From 5ca824a682bbcd9331f32935f9b423ae6d468816 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 29 Oct 2003 21:27:57 +0000 Subject: Fixes to check for wraps which could cause coredumps. Jeremy. (This used to be commit 124a8ddae63adff4f601242a8e6d05abcaf4d9bf) --- source3/lib/smbldap.c | 1 + source3/libsmb/clilist.c | 2 +- source3/libsmb/ntlmssp_parse.c | 7 +++---- source3/nmbd/nmbd_processlogon.c | 3 +++ source3/printing/nt_printing.c | 19 ++++++++++++++----- source3/smbd/reply.c | 10 ++++++---- 6 files changed, 28 insertions(+), 14 deletions(-) diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c index 8f58e80dde..fe34cfb852 100644 --- a/source3/lib/smbldap.c +++ b/source3/lib/smbldap.c @@ -258,6 +258,7 @@ BOOL fetch_ldap_pw(char **dn, char** pw) return False; } + size = MIN(size, sizeof(fstring)-1); strncpy(old_style_pw, data, size); old_style_pw[size] = 0; diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c index 7822987ada..2c1831ae99 100644 --- a/source3/libsmb/clilist.c +++ b/source3/libsmb/clilist.c @@ -82,7 +82,7 @@ static int interpret_long_filename(struct cli_state *cli, case 260: /* NT uses this, but also accepts 2 */ { - int namelen, slen; + size_t namelen, slen; p += 4; /* next entry offset */ p += 4; /* fileindex */ diff --git a/source3/libsmb/ntlmssp_parse.c b/source3/libsmb/ntlmssp_parse.c index 60cb4ab04a..b136dacf5a 100644 --- a/source3/libsmb/ntlmssp_parse.c +++ b/source3/libsmb/ntlmssp_parse.c @@ -226,7 +226,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob, *ps = smb_xstrdup(""); } else { /* make sure its in the right format - be strict */ - if (len1 != len2 || ptr + len1 > blob->length) { + if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) { return False; } if (len1 & 1) { @@ -255,7 +255,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob, if (len1 == 0 && len2 == 0) { *ps = smb_xstrdup(""); } else { - if (len1 != len2 || ptr + len1 > blob->length) { + if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) { return False; } @@ -280,7 +280,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob, *b = data_blob(NULL, 0); } else { /* make sure its in the right format - be strict */ - if (len1 != len2 || ptr + len1 > blob->length) { + if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) { return False; } *b = data_blob(blob->data + ptr, len1); @@ -314,4 +314,3 @@ BOOL msrpc_parse(const DATA_BLOB *blob, return True; } - diff --git a/source3/nmbd/nmbd_processlogon.c b/source3/nmbd/nmbd_processlogon.c index 2a6a6b66d1..816b351464 100644 --- a/source3/nmbd/nmbd_processlogon.c +++ b/source3/nmbd/nmbd_processlogon.c @@ -491,6 +491,8 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n", /* Domain SID */ +#if 0 + /* We must range check this. */ q += IVAL(q, 0) + 4; /* 4 byte length plus data */ q += 2; /* Alignment? */ @@ -500,6 +502,7 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n", q += 4; /* NT version (0x1) */ q += 2; /* LMNT token (0xff) */ q += 2; /* LM20 token (0xff) */ +#endif SAFE_FREE(db_info); /* Not sure whether we need to do anything useful with these */ diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c index 5b5b5885ab..908bd9c887 100644 --- a/source3/printing/nt_printing.c +++ b/source3/printing/nt_printing.c @@ -728,7 +728,7 @@ const char *get_short_archi(const char *long_archi) static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32 *minor) { int i; - char *buf; + char *buf = NULL; ssize_t byte_count; if ((buf=malloc(PE_HEADER_SIZE)) == NULL) { @@ -768,8 +768,8 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32 /* The header may be a PE (Portable Executable) or an NE (New Executable) */ if (IVAL(buf,PE_HEADER_SIGNATURE_OFFSET) == PE_HEADER_SIGNATURE) { - int num_sections; - int section_table_bytes; + unsigned int num_sections; + unsigned int section_table_bytes; if (SVAL(buf,PE_HEADER_MACHINE_OFFSET) != PE_HEADER_MACHINE_I386) { DEBUG(3,("get_file_version: PE file [%s] wrong machine = 0x%x\n", @@ -783,6 +783,9 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32 /* get the section table */ num_sections = SVAL(buf,PE_HEADER_NUMBER_OF_SECTIONS); section_table_bytes = num_sections * PE_HEADER_SECT_HEADER_SIZE; + if (section_table_bytes == 0) + goto error_exit; + SAFE_FREE(buf); if ((buf=malloc(section_table_bytes)) == NULL) { DEBUG(0,("get_file_version: PE file [%s] section table malloc failed bytes = %d\n", @@ -801,8 +804,11 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32 int sec_offset = i * PE_HEADER_SECT_HEADER_SIZE; if (strcmp(".rsrc", &buf[sec_offset+PE_HEADER_SECT_NAME_OFFSET]) == 0) { - int section_pos = IVAL(buf,sec_offset+PE_HEADER_SECT_PTR_DATA_OFFSET); - int section_bytes = IVAL(buf,sec_offset+PE_HEADER_SECT_SIZE_DATA_OFFSET); + unsigned int section_pos = IVAL(buf,sec_offset+PE_HEADER_SECT_PTR_DATA_OFFSET); + unsigned int section_bytes = IVAL(buf,sec_offset+PE_HEADER_SECT_SIZE_DATA_OFFSET); + + if (section_bytes == 0) + goto error_exit; SAFE_FREE(buf); if ((buf=malloc(section_bytes)) == NULL) { @@ -824,6 +830,9 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32 goto error_exit; } + if (section_bytes < VS_VERSION_INFO_UNICODE_SIZE) + goto error_exit; + for (i=0; i dontdescend=<%s>\n", conn->dirpath,lp_dontdescend(SNUM(conn)))); if (in_list(conn->dirpath, lp_dontdescend(SNUM(conn)),True)) @@ -845,7 +847,7 @@ int reply_search(connection_struct *conn, char *inbuf,char *outbuf, int dum_size if ((! *directory) && dptr_path(dptr_num)) slprintf(directory, sizeof(directory)-1, "(%s)",dptr_path(dptr_num)); - DEBUG( 4, ( "%s mask=%s path=%s dtype=%d nument=%d of %d\n", + DEBUG( 4, ( "%s mask=%s path=%s dtype=%d nument=%u of %u\n", smb_fn_name(CVAL(inbuf,smb_com)), mask, directory, dirtype, numentries, maxentries ) ); -- cgit