From 528c3d3e682ce85d8b041a1396e59f5229716e71 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Tue, 27 Oct 1998 15:03:47 +0000 Subject: amazing. the improvements to NT continue, evidence for which shows up now as "RPC fault" if the UNIHDR structure lengths do not exactly match up to the length of the data stream. so, all versions of samba prior to this one have an off-by-one bug in unicode string lengths. all versions of NT prior to NT 5 beta 2 could possibly have buffer problems when receiving badly formatted UNICODE strings. (This used to be commit 161eb6f511e161b63c1fa90a08c562fcf208344a) --- source3/rpc_client/cli_netlogon.c | 1 + source3/rpc_parse/parse_misc.c | 18 +++++++++--------- source3/rpc_parse/parse_net.c | 10 +++++----- source3/rpc_parse/parse_samr.c | 2 +- source3/rpc_parse/parse_srv.c | 1 + source3/rpc_server/srv_samr.c | 4 ++-- 6 files changed, 19 insertions(+), 17 deletions(-) diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 721e261359..d75ad6947f 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -339,6 +339,7 @@ BOOL cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, ctr->switch_value)); memset(&dummy_rtn_creds, '\0', sizeof(dummy_rtn_creds)); + dummy_rtn_creds.timestamp.time = time(NULL); /* store the parameters */ make_sam_info(&(q_s.sam_id), cli->srv_name_slash, global_myname, diff --git a/source3/rpc_parse/parse_misc.c b/source3/rpc_parse/parse_misc.c index 5144ef8c31..4cb606688d 100644 --- a/source3/rpc_parse/parse_misc.c +++ b/source3/rpc_parse/parse_misc.c @@ -395,7 +395,7 @@ void make_buf_unistr2(UNISTR2 *str, uint32 *ptr, char *buf) if (buf != NULL) { *ptr = 1; - make_unistr2(str, buf, strlen(buf)); + make_unistr2(str, buf, strlen(buf)+1); } else { @@ -475,10 +475,10 @@ creates a UNISTR2 structure. ********************************************************************/ void make_unistr2(UNISTR2 *str, char *buf, int len) { - /* set up string lengths. add one if string is not null-terminated */ - str->uni_max_len = len+1; + /* set up string lengths. */ + str->uni_max_len = len; str->undoc = 0; - str->uni_str_len = len+1; + str->uni_str_len = len; /* store the string (null-terminated 8 bit chars into 16 bit chars) */ struni2(str->buffer, buf); @@ -608,7 +608,7 @@ static void make_clnt_srv(DOM_CLNT_SRV *log, char *logon_srv, char *comp_name) if (logon_srv != NULL) { log->undoc_buffer = 1; - make_unistr2(&(log->uni_logon_srv), logon_srv, strlen(logon_srv)); + make_unistr2(&(log->uni_logon_srv), logon_srv, strlen(logon_srv)+1); } else { @@ -618,7 +618,7 @@ static void make_clnt_srv(DOM_CLNT_SRV *log, char *logon_srv, char *comp_name) if (comp_name != NULL) { log->undoc_buffer2 = 1; - make_unistr2(&(log->uni_comp_name), comp_name, strlen(comp_name)); + make_unistr2(&(log->uni_comp_name), comp_name, strlen(comp_name)+1); } else { @@ -665,12 +665,12 @@ void make_log_info(DOM_LOG_INFO *log, char *logon_srv, char *acct_name, log->undoc_buffer = 1; - make_unistr2(&(log->uni_logon_srv), logon_srv, strlen(logon_srv)); - make_unistr2(&(log->uni_acct_name), acct_name, strlen(acct_name)); + make_unistr2(&(log->uni_logon_srv), logon_srv, strlen(logon_srv)+1); + make_unistr2(&(log->uni_acct_name), acct_name, strlen(acct_name)+1); log->sec_chan = sec_chan; - make_unistr2(&(log->uni_comp_name), comp_name, strlen(comp_name)); + make_unistr2(&(log->uni_comp_name), comp_name, strlen(comp_name)+1); } /******************************************************************* diff --git a/source3/rpc_parse/parse_net.c b/source3/rpc_parse/parse_net.c index d99c4baac6..57fc73e516 100644 --- a/source3/rpc_parse/parse_net.c +++ b/source3/rpc_parse/parse_net.c @@ -116,7 +116,7 @@ static void make_netinfo_2(NETLOGON_INFO_2 *info, uint32 flags, uint32 pdc_statu if (trusted_dc_name != NULL) { - make_unistr2(&(info->uni_trusted_dc_name), trusted_dc_name, len_dc_name); + make_unistr2(&(info->uni_trusted_dc_name), trusted_dc_name, len_dc_name+1); } else { @@ -294,7 +294,7 @@ void make_r_trust_dom(NET_R_TRUST_DOM_LIST *r_t, fstring domain_name; fstrcpy(domain_name, dom_name); strupper(domain_name); - make_unistr2(&(r_t->uni_trust_dom_name[i]), domain_name, strlen(domain_name)); + make_unistr2(&(r_t->uni_trust_dom_name[i]), domain_name, strlen(domain_name)+1); /* the use of UNISTR2 here is non-standard. */ r_t->uni_trust_dom_name[i].undoc = 0x1; } @@ -354,8 +354,8 @@ void make_q_req_chal(NET_Q_REQ_CHAL *q_c, q_c->undoc_buffer = 1; /* don't know what this buffer is */ - make_unistr2(&(q_c->uni_logon_srv ), logon_srv , strlen(logon_srv )); - make_unistr2(&(q_c->uni_logon_clnt), logon_clnt, strlen(logon_clnt)); + make_unistr2(&(q_c->uni_logon_srv ), logon_srv , strlen(logon_srv )+1); + make_unistr2(&(q_c->uni_logon_clnt), logon_clnt, strlen(logon_clnt)+1); memcpy(q_c->clnt_chal.data, clnt_chal->data, sizeof(clnt_chal->data)); @@ -377,7 +377,7 @@ void net_io_q_req_chal(char *desc, NET_Q_REQ_CHAL *q_c, prs_struct *ps, int dep prs_uint32("undoc_buffer", ps, depth, &(q_c->undoc_buffer)); - smb_io_unistr2("", &(q_c->uni_logon_srv), True, ps, depth); /* logon server unicode string */ + smb_io_unistr2("", &(q_c->uni_logon_srv ), True, ps, depth); /* logon server unicode string */ smb_io_unistr2("", &(q_c->uni_logon_clnt), True, ps, depth); /* logon client unicode string */ old_align = ps->align; diff --git a/source3/rpc_parse/parse_samr.c b/source3/rpc_parse/parse_samr.c index f09af387e4..ba6a8d3556 100644 --- a/source3/rpc_parse/parse_samr.c +++ b/source3/rpc_parse/parse_samr.c @@ -2694,7 +2694,7 @@ void make_samr_q_connect(SAMR_Q_CONNECT *q_u, /* make PDC server name \\server */ q_u->ptr_srv_name = len_srv_name > 0 ? 1 : 0; - make_unistr2(&(q_u->uni_srv_name), srv_name, len_srv_name); + make_unistr2(&(q_u->uni_srv_name), srv_name, len_srv_name+1); /* example values: 0x0000 0002 */ q_u->unknown_0 = unknown_0; diff --git a/source3/rpc_parse/parse_srv.c b/source3/rpc_parse/parse_srv.c index 27b1ec2257..adc4249072 100644 --- a/source3/rpc_parse/parse_srv.c +++ b/source3/rpc_parse/parse_srv.c @@ -1377,6 +1377,7 @@ static void srv_io_info_ctr(char *desc, SRV_INFO_CTR *ctr, prs_struct *ps, int break; } } + prs_align(ps); } } diff --git a/source3/rpc_server/srv_samr.c b/source3/rpc_server/srv_samr.c index 74d06d1bca..034e4dd336 100644 --- a/source3/rpc_server/srv_samr.c +++ b/source3/rpc_server/srv_samr.c @@ -418,7 +418,7 @@ static void samr_reply_enum_dom_groups(SAMR_Q_ENUM_DOM_GROUPS *q_u, got_grps = True; num_entries = 1; - make_unistr2(&(pass[0].uni_user_name), dummy_group, strlen(dummy_group)); + make_unistr2(&(pass[0].uni_user_name), dummy_group, strlen(dummy_group)-1); pass[0].user_rid = DOMAIN_GROUP_RID_ADMINS; if (r_e.status == 0 && got_grps) @@ -481,7 +481,7 @@ static void samr_reply_enum_dom_aliases(SAMR_Q_ENUM_DOM_ALIASES *q_u, char *name; while (num_entries < MAX_SAM_ENTRIES && ((name = builtin_alias_rids[num_entries].name) != NULL)) { - make_unistr2(&(pass[num_entries].uni_user_name), name, strlen(name)); + make_unistr2(&(pass[num_entries].uni_user_name), name, strlen(name)-1); pass[num_entries].user_rid = builtin_alias_rids[num_entries].rid; num_entries++; } -- cgit