From 7a7e9b1c76f3967cc8cdae34e5d64759305e592a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 14 Aug 2012 09:33:01 +0200
Subject: libcli/smb: fix parsing of compounded messages within a SMB2_TRANSFORM pdu

One SMB2_TRANSFORM pdu wraps multiple SMB2 pdus. We inject the SMB2_TRANSFORM header to each response which was wrapped inside. This allows the next layer to verify if the SMB2 pdu was encrypted.
metze
---
 libcli/smb/smbXcli_base.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
(limited to 'libcli/smb')
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 58232ba7ea..05a97268a4 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -2953,6 +2953,9 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
 int num_iov = 0;
 size_t taken = 0;
 uint8_t *first_hdr = buf;
+ size_t verified_buflen = 0;
+ uint8_t *tf = NULL;
+ size_t tf_len = 0;
 iov = talloc_array(mem_ctx, struct iovec, num_iov);
 if (iov == NULL) {
@@ -2960,8 +2963,6 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
 }
 while (taken < buflen) {
- uint8_t *tf = NULL;
- size_t tf_len = 0;
 size_t len = buflen - taken;
 uint8_t *hdr = first_hdr + taken;
 struct iovec *cur;
@@ -2970,6 +2971,13 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
 uint16_t body_size;
 struct iovec *iov_tmp;
+ if (verified_buflen > taken) {
+ len = verified_buflen - taken;
+ } else {
+ tf = NULL;
+ tf_len = 0;
+ }
+
 if (len < 4) {
 DEBUG(10, ("%d bytes left, expected at least %d\n", (int)len, 4));
@@ -3020,6 +3028,8 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
 TALLOC_FREE(iov);
 return status;
 }
+
+ verified_buflen = taken + len;
 }
 /*
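Review bot: The block added at the top of the `while` body needs a comment, because `tf` and `tf_len` now live across iterations and the reason for the two branches is not obvious from the code. Something like `/* inside an already decrypted SMB2_TRANSFORM payload: keep tf, limit len to the verified bytes */` above `if (verified_buflen > taken) {` would record that the clamp is what keeps a chained PDU from being parsed past the decrypted region with `tf` still set. The transform-magic test sits below this hunk and is not visible here; if it also runs for PDUs inside the verified region, a nested transform header would overwrite `tf` and `verified_buflen`, so rejecting that case there is worth considering.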
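Review bot: `verified_buflen = taken + len;` has no bound check, and from the next iteration on it replaces `buflen - taken` as the source of `len`. The value of `len` at this point is set above the hunk, so this is an inference, but if the sum can exceed `buflen` (or wrap) later iterations would parse with a length larger than the received buffer. Adding `if (verified_buflen < taken || verified_buflen > buflen) { goto inval; }` after the assignment would pin the invariant; the `inval` label is outside the hunk and is presumed to free `iov`. The enclosing `if` block starts above the hunk.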
@@ -3053,9 +3063,6 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
 if (next_command_ofs > full_size) {
 goto inval;
 }
- if (tf && next_command_ofs < len) {
- goto inval;
- }
 full_size = next_command_ofs;
 }
 if (body_size < 2) {
-- cgit