Diffstat (limited to 'source4/auth/ntlmssp/ntlmssp_parse.c')
-rw-r--r-- | source4/auth/ntlmssp/ntlmssp_parse.c | 90 |
1 files changed, 59 insertions, 31 deletions
diff --git a/source4/auth/ntlmssp/ntlmssp_parse.c b/source4/auth/ntlmssp/ntlmssp_parse.c
index ea80737c80..bb2d7a14a8 100644
--- a/source4/auth/ntlmssp/ntlmssp_parse.c
+++ b/source4/auth/ntlmssp/ntlmssp_parse.c
@@ -21,6 +21,7 @@
 #include "includes.h"
 #include "pstring.h"
+#include "param/param.h"
 /* this is a tiny msrpc packet generator. I am only using this to
@@ -64,7 +65,7 @@ bool msrpc_gen(TALLOC_CTX *mem_ctx, DATA_BLOB *blob,
 case 'U':
 s = va_arg(ap, char *);
 head_size += 8;
- n = push_ucs2_talloc(pointers, global_smb_iconv_convenience, (void **)&pointers[i].data, s);
+ n = push_ucs2_talloc(pointers, lp_iconv_convenience(global_loadparm), (void **)&pointers[i].data, s);
 if (n == -1) {
 return false;
 }
@@ -75,7 +76,7 @@ bool msrpc_gen(TALLOC_CTX *mem_ctx, DATA_BLOB *blob,
 case 'A':
 s = va_arg(ap, char *);
 head_size += 8;
- n = push_ascii_talloc(pointers, global_smb_iconv_convenience, (char **)&pointers[i].data, s);
+ n = push_ascii_talloc(pointers, lp_iconv_convenience(global_loadparm), (char **)&pointers[i].data, s);
 if (n == -1) {
 return false;
 }
@@ -87,7 +88,7 @@ bool msrpc_gen(TALLOC_CTX *mem_ctx, DATA_BLOB *blob,
 n = va_arg(ap, int);
 intargs[i] = n;
 s = va_arg(ap, char *);
- n = push_ucs2_talloc(pointers, global_smb_iconv_convenience, (void **)&pointers[i].data, s);
+ n = push_ucs2_talloc(pointers, lp_iconv_convenience(global_loadparm), (void **)&pointers[i].data, s);
 if (n == -1) {
 return false;
 }
@@ -209,7 +210,9 @@ bool msrpc_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob,
 uint16_t len1, len2;
 uint32_t ptr;
 uint32_t *v;
- pstring p;
+ size_t p_len = 1024;
+ char *p = talloc_array(mem_ctx, char, p_len);
+ bool ret = true;
 va_start(ap, format);
 for (i=0; format[i]; i++) {
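Review bot: In the -209 hunk `p` now comes from `talloc_array(mem_ctx, char, p_len)` but is never checked for NULL before it is handed to `pull_string` and `strcmp` in the later hunks, so an allocation failure becomes a NULL-pointer write instead of a clean parse failure. The allocation happens before `va_start`, so a direct return is safe there: `if (p == NULL) { return false; }`. Separately, in the msrpc_gen hunks (-64, -75, -87) `lp_iconv_convenience(global_loadparm)` is now re-evaluated on every loop iteration; hoisting it into a local before the loop would make the dependency explicit and keep the per-element path as it was. The msrpc_gen loop and the msrpc_parse body both continue outside these hunks.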
@@ -226,21 +229,27 @@ bool msrpc_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob,
 } else {
 /* make sure its in the right format - be strict */
 if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
- return false;
+ ret = false;
+ goto cleanup;
 }
 if (len1 & 1) {
 /* if odd length and unicode */
- return false;
+ ret = false;
+ goto cleanup;
+ }
+ if (blob->data + ptr < (uint8_t *)ptr ||
+ blob->data + ptr < blob->data) {
+ ret = false;
+ goto cleanup;
 }
- if (blob->data + ptr < (uint8_t *)ptr || blob->data + ptr < blob->data)
- return false;
 if (0 < len1) {
- pull_string(global_smb_iconv_convenience, p, blob->data + ptr, sizeof(p),
+ pull_string(lp_iconv_convenience(global_loadparm), p, blob->data + ptr, p_len,
 len1, STR_UNICODE|STR_NOALIGN);
 (*ps) = talloc_strdup(mem_ctx, p);
 if (!(*ps)) {
- return false;
+ ret = false;
+ goto cleanup;
 }
 } else {
 (*ps) = "";
@@ -259,18 +268,23 @@ bool msrpc_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob,
 *ps = "";
 } else {
 if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
- return false;
+ ret = false;
+ goto cleanup;
 }
- if (blob->data + ptr < (uint8_t *)ptr || blob->data + ptr < blob->data)
- return false;
+ if (blob->data + ptr < (uint8_t *)ptr ||
+ blob->data + ptr < blob->data) {
+ ret = false;
+ goto cleanup;
+ }
 if (0 < len1) {
- pull_string(global_smb_iconv_convenience, p, blob->data + ptr, sizeof(p),
+ pull_string(lp_iconv_convenience(global_loadparm), p, blob->data + ptr, p_len,
 len1, STR_ASCII|STR_NOALIGN);
 (*ps) = talloc_strdup(mem_ctx, p);
 if (!(*ps)) {
- return false;
+ ret = false;
+ goto cleanup;
 }
 } else {
 (*ps) = "";
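Review bot: The `p_len` passed to `pull_string` in the -226 hunk (and again in the -259 hunk) is the fixed 1024 from the earlier declaration, so a field longer than that is presumably still cut short silently, exactly as with the old `pstring`, even though `len1` has already been validated against `blob->length` and is known at this point. Now that `p` is heap-allocated the commit could size it from the input instead of keeping the old limit, or at least state the limit at the allocation site with a comment such as `/* fixed 1024-byte scratch buffer: longer fields are truncated by pull_string */`. I am inferring the truncation from the dest_len argument; confirm against pull_string before changing it. msrpc_parse starts and ends outside these hunks.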
@@ -289,12 +303,16 @@ bool msrpc_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob,
 } else {
 /* make sure its in the right format - be strict */
 if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
- return false;
+ ret = false;
+ goto cleanup;
+ }
+
+ if (blob->data + ptr < (uint8_t *)ptr ||
+ blob->data + ptr < blob->data) {
+ ret = false;
+ goto cleanup;
 }
- if (blob->data + ptr < (uint8_t *)ptr || blob->data + ptr < blob->data)
- return false;
-
 *b = data_blob_talloc(mem_ctx, blob->data + ptr, len1);
 }
 break;
@@ -303,9 +321,12 @@ bool msrpc_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob,
 len1 = va_arg(ap, uint_t);
 /* make sure its in the right format - be strict */
 NEED_DATA(len1);
- if (blob->data + head_ofs < (uint8_t *)head_ofs || blob->data + head_ofs < blob->data)
- return false;
-
+ if (blob->data + head_ofs < (uint8_t *)head_ofs ||
+ blob->data + head_ofs < blob->data) {
+ ret = false;
+ goto cleanup;
+ }
+
 *b = data_blob_talloc(mem_ctx, blob->data + head_ofs, len1);
 head_ofs += len1;
 break;
@@ -317,19 +338,26 @@ bool msrpc_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob,
 case 'C':
 s = va_arg(ap, char *);
- if (blob->data + head_ofs < (uint8_t *)head_ofs || blob->data + head_ofs < blob->data)
- return false;
-
- head_ofs += pull_string(global_smb_iconv_convenience, p, blob->data+head_ofs, sizeof(p),
- blob->length - head_ofs,
- STR_ASCII|STR_TERMINATE);
+ if (blob->data + head_ofs < (uint8_t *)head_ofs ||
+ blob->data + head_ofs < blob->data) {
+ ret = false;
+ goto cleanup;
+ }
+
+ head_ofs += pull_string(lp_iconv_convenience(global_loadparm), p,
+ blob->data+head_ofs, p_len,
+ blob->length - head_ofs,
+ STR_ASCII|STR_TERMINATE);
 if (strcmp(s, p) != 0) {
- return false;
+ ret = false;
+ goto cleanup;
 }
 break;
 }
 }
- va_end(ap);
- return true;
+cleanup:
+ va_end(ap);
+ talloc_free(p);
+ return ret;
 } |
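Review bot: `NEED_DATA(len1)` on the context line of the -303 hunk is left as it was, and if that macro still expands to a bare `return false` like the neighbouring checks this commit converts, the short-input path now bypasses the new `cleanup:` label in the -317 hunk: `va_end(ap)` is skipped, which is undefined behaviour after `va_start`, and `p` lives on until `mem_ctx` is freed. The macro body is outside this diff, so this is inferred; if it does return directly, it should instead set `ret = false; goto cleanup;` so every failure path in msrpc_parse exits the same way. Any other pre-existing `return false` in the parts of msrpc_parse not shown here would need the same treatment, since the function starts well before the -289 hunk.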