP(str); + return; + } + + SMB_ASSERT(from->uni_max_len >= from->uni_str_len); + str->uni_max_len = from->uni_max_len; str->offset = from->offset; str->uni_str_len = from->uni_str_len; - if (from->buffer == NULL) - return; - /* the string buffer is allocated to the maximum size (the the length of the source string) to prevent reallocation of memory. */ if (str->buffer == NULL) { - size_t alloc_len = MAX(from->uni_max_len,MAX_UNISTRLEN); - str->buffer = (uint16 *)TALLOC_ZERO_ARRAY(get_talloc_ctx(), uint16, alloc_len); + str->buffer = (uint16 *)TALLOC_ZERO_ARRAY(get_talloc_ctx(), uint16, str->uni_max_len); if ((str->buffer == NULL)) { smb_panic("copy_unistr2: talloc fail\n"); return; @@ -822,24 +815,25 @@ void copy_unistr2(UNISTR2 *str, const UNISTR2 *from) } /* copy the string */ - memcpy(str->buffer, from->buffer, from->uni_max_len*sizeof(uint16)); + memcpy(str->buffer, from->buffer, str->uni_max_len*sizeof(uint16)); } /******************************************************************* Creates a STRING2 structure. ********************************************************************/ -void init_string2(STRING2 *str, const char *buf, int max_len, int str_len) +void init_string2(STRING2 *str, const char *buf, size_t max_len, size_t str_len) { /* set up string lengths. */ + SMB_ASSERT(max_len >= str_len); + str->str_max_len = max_len; str->offset = 0; str->str_str_len = str_len; /* store the string */ if(str_len != 0) { - int alloc_len = MAX(str_len, MAX_STRINGLEN); - str->buffer = TALLOC_ZERO(get_talloc_ctx(), alloc_len); + str->buffer = TALLOC_ZERO(get_talloc_ctx(), str->str_max_len); if (str->buffer == NULL) smb_panic("init_string2: malloc fail\n"); memcpy(str->buffer, buf, str_len); @@ -903,8 +897,6 @@ void init_unistr2(UNISTR2 *str, const char *buf, enum unistr2_term_codes flags) len = strlen(buf) + 1; } - len = MAX(len,MAX_UNISTRLEN); - str->buffer = TALLOC_ZERO_ARRAY(get_talloc_ctx(), uint16, len); if (str->buffer == NULL) { smb_panic("init_unistr2: malloc fail\n"); @@ -943,7 +935,6 @@ void init_unistr2(UNISTR2 *str, const char *buf, enum unistr2_term_codes flags) void init_unistr2_w(TALLOC_CTX *ctx, UNISTR2 *str, const smb_ucs2_t *buf) { uint32 len = strlen_w(buf); - uint32 alloc_len; ZERO_STRUCTP(str); @@ -952,9 +943,7 @@ void init_unistr2_w(TALLOC_CTX *ctx, UNISTR2 *str, const smb_ucs2_t *buf) str->offset = 0; str->uni_str_len = len; - alloc_len = MAX((len + 1), MAX_UNISTRLEN); - - str->buffer = TALLOC_ZERO_ARRAY(ctx, uint16, alloc_len); + str->buffer = TALLOC_ZERO_ARRAY(ctx, uint16, len + 1); if (str->buffer == NULL) { smb_panic("init_unistr2_w: malloc fail\n"); return; @@ -1667,25 +1656,19 @@ BOOL smb_io_pol_hnd(const char *desc, POLICY_HND *pol, prs_struct *ps, int depth void init_unistr3(UNISTR3 *str, const char *buf) { - size_t len, alloc_len; - if (buf == NULL) { str->uni_str_len=0; str->str.buffer = NULL; return; } - len = strlen(buf) + 1; + str->uni_str_len = strlen(buf) + 1; - str->uni_str_len=len; - - alloc_len = MAX(len, MAX_UNISTRLEN); - - str->str.buffer = TALLOC_ZERO_ARRAY(get_talloc_ctx(), uint16, alloc_len); + str->str.buffer = TALLOC_ZERO_ARRAY(get_talloc_ctx(), uint16, str->uni_str_len); if (str->str.buffer == NULL) smb_panic("init_unistr3: malloc fail\n"); - rpcstr_push((char *)str->str.buffer, buf, len * sizeof(uint16), STR_TERMINATE); + rpcstr_push((char *)str->str.buffer, buf, str->uni_str_len * sizeof(uint16), STR_TERMINATE); } /******************************************************************* @@ -1750,8 +1733,8 @@ BOOL smb_io_bufhdr4(const char *desc, BUFHDR4 *hdr, prs_struct *ps, int depth) depth++; prs_align(ps); - prs_uint32("size", ps, depth, &(hdr->size)); - prs_uint32("buffer", ps, depth, &(hdr->buffer)); + prs_uint32("size", ps, depth, &hdr->size); + prs_uint32("buffer", ps, depth, &hdr->buffer); return True; } @@ -1759,19 +1742,20 @@ BOOL smb_io_bufhdr4(const char *desc, BUFHDR4 *hdr, prs_struct *ps, int depth) /******************************************************************* reads or writes a BUFFER4 structure. ********************************************************************/ + BOOL smb_io_buffer4(const char *desc, BUFFER4 *buf4, uint32 buffer, prs_struct *ps, int depth) { prs_debug(ps, depth, desc, "smb_io_buffer4"); depth++; prs_align(ps); - prs_uint32("buf_len", ps, depth, &(buf4->buf_len)); - - if (buf4->buf_len > MAX_BUFFERLEN) - { - buf4->buf_len = MAX_BUFFERLEN; + prs_uint32("buf_len", ps, depth, &buf4->buf_len); + if (UNMARSHALLING(ps)) { + buf4->buffer = PRS_ALLOC_MEM(ps, uint8, buf4->buf_len); + if (!buf4->buffer) { + return False; + } } - prs_uint8s(True, "buffer", ps, depth, buf4->buffer, buf4->buf_len); return True; diff --git a/source3/rpc_parse/parse_prs.c b/source3/rpc_parse/parse_prs.c index 67a9d96e19..4b78d373ba 100644 --- a/source3/rpc_parse/parse_prs.c +++ b/source3/rpc_parse/parse_prs.c @@ -726,14 +726,14 @@ BOOL prs_uint8s(BOOL charmode, const char *name, prs_struct *ps, int depth, uint SCVAL(q, i, data8s[i]); } - DEBUG(5,("%s%04x %s: ", tab_depth(depth), ps->data_offset ,name)); - if (charmode) + DEBUG(5,("%s%04x %s: ", tab_depth(depth), ps->data_offset ,name)); + if (charmode) print_asc(5, (unsigned char*)data8s, len); else { - for (i = 0; i < len; i++) + for (i = 0; i < len; i++) DEBUG(5,("%02x ", data8s[i])); } - DEBUG(5,("\n")); + DEBUG(5,("\n")); ps->data_offset += len; @@ -776,7 +776,7 @@ BOOL prs_uint16s(BOOL charmode, const char *name, prs_struct *ps, int depth, uin for (i = 0; i < len; i++) DEBUG(5,("%04x ", data16s[i])); } - DEBUG(5,("\n")); + DEBUG(5,("\n")); ps->data_offset += (len * sizeof(uint16)); @@ -818,7 +818,7 @@ static void dbg_rw_punival(BOOL charmode, const char *name, int depth, prs_struc for (i = 0; i < len; i++) DEBUG(5,("%04x ", out_buf[i])); } - DEBUG(5,("\n")); + DEBUG(5,("\n")); } /****************************************************************** @@ -873,7 +873,7 @@ BOOL prs_uint32s(BOOL charmode, const char *name, prs_struct *ps, int depth, uin for (i = 0; i < len; i++) DEBUG(5,("%08x ", data32s[i])); } - DEBUG(5,("\n")); + DEBUG(5,("\n")); ps->data_offset += (len * sizeof(uint32)); @@ -924,8 +924,11 @@ BOOL prs_buffer2(BOOL charmode, const char *name, prs_struct *ps, int depth, BUF return False; if (UNMARSHALLING(ps)) { - if ( str->buf_len ) { - str->buffer = PRS_ALLOC_MEM(ps, uint16, str->buf_len); + if (str->buf_len > str->buf_max_len) { + return False; + } + if ( str->buf_max_len ) { + str->buffer = PRS_ALLOC_MEM(ps, uint16, str->buf_max_len); if ( str->buffer == NULL ) return False; } @@ -947,11 +950,14 @@ BOOL prs_buffer2(BOOL charmode, const char *name, prs_struct *ps, int depth, BUF BOOL prs_string2(BOOL charmode, const char *name, prs_struct *ps, int depth, STRING2 *str) { unsigned int i; - char *q = prs_mem_get(ps, str->str_max_len); + char *q = prs_mem_get(ps, str->str_str_len); if (q == NULL) return False; if (UNMARSHALLING(ps)) { + if (str->str_str_len > str->str_max_len) { + return False; + } str->buffer = PRS_ALLOC_MEM(ps,unsigned char, str->str_max_len); if (str->buffer == NULL) return False; @@ -965,14 +971,14 @@ BOOL prs_string2(BOOL charmode, const char *name, prs_struct *ps, int depth, STR SCVAL(q, i, str->buffer[i]); } - DEBUG(5,("%s%04x %s: ", tab_depth(depth), ps->data_offset, name)); - if (charmode) + DEBUG(5,("%s%04x %s: ", tab_depth(depth), ps->data_offset, name)); + if (charmode) print_asc(5, (unsigned char*)str->buffer, str->str_str_len); else { - for (i = 0; i < str->str_str_len; i++) + for (i = 0; i < str->str_str_len; i++) DEBUG(5,("%02x ", str->buffer[i])); } - DEBUG(5,("\n")); + DEBUG(5,("\n")); ps->data_offset += str->str_str_len; @@ -996,6 +1002,9 @@ BOOL prs_unistr2(BOOL charmode, const char *name, prs_struct *ps, int depth, UNI return True; if (UNMARSHALLING(ps)) { + if (str->uni_str_len > str->uni_max_len) { + return False; + } str->buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_max_len); if (str->buffer == NULL) return False; @@ -1061,10 +1070,8 @@ BOOL prs_unistr(const char *name, prs_struct *ps, int depth, UNISTR *str) start = (uint8*)q; - for(len = 0; str->buffer[len] != 0; len++) - { - if(ps->bigendian_data) - { + for(len = 0; str->buffer[len] != 0; len++) { + if(ps->bigendian_data) { /* swap bytes - p is little endian, q is big endian. */ q[0] = (char)p[1]; q[1] = (char)p[0]; @@ -1126,8 +1133,7 @@ BOOL prs_unistr(const char *name, prs_struct *ps, int depth, UNISTR *str) /* the (len < alloc_len) test is to prevent us from overwriting memory that is not ours...if we get that far, we have a non-null terminated string in the buffer and have messed up somewhere */ - while ((len < alloc_len) && (*(uint16 *)q != 0)) - { + while ((len < alloc_len) && (*(uint16 *)q != 0)) { if(ps->bigendian_data) { /* swap bytes - q is big endian, p is little endian. */ @@ -1145,8 +1151,7 @@ BOOL prs_unistr(const char *name, prs_struct *ps, int depth, UNISTR *str) len++; } - if (len < alloc_len) - { + if (len < alloc_len) { /* NULL terminate the UNISTR */ str->buffer[len++] = '\0'; } @@ -1326,6 +1331,7 @@ int tdb_prs_fetch(TDB_CONTEXT *tdb, char *keystr, prs_struct *ps, TALLOC_CTX *me /******************************************************************* hash a stream. ********************************************************************/ + BOOL prs_hash1(prs_struct *ps, uint32 offset, uint8 sess_key[16], int len) { char *q; @@ -1347,11 +1353,11 @@ BOOL prs_hash1(prs_struct *ps, uint32 offset, uint8 sess_key[16], int len) return True; } - /******************************************************************* Create a digest over the entire packet (including the data), and MD5 it with the session key. ********************************************************************/ + static void netsec_digest(struct netsec_auth_struct *a, int auth_flags, RPC_AUTH_NETSEC_CHK * verf, @@ -1383,6 +1389,7 @@ static void netsec_digest(struct netsec_auth_struct *a, /******************************************************************* Calculate the key with which to encode the data payload ********************************************************************/ + static void netsec_get_sealing_key(struct netsec_auth_struct *a, RPC_AUTH_NETSEC_CHK *verf, uchar sealing_key[16]) @@ -1410,6 +1417,7 @@ static void netsec_get_sealing_key(struct netsec_auth_struct *a, /******************************************************************* Encode or Decode the sequence number (which is symmetric) ********************************************************************/ + static void netsec_deal_with_seq_num(struct netsec_auth_struct *a, RPC_AUTH_NETSEC_CHK *verf) { @@ -1432,6 +1440,7 @@ static void netsec_deal_with_seq_num(struct netsec_auth_struct *a, /******************************************************************* creates an RPC_AUTH_NETSEC_CHK structure. ********************************************************************/ + static BOOL init_rpc_auth_netsec_chk(RPC_AUTH_NETSEC_CHK * chk, const uchar sig[8], const uchar packet_digest[8], @@ -1448,13 +1457,13 @@ static BOOL init_rpc_auth_netsec_chk(RPC_AUTH_NETSEC_CHK * chk, return True; } - /******************************************************************* Encode a blob of data using the netsec (schannel) alogrithm, also produceing a checksum over the original data. We currently only support signing and sealing togeather - the signing-only code is close, but not quite compatible with what MS does. ********************************************************************/ + void netsec_encode(struct netsec_auth_struct *a, int auth_flags, enum netsec_direction direction, RPC_AUTH_NETSEC_CHK * verf, |