diff options
Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/ipc.c | 78 | ||||
-rw-r--r-- | source3/smbd/nttrans.c | 89 | ||||
-rw-r--r-- | source3/smbd/trans2.c | 76 |
3 files changed, 142 insertions, 101 deletions
diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c index 68a13d692f..6961a5caf1 100644 --- a/source3/smbd/ipc.c +++ b/source3/smbd/ipc.c @@ -498,7 +498,8 @@ void reply_trans(struct smb_request *req) unsigned int pscnt; struct trans_state *state; NTSTATUS result; - int size; + unsigned int size; + unsigned int av_size; START_PROFILE(SMBtrans); @@ -509,6 +510,7 @@ void reply_trans(struct smb_request *req) } size = smb_len(req->inbuf) + 4; + av_size = smb_len(req->inbuf); dsoff = SVAL(req->inbuf, smb_dsoff); dscnt = SVAL(req->inbuf, smb_dscnt); psoff = SVAL(req->inbuf, smb_psoff); @@ -567,12 +569,17 @@ void reply_trans(struct smb_request *req) } /* null-terminate the slack space */ memset(&state->data[state->total_data], 0, 100); - if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt)) + + if (dscnt > state->total_data || + dsoff+dscnt < dsoff) { goto bad_param; - if ((smb_base(req->inbuf)+dsoff+dscnt - > (char *)req->inbuf + size) || - (smb_base(req->inbuf)+dsoff+dscnt < smb_base(req->inbuf))) + } + + if (dsoff > av_size || + dscnt > av_size || + dsoff+dscnt > av_size) { goto bad_param; + } memcpy(state->data,smb_base(req->inbuf)+dsoff,dscnt); } @@ -592,12 +599,17 @@ void reply_trans(struct smb_request *req) } /* null-terminate the slack space */ memset(&state->param[state->total_param], 0, 100); - if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt)) + + if (pscnt > state->total_param || + psoff+pscnt < psoff) { goto bad_param; - if ((smb_base(req->inbuf)+psoff+pscnt - > (char *)req->inbuf + size) || - (smb_base(req->inbuf)+psoff+pscnt < smb_base(req->inbuf))) + } + + if (psoff > av_size || + pscnt > av_size || + psoff+pscnt > av_size) { goto bad_param; + } memcpy(state->param,smb_base(req->inbuf)+psoff,pscnt); } @@ -675,7 +687,7 @@ void reply_transs(struct smb_request *req) connection_struct *conn = req->conn; unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp; struct trans_state *state; - int size; + unsigned int av_size; START_PROFILE(SMBtranss); @@ -708,7 +720,7 @@ void reply_transs(struct smb_request *req) if (SVAL(req->inbuf, smb_vwv1) < state->total_data) state->total_data = SVAL(req->inbuf,smb_vwv1); - size = smb_len(req->inbuf) + 4; + av_size = smb_len(req->inbuf); pcnt = SVAL(req->inbuf, smb_spscnt); poff = SVAL(req->inbuf, smb_spsoff); @@ -726,38 +738,38 @@ void reply_transs(struct smb_request *req) goto bad_param; if (pcnt) { - if (pdisp+pcnt > state->total_param) - goto bad_param; - if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt)) - goto bad_param; - if (pdisp > state->total_param) + if (pdisp > state->total_param || + pcnt > state->total_param || + pdisp+pcnt > state->total_param || + pdisp+pcnt < pdisp) { goto bad_param; - if ((smb_base(req->inbuf) + poff + pcnt - > (char *)req->inbuf + size) || - (smb_base(req->inbuf) + poff + pcnt - < smb_base(req->inbuf))) - goto bad_param; - if (state->param + pdisp < state->param) + } + + if (poff > av_size || + pcnt > av_size || + poff+pcnt > av_size || + poff+pcnt < poff) { goto bad_param; + } memcpy(state->param+pdisp,smb_base(req->inbuf)+poff, pcnt); } if (dcnt) { - if (ddisp+dcnt > state->total_data) - goto bad_param; - if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt)) + if (ddisp > state->total_data || + dcnt > state->total_data || + ddisp+dcnt > state->total_data || + ddisp+dcnt < ddisp) { goto bad_param; - if (ddisp > state->total_data) - goto bad_param; - if ((smb_base(req->inbuf) + doff + dcnt - > (char *)req->inbuf + size) || - (smb_base(req->inbuf) + doff + dcnt - < smb_base(req->inbuf))) - goto bad_param; - if (state->data + ddisp < state->data) + } + + if (ddisp > av_size || + dcnt > av_size || + ddisp+dcnt > av_size || + ddisp+dcnt < ddisp) { goto bad_param; + } memcpy(state->data+ddisp, smb_base(req->inbuf)+doff, dcnt); diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index 05c0957e4f..e8dae705b0 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -2557,14 +2557,15 @@ static void handle_nttrans(connection_struct *conn, void reply_nttrans(struct smb_request *req) { connection_struct *conn = req->conn; - uint32 pscnt; - uint32 psoff; - uint32 dscnt; - uint32 dsoff; + uint32_t pscnt; + uint32_t psoff; + uint32_t dscnt; + uint32_t dsoff; uint16 function_code; NTSTATUS result; struct trans_state *state; - int size; + uint32_t size; + uint32_t av_size; START_PROFILE(SMBnttrans); @@ -2575,6 +2576,7 @@ void reply_nttrans(struct smb_request *req) } size = smb_len(req->inbuf) + 4; + av_size = smb_len(req->inbuf); pscnt = IVAL(req->inbuf,smb_nt_ParameterCount); psoff = IVAL(req->inbuf,smb_nt_ParameterOffset); dscnt = IVAL(req->inbuf,smb_nt_DataCount); @@ -2650,12 +2652,17 @@ void reply_nttrans(struct smb_request *req) END_PROFILE(SMBnttrans); return; } - if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt)) + + if (dscnt > state->total_data || + dsoff+dscnt < dsoff) { goto bad_param; - if ((smb_base(req->inbuf)+dsoff+dscnt - > (char *)req->inbuf + size) || - (smb_base(req->inbuf)+dsoff+dscnt < smb_base(req->inbuf))) + } + + if (dsoff > av_size || + dscnt > av_size || + dsoff+dscnt > av_size) { goto bad_param; + } memcpy(state->data,smb_base(req->inbuf)+dsoff,dscnt); } @@ -2672,12 +2679,17 @@ void reply_nttrans(struct smb_request *req) END_PROFILE(SMBnttrans); return; } - if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt)) + + if (pscnt > state->total_param || + psoff+pscnt < psoff) { goto bad_param; - if ((smb_base(req->inbuf)+psoff+pscnt - > (char *)req->inbuf + size) || - (smb_base(req->inbuf)+psoff+pscnt < smb_base(req->inbuf))) + } + + if (psoff > av_size || + pscnt > av_size || + psoff+pscnt > av_size) { goto bad_param; + } memcpy(state->param,smb_base(req->inbuf)+psoff,pscnt); } @@ -2749,10 +2761,10 @@ void reply_nttrans(struct smb_request *req) void reply_nttranss(struct smb_request *req) { connection_struct *conn = req->conn; - unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp; + uint32_t pcnt,poff,dcnt,doff,pdisp,ddisp; struct trans_state *state; - - int size; + uint32_t av_size; + uint32_t size; START_PROFILE(SMBnttranss); @@ -2789,6 +2801,7 @@ void reply_nttranss(struct smb_request *req) } size = smb_len(req->inbuf) + 4; + av_size = smb_len(req->inbuf); pcnt = IVAL(req->inbuf,smb_nts_ParameterCount); poff = IVAL(req->inbuf, smb_nts_ParameterOffset); @@ -2806,38 +2819,38 @@ void reply_nttranss(struct smb_request *req) goto bad_param; if (pcnt) { - if (pdisp+pcnt > state->total_param) - goto bad_param; - if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt)) - goto bad_param; - if (pdisp > state->total_param) + if (pdisp > state->total_param || + pcnt > state->total_param || + pdisp+pcnt > state->total_param || + pdisp+pcnt < pdisp) { goto bad_param; - if ((smb_base(req->inbuf) + poff + pcnt - > (char *)req->inbuf + size) || - (smb_base(req->inbuf) + poff + pcnt - < smb_base(req->inbuf))) - goto bad_param; - if (state->param + pdisp < state->param) + } + + if (poff > av_size || + pcnt > av_size || + poff+pcnt > av_size || + poff+pcnt < poff) { goto bad_param; + } memcpy(state->param+pdisp, smb_base(req->inbuf)+poff, pcnt); } if (dcnt) { - if (ddisp+dcnt > state->total_data) - goto bad_param; - if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt)) + if (ddisp > state->total_data || + dcnt > state->total_data || + ddisp+dcnt > state->total_data || + ddisp+dcnt < ddisp) { goto bad_param; - if (ddisp > state->total_data) - goto bad_param; - if ((smb_base(req->inbuf) + doff + dcnt - > (char *)req->inbuf + size) || - (smb_base(req->inbuf) + doff + dcnt - < smb_base(req->inbuf))) - goto bad_param; - if (state->data + ddisp < state->data) + } + + if (ddisp > av_size || + dcnt > av_size || + ddisp+dcnt > av_size || + ddisp+dcnt < ddisp) { goto bad_param; + } memcpy(state->data+ddisp, smb_base(req->inbuf)+doff, dcnt); diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index 05e8375d05..709eb39dd8 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c @@ -7468,7 +7468,8 @@ void reply_trans2(struct smb_request *req) unsigned int psoff; unsigned int pscnt; unsigned int tran_call; - int size; + unsigned int size; + unsigned int av_size; struct trans_state *state; NTSTATUS result; @@ -7486,6 +7487,7 @@ void reply_trans2(struct smb_request *req) pscnt = SVAL(req->inbuf, smb_pscnt); tran_call = SVAL(req->inbuf, smb_setup0); size = smb_len(req->inbuf) + 4; + av_size = smb_len(req->inbuf); result = allow_new_trans(conn->pending_trans, req->mid); if (!NT_STATUS_IS_OK(result)) { @@ -7578,12 +7580,17 @@ void reply_trans2(struct smb_request *req) END_PROFILE(SMBtrans2); return; } - if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt)) + + if (dscnt > state->total_data || + dsoff+dscnt < dsoff) { goto bad_param; - if ((smb_base(req->inbuf)+dsoff+dscnt - > (char *)req->inbuf + size) || - (smb_base(req->inbuf)+dsoff+dscnt < smb_base(req->inbuf))) + } + + if (dsoff > av_size || + dscnt > av_size || + dsoff+dscnt > av_size) { goto bad_param; + } memcpy(state->data,smb_base(req->inbuf)+dsoff,dscnt); } @@ -7601,12 +7608,17 @@ void reply_trans2(struct smb_request *req) END_PROFILE(SMBtrans2); return; } - if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt)) + + if (pscnt > state->total_param || + psoff+pscnt < psoff) { goto bad_param; - if ((smb_base(req->inbuf)+psoff+pscnt - > (char *)req->inbuf + size) || - (smb_base(req->inbuf)+psoff+pscnt < smb_base(req->inbuf))) + } + + if (psoff > av_size || + pscnt > av_size || + psoff+pscnt > av_size) { goto bad_param; + } memcpy(state->param,smb_base(req->inbuf)+psoff,pscnt); } @@ -7655,7 +7667,8 @@ void reply_transs2(struct smb_request *req) connection_struct *conn = req->conn; unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp; struct trans_state *state; - int size; + unsigned int size; + unsigned int av_size; START_PROFILE(SMBtranss2); @@ -7668,6 +7681,7 @@ void reply_transs2(struct smb_request *req) } size = smb_len(req->inbuf)+4; + av_size = smb_len(req->inbuf); for (state = conn->pending_trans; state != NULL; state = state->next) { @@ -7706,36 +7720,38 @@ void reply_transs2(struct smb_request *req) goto bad_param; if (pcnt) { - if (pdisp+pcnt > state->total_param) - goto bad_param; - if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt)) - goto bad_param; - if (pdisp > state->total_param) + if (pdisp > state->total_param || + pcnt > state->total_param || + pdisp+pcnt > state->total_param || + pdisp+pcnt < pdisp) { goto bad_param; - if ((smb_base(req->inbuf) + poff + pcnt - > (char *)req->inbuf + size) || - (smb_base(req->inbuf) + poff + pcnt < smb_base(req->inbuf))) - goto bad_param; - if (state->param + pdisp < state->param) + } + + if (poff > av_size || + pcnt > av_size || + poff+pcnt > av_size || + poff+pcnt < poff) { goto bad_param; + } memcpy(state->param+pdisp,smb_base(req->inbuf)+poff, pcnt); } if (dcnt) { - if (ddisp+dcnt > state->total_data) - goto bad_param; - if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt)) + if (ddisp > state->total_data || + dcnt > state->total_data || + ddisp+dcnt > state->total_data || + ddisp+dcnt < ddisp) { goto bad_param; - if (ddisp > state->total_data) - goto bad_param; - if ((smb_base(req->inbuf) + doff + dcnt - > (char *)req->inbuf + size) || - (smb_base(req->inbuf) + doff + dcnt < smb_base(req->inbuf))) - goto bad_param; - if (state->data + ddisp < state->data) + } + + if (ddisp > av_size || + dcnt > av_size || + ddisp+dcnt > av_size || + ddisp+dcnt < ddisp) { goto bad_param; + } memcpy(state->data+ddisp, smb_base(req->inbuf)+doff, dcnt); |