From 03841f9e44950811907ea83e8caedac2a80bce06 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Sun, 26 Sep 2010 02:59:32 -0700
Subject: Fix bug #7698 - Assert causes smbd to panic on invalid NetBIOS session request. Found by the CodeNomicon test suites at the SNIA plugfest. http://www.codenomicon.com/ If an invalid NetBIOS session request is received the code in name_len() in libsmb/nmblib.c can hit an assert. Re-write name_len() and name_extract() to use "buf/len" pairs and always limit reads. Jeremy.
---
 source3/include/proto.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'source3/include')
diff --git a/source3/include/proto.h b/source3/include/proto.h
index c252b0e19c..1687186268 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -2806,8 +2806,8 @@ bool match_mailslot_name(struct packet_struct *p, const char *mailslot_name);
 int matching_len_bits(unsigned char *p1, unsigned char *p2, size_t len);
 void sort_query_replies(char *data, int n, struct in_addr ip);
 char *name_mangle(TALLOC_CTX *mem_ctx, char *In, char name_type);
-int name_extract(char *buf,int ofs, fstring name);
-int name_len(char *s1);
+int name_extract(unsigned char *buf,size_t buf_len, unsigned int ofs, fstring name);
+int name_len(unsigned char *s1, size_t buf_len);
 /* The following definitions come from libsmb/nterr.c */
@@ -5268,7 +5268,7 @@ bool check_fsp(connection_struct *conn, struct smb_request *req, files_struct *fsp);
 bool check_fsp_ntquota_handle(connection_struct *conn, struct smb_request *req, files_struct *fsp);
-void reply_special(struct smbd_server_connection *sconn, char *inbuf);
+void reply_special(struct smbd_server_connection *sconn, char *inbuf, size_t inbuf_len);
 void reply_tcon(struct smb_request *req);
 void reply_tcon_and_X(struct smb_request *req);
 void reply_unknown_new(struct smb_request *req, uint8 type);
-- cgit
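Review bot: The new `name_extract()` and `name_len()` prototypes still return a bare `int`, and nothing in the header says what a caller gets back when the encoded name is malformed or runs past `buf_len`. Since this commit replaces an assert with bounded reads, the error value is now part of the contract, so I would add a short comment above the pair stating the value returned for a truncated or invalid name and that callers must test for it before using the result. If the implementations only read the buffer, the pointers could also be `const unsigned char *`. Note that `ofs` is `unsigned int` while `buf_len` is `size_t`, so the implementation should reject `ofs >= buf_len` before indexing. The function bodies are in libsmb/nmblib.c, outside this diff, so these points cannot be confirmed from here.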
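Review bot: `reply_special()` gains `size_t inbuf_len` but the prototype does not say what that length counts, and a caller that passes the buffer's allocated size instead of the number of bytes actually received would defeat the new bound. A comment on the declaration such as `/* inbuf_len: bytes actually received in inbuf, not its capacity */` would pin this down. `inbuf` also stays `char *` while the name helpers in the first hunk now take `unsigned char *`, so if this function passes the buffer on to them the call needs a cast, and any length byte read through `inbuf` directly may be negative where `char` is signed. The function body and its callers are outside this diff, which is limited to source3/include.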