From 143fb8403a5b763224b078e67aa9e4ef005ec9ca Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 8 Aug 2012 05:03:19 +0200 Subject: libcli/smb: smb2_signing_[en|de]crypt_pdu() check and set SMB2_TF_MSG_SIZE metze --- libcli/smb/smb2_signing.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) (limited to 'libcli/smb/smb2_signing.c') diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c index bb621fd27e..97143f7144 100644 --- a/libcli/smb/smb2_signing.c +++ b/libcli/smb/smb2_signing.c @@ -238,13 +238,15 @@ NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key, return NT_STATUS_ACCESS_DENIED; } - alg = SMB2_ENCRYPTION_AES128_CCM; - SSVAL(tf, SMB2_TF_ALGORITHM, alg); - a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE; for (i=1; i < count; i++) { m_total += vector[i].iov_len; } + + alg = SMB2_ENCRYPTION_AES128_CCM; + SSVAL(tf, SMB2_TF_ALGORITHM, alg); + SIVAL(tf, SMB2_TF_MSG_SIZE, m_total); + ZERO_STRUCT(key); memcpy(key, encryption_key.data, MIN(encryption_key.length, AES_BLOCK_SIZE)); @@ -283,6 +285,7 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key, int i; size_t a_total; size_t m_total = 0; + uint32_t msg_size = 0; struct aes_ccm_128_context ctx; uint8_t key[AES_BLOCK_SIZE]; @@ -302,15 +305,22 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key, return NT_STATUS_ACCESS_DENIED; } + a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE; + for (i=1; i < count; i++) { + m_total += vector[i].iov_len; + } + alg = SVAL(tf, SMB2_TF_ALGORITHM); + msg_size = IVAL(tf, SMB2_TF_MSG_SIZE); + if (alg != SMB2_ENCRYPTION_AES128_CCM) { return NT_STATUS_ACCESS_DENIED; } - a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE; - for (i=1; i < count; i++) { - m_total += vector[i].iov_len; + if (msg_size != m_total) { + return NT_STATUS_INTERNAL_ERROR; } + ZERO_STRUCT(key); memcpy(key, decryption_key.data, MIN(decryption_key.length, AES_BLOCK_SIZE)); -- cgit