From a3e913ae8bfaa88f5b571f3347f3357a9ff02ed1 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 3 May 2011 14:52:01 -0700
Subject: Add in bufflen limit when storing NetBIOS names. Remove safe_strcpy.
---
 source3/libsmb/nmblib.c | 48 ++++++++++++++++++++++++++++++++----------------
 1 file changed, 32 insertions(+), 16 deletions(-)
(limited to 'source3/libsmb/nmblib.c')
diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c
index dbf996ee5e..39243a04f3 100644
--- a/source3/libsmb/nmblib.c
+++ b/source3/libsmb/nmblib.c
@@ -288,7 +288,7 @@ void put_name(char *dest, const char *name, int pad, unsigned int name_type)
  If buf == NULL this is a length calculation.
 ******************************************************************/
-static int put_nmb_name(char *buf,int offset,struct nmb_name *name)
+static int put_nmb_name(char *buf, size_t buflen, int offset,struct nmb_name *name)
 {
 	int ret,m;
 	nstring buf1;
@@ -302,6 +302,9 @@ static int put_nmb_name(char *buf,int offset,struct nmb_name *name)
 	}
 	if (buf) {
+		if (offset >= buflen) {
+			return 0;
+		}
 		buf[offset] = 0x20;
 	}
@@ -309,6 +312,9 @@ static int put_nmb_name(char *buf,int offset,struct nmb_name *name)
 	for (m=0;m= buflen) {
+			return 0;
+		}
 			buf[offset+1+2*m] = 'A' + ((buf1[m]>>4)&0xF);
 			buf[offset+2+2*m] = 'A' + (buf1[m]&0xF);
 		}
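Review bot: The `return 0` that the new guards use to report "name does not fit" is never distinguished from a real length by the callers: the hunk that packs `dgram->source_name` and `dgram->dest_name` (apparently build_dgram, whose header is not visible here) does `offset += put_nmb_name((char *)ubuf,len,offset,&dgram->source_name);` with no length pre-check in view, so a truncated name leaves the 0x20 and the encoded bytes already written, then keeps packing the rest of the datagram at the old offset. build_nmb only avoids this because its `if (len)` pre-check with a NULL buffer runs first, which also makes the in-function checks redundant there. Those call sites should test the result, e.g. `int n = put_nmb_name((char *)ubuf,len,offset,&dgram->source_name); if (n == 0) return 0; offset += n;` and likewise for dest_name. The header comment above the signature should also document the new parameter and sentinel, e.g. `buflen is the size of buf; returns 0 if the encoded name does not fit (buf may then be partially written).` put_nmb_name's body continues past this hunk.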
@@ -316,20 +322,30 @@ static int put_nmb_name(char *buf,int offset,struct nmb_name *name)
 	offset += 33;
 	if (buf) {
+		if (offset >= buflen) {
+			return 0;
+		}
 		buf[offset] = 0;
 	}
 	if (name->scope[0]) {
 		/* XXXX this scope handling needs testing */
-		ret += strlen(name->scope) + 1;
+		size_t scopenamelen = strlen(name->scope) + 1;
+		ret += scopenamelen;
 		if (buf) {
-			safe_strcpy(&buf[offset+1],name->scope,
-				sizeof(name->scope));
+			if (offset+1+scopenamelen >= buflen) {
+				return 0;
+			}
+			strlcpy(&buf[offset+1],name->scope,
+				buflen - (offset+1));
 			p = &buf[offset+1];
 			while ((p = strchr_m(p,'.'))) {
 				buf[offset] = PTR_DIFF(p,&buf[offset+1]);
 				offset += (buf[offset] + 1);
+				if (offset+1 >= buflen) {
+					return 0;
+				}
 				p = &buf[offset+1];
 			}
 			buf[offset] = strlen(&buf[offset+1]);
@@ -404,13 +420,13 @@ static bool parse_alloc_res_rec(char *inbuf,int *offset,int length,
  If buf == NULL this is a length calculation.
 ******************************************************************/
-static int put_res_rec(char *buf,int offset,struct res_rec *recs,int count)
+static int put_res_rec(char *buf, size_t buflen, int offset,struct res_rec *recs,int count)
 {
 	int ret=0;
 	int i;
 	for (i=0;iheader.msg_type == 0x10 || dgram->header.msg_type == 0x11 || dgram->header.msg_type == 0x12) {
-		offset += put_nmb_name((char *)ubuf,offset,&dgram->source_name);
-		offset += put_nmb_name((char *)ubuf,offset,&dgram->dest_name);
+		offset += put_nmb_name((char *)ubuf,len,offset,&dgram->source_name);
+		offset += put_nmb_name((char *)ubuf,len,offset,&dgram->dest_name);
 	}
 	if (buf) {
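Review bot: The new guard `if (offset+1 >= buflen)` in the scope loop is placed after `offset += (buf[offset] + 1);`, and that step reads the label length back out of a plain `char`; the bound check is therefore only as good as the length byte it follows, and nothing in this hunk limits a scope label to the 63 bytes a NetBIOS label may carry, so an over-long label is silently stored with a wrapped length byte (and, where char is signed, moves offset backwards) before the guard is reached. A check on the label length before it is stored, e.g. `if (PTR_DIFF(p,&buf[offset+1]) > 63) { return 0; }` ahead of the `buf[offset] = PTR_DIFF(...)` line, would make the bounds reasoning straightforward, and the same applies to the final `buf[offset] = strlen(&buf[offset+1]);`. As a minor point, the strlcpy size could simply be `scopenamelen`, since the check just above already proves that many bytes fit. The function continues beyond the end of this hunk.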
@@ -979,13 +995,13 @@ static int build_nmb(char *buf, size_t len, struct nmb_packet *nmb)
 	/* XXXX this doesn't handle a qdcount of > 1 */
 	if (len) {
 		/* Length check. */
-		int extra = put_nmb_name(NULL,offset,
+		int extra = put_nmb_name(NULL,0,offset,
 				&nmb->question.question_name);
 		if (offset + extra > len) {
 			return 0;
 		}
 	}
-	offset += put_nmb_name((char *)ubuf,offset,
+	offset += put_nmb_name((char *)ubuf,len,offset,
 			&nmb->question.question_name);
 	if (buf) {
 		RSSVAL(ubuf,offset,nmb->question.question_type);
@@ -997,26 +1013,26 @@ static int build_nmb(char *buf, size_t len, struct nmb_packet *nmb)
 	if (nmb->header.ancount) {
 		if (len) {
 			/* Length check. */
-			int extra = put_res_rec(NULL,offset,nmb->answers,
+			int extra = put_res_rec(NULL,0,offset,nmb->answers,
 					nmb->header.ancount);
 			if (offset + extra > len) {
 				return 0;
 			}
 		}
-		offset += put_res_rec((char *)ubuf,offset,nmb->answers,
+		offset += put_res_rec((char *)ubuf,len,offset,nmb->answers,
 				nmb->header.ancount);
 	}
 	if (nmb->header.nscount) {
 		if (len) {
 			/* Length check. */
-			int extra = put_res_rec(NULL,offset,nmb->nsrecs,
+			int extra = put_res_rec(NULL,0,offset,nmb->nsrecs,
 					nmb->header.nscount);
 			if (offset + extra > len) {
 				return 0;
 			}
 		}
-		offset += put_res_rec((char *)ubuf,offset,nmb->nsrecs,
+		offset += put_res_rec((char *)ubuf,len,offset,nmb->nsrecs,
 				nmb->header.nscount);
 	}
@@ -1048,13 +1064,13 @@ static int build_nmb(char *buf, size_t len, struct nmb_packet *nmb)
 	} else if (nmb->header.arcount) {
 		if (len) {
 			/* Length check. */
-			int extra = put_res_rec(NULL,offset,nmb->additional,
+			int extra = put_res_rec(NULL,0,offset,nmb->additional,
 					nmb->header.arcount);
 			if (offset + extra > len) {
 				return 0;
 			}
 		}
-		offset += put_res_rec((char *)ubuf,offset,nmb->additional,
+		offset += put_res_rec((char *)ubuf,len,offset,nmb->additional,
 				nmb->header.arcount);
 	}
 	return offset;
-- cgit
From 02af3075858814811bc30f03623eb6715f9b7a78 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 5 May 2011 14:22:11 -0700
Subject: More simple const fixes.
---
 source3/libsmb/nmblib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'source3/libsmb/nmblib.c')
diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c
index 39243a04f3..f4d5ec7bbb 100644
--- a/source3/libsmb/nmblib.c
+++ b/source3/libsmb/nmblib.c
@@ -1147,7 +1147,7 @@ bool match_mailslot_name(struct packet_struct *p, const char *mailslot_name)
  Return the number of bits that match between two len character buffers
 ***************************************************************************/
-int matching_len_bits(unsigned char *p1, unsigned char *p2, size_t len)
+int matching_len_bits(const unsigned char *p1, const unsigned char *p2, size_t len)
 {
 	size_t i, j;
 	int ret = 0;
-- cgit
From f348d148b463ca61cbc48d2aadeaa099f7150425 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 8 Jun 2011 16:27:06 +1000
Subject: s3-param Remove special case for global_scope()
There is no reason this can't be a normal constant string in the loadparm system. (Past reasons were that we didn't have lp_set_cmdline()) Andrew Bartlett
---
 source3/libsmb/nmblib.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'source3/libsmb/nmblib.c')
diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c
index f4d5ec7bbb..767ff81476 100644
--- a/source3/libsmb/nmblib.c
+++ b/source3/libsmb/nmblib.c
@@ -936,7 +936,7 @@ void make_nmb_name( struct nmb_name *n, const char *name, int type)
 	strupper_m(unix_name);
 	push_ascii(n->name, unix_name, sizeof(n->name), STR_TERMINATE);
 	n->name_type = (unsigned int)type & 0xFF;
-	push_ascii(n->scope, global_scope(), 64, STR_TERMINATE);
+	push_ascii(n->scope, lp_netbios_scope(), 64, STR_TERMINATE);
 }
 /*******************************************************************
@@ -1261,7 +1261,7 @@ char *name_mangle(TALLOC_CTX *mem_ctx, const char *In, char name_type)
 	char *result;
 	char *p;
-	result = talloc_array(mem_ctx, char, 33 + strlen(global_scope()) + 2);
+	result = talloc_array(mem_ctx, char, 33 + strlen(lp_netbios_scope()) + 2);
 	if (result == NULL) {
 		return NULL;
 	}
@@ -1296,8 +1296,8 @@ char *name_mangle(TALLOC_CTX *mem_ctx, const char *In, char name_type)
 	p[0] = '\0';
 	/* Add the scope string. */
-	for( i = 0, len = 0; *(global_scope()) != '\0'; i++, len++ ) {
-		switch( (global_scope())[i] ) {
+	for( i = 0, len = 0; *(lp_netbios_scope()) != '\0'; i++, len++ ) {
+		switch( (lp_netbios_scope())[i] ) {
 		case '\0':
 			p[0] = len;
 			if( len > 0 )
@@ -1309,7 +1309,7 @@ char *name_mangle(TALLOC_CTX *mem_ctx, const char *In, char name_type)
 			len = -1;
 			break;
 		default:
-			p[len+1] = (global_scope())[i];
+			p[len+1] = (lp_netbios_scope())[i];
 			break;
 		}
 	}
-- cgit