From 42c87fe6e6036a56b178183b034275321949050d Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 29 Nov 2007 13:24:14 -0800 Subject: Remove pstrings. Ensure we validate offsets. Jeremy. (This used to be commit ff06cc34e66a18ba71dd54f6c78b05a45b9f2d85) --- source3/libsmb/clilist.c | 196 +++++++++++++++++++++++++++++++---------------- 1 file changed, 132 insertions(+), 64 deletions(-) (limited to 'source3/libsmb') diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c index fd0c380409..64cb3e8fe3 100644 --- a/source3/libsmb/clilist.c +++ b/source3/libsmb/clilist.c @@ -1,18 +1,18 @@ -/* +/* Unix SMB/CIFS implementation. client directory list routines Copyright (C) Andrew Tridgell 1994-1998 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see . */ @@ -21,6 +21,22 @@ extern file_info def_finfo; +/**************************************************************************** + Calculate a safe next_entry_offset. +****************************************************************************/ + +static size_t calc_next_entry_offset(const char *base, const char *pdata_end) +{ + size_t next_entry_offset = (size_t)IVAL(base,0); + + if (next_entry_offset == 0 || + base + next_entry_offset < base || + base + next_entry_offset > pdata_end) { + next_entry_offset = pdata_end - base; + } + return next_entry_offset; +} + /**************************************************************************** Interpret a long filename structure - this is mostly guesses at the moment. The length of the structure is returned @@ -28,12 +44,19 @@ extern file_info def_finfo; by NT and 2 is used by OS/2 ****************************************************************************/ -static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,file_info *finfo, - uint32 *p_resume_key, DATA_BLOB *p_last_name_raw, uint32 *p_last_name_raw_len) +static size_t interpret_long_filename(struct cli_state *cli, + int level, + const char *p, + const char *pdata_end, + file_info *finfo, + uint32 *p_resume_key, + DATA_BLOB *p_last_name_raw) { file_info finfo2; int len; - char *base = p; + const char *base = p; + + data_blob_free(p_last_name_raw); if (!finfo) { finfo = &finfo2; @@ -49,6 +72,9 @@ static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,f case 1: /* OS/2 understands this */ /* these dates are converted to GMT by make_unix_date */ + if (pdata_end - base < 27) { + return pdata_end - base; + } finfo->ctime_ts = convert_time_t_to_timespec(cli_make_unix_date2(cli, p+4)); finfo->atime_ts = convert_time_t_to_timespec(cli_make_unix_date2(cli, p+8)); finfo->mtime_ts = convert_time_t_to_timespec(cli_make_unix_date2(cli, p+12)); @@ -57,19 +83,25 @@ static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,f len = CVAL(p, 26); p += 27; p += clistr_align_in(cli, p, 0); + if (p + len + 2 > pdata_end) { + return pdata_end - base; + } /* the len+2 below looks strange but it is important to cope with the differences between win2000 and win9x for this call (tridge) */ p += clistr_pull(cli, finfo->name, p, sizeof(finfo->name), - len+2, + len+2, STR_TERMINATE); return PTR_DIFF(p, base); case 2: /* this is what OS/2 uses mostly */ /* these dates are converted to GMT by make_unix_date */ + if (pdata_end - base < 31) { + return pdata_end - base; + } finfo->ctime_ts = convert_time_t_to_timespec(cli_make_unix_date2(cli, p+4)); finfo->atime_ts = convert_time_t_to_timespec(cli_make_unix_date2(cli, p+8)); finfo->mtime_ts = convert_time_t_to_timespec(cli_make_unix_date2(cli, p+12)); @@ -78,22 +110,30 @@ static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,f len = CVAL(p, 30); p += 31; /* check for unisys! */ + if (p + len + 1 > pdata_end) { + return pdata_end - base; + } p += clistr_pull(cli, finfo->name, p, sizeof(finfo->name), - len, + len, STR_NOALIGN); return PTR_DIFF(p, base) + 1; - + case 260: /* NT uses this, but also accepts 2 */ { size_t namelen, slen; + + if (pdata_end - base < 94) { + return pdata_end - base; + } + p += 4; /* next entry offset */ if (p_resume_key) { *p_resume_key = IVAL(p,0); } p += 4; /* fileindex */ - + /* Offset zero is "create time", not "change time". */ p += 8; finfo->atime_ts = interpret_long_date(p); @@ -111,7 +151,11 @@ static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,f p += 4; p += 4; /* EA size */ slen = SVAL(p, 0); - p += 2; + if (slen > 24) { + /* Bad short name length. */ + return pdata_end - base; + } + p += 2; { /* stupid NT bugs. grr */ int flags = 0; @@ -120,7 +164,10 @@ static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,f sizeof(finfo->short_name), slen, flags); } - p += 24; /* short name? */ + p += 24; /* short name? */ + if (p + namelen < p || p + namelen > pdata_end) { + return pdata_end - base; + } clistr_pull(cli, finfo->name, p, sizeof(finfo->name), namelen, 0); @@ -130,29 +177,24 @@ static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,f Namelen doesn't include the terminating unicode null, so copy it here. */ - if (p_last_name_raw && p_last_name_raw_len) { - if (namelen + 2 > p_last_name_raw->length) { - memset(p_last_name_raw->data, '\0', sizeof(p_last_name_raw->length)); - *p_last_name_raw_len = 0; - } else { - memcpy(p_last_name_raw->data, p, namelen); - SSVAL(p_last_name_raw->data, namelen, 0); - *p_last_name_raw_len = namelen + 2; - } + if (p_last_name_raw) { + *p_last_name_raw = data_blob(NULL, namelen+2); + memcpy(p_last_name_raw->data, p, namelen); + SSVAL(p_last_name_raw->data, namelen, 0); } - return (size_t)IVAL(base, 0); + return calc_next_entry_offset(base, pdata_end); } } - + DEBUG(1,("Unknown long filename format %d\n",level)); - return (size_t)IVAL(base,0); + return calc_next_entry_offset(base, pdata_end); } /**************************************************************************** Do a directory listing, calling fn on each file found. ****************************************************************************/ -int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute, +int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute, void (*fn)(const char *, file_info *, const char *, void *), void *state) { #if 1 @@ -161,8 +203,8 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute, int max_matches = 512; #endif int info_level; - char *p, *p2; - pstring mask; + char *p, *p2, *rdata_end; + char *mask = NULL; file_info finfo; int i; char *dirlist = NULL; @@ -174,19 +216,21 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute, int ff_dir_handle=0; int loop_count = 0; char *rparam=NULL, *rdata=NULL; - unsigned int param_len, data_len; + unsigned int param_len, data_len; uint16 setup; - pstring param; + char param[1024]; const char *mnt; uint32 resume_key = 0; - uint32 last_name_raw_len = 0; - DATA_BLOB last_name_raw = data_blob(NULL, 2*sizeof(pstring)); + DATA_BLOB last_name_raw = data_blob(NULL, 0); /* NT uses 260, OS/2 uses 2. Both accept 1. */ info_level = (cli->capabilities&CAP_NT_SMBS)?260:1; - - pstrcpy(mask,Mask); - + + mask = SMB_STRDUP(Mask); + if (!mask) { + return -1; + } + while (ff_eos == 0) { loop_count++; if (loop_count > 200) { @@ -199,16 +243,16 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute, SSVAL(param,0,attribute); /* attribute */ SSVAL(param,2,max_matches); /* max count */ SSVAL(param,4,(FLAG_TRANS2_FIND_REQUIRE_RESUME|FLAG_TRANS2_FIND_CLOSE_IF_END)); /* resume required + close on end */ - SSVAL(param,6,info_level); + SSVAL(param,6,info_level); SIVAL(param,8,0); p = param+12; - p += clistr_push(cli, param+12, mask, sizeof(param)-12, + p += clistr_push(cli, param+12, mask, sizeof(param)-12, STR_TERMINATE); } else { setup = TRANSACT2_FINDNEXT; SSVAL(param,0,ff_dir_handle); SSVAL(param,2,max_matches); /* max count */ - SSVAL(param,4,info_level); + SSVAL(param,4,info_level); /* For W2K servers serving out FAT filesystems we *must* set the resume key. If it's not FAT then it's returned as zero. */ SIVAL(param,6,resume_key); /* ff_resume_key */ @@ -216,9 +260,9 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute, can miss filenames. Use last filename continue instead. JRA */ SSVAL(param,10,(FLAG_TRANS2_FIND_REQUIRE_RESUME|FLAG_TRANS2_FIND_CLOSE_IF_END)); /* resume required + close on end */ p = param+12; - if (last_name_raw_len && (last_name_raw_len < (sizeof(param)-12))) { - memcpy(p, last_name_raw.data, last_name_raw_len); - p += last_name_raw_len; + if (last_name_raw.length && (last_name_raw.length < (sizeof(param)-12))) { + memcpy(p, last_name_raw.data, last_name_raw.length); + p += last_name_raw.length; } else { p += clistr_push(cli, param+12, mask, sizeof(param)-12, STR_TERMINATE); } @@ -226,12 +270,12 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute, param_len = PTR_DIFF(p, param); - if (!cli_send_trans(cli, SMBtrans2, + if (!cli_send_trans(cli, SMBtrans2, NULL, /* Name */ -1, 0, /* fid, flags */ &setup, 1, 0, /* setup, length, max */ param, param_len, 10, /* param, length, max */ - NULL, 0, + NULL, 0, #if 0 /* w2k value. */ MIN(16384,cli->max_xmit) /* data, length, max. */ @@ -242,7 +286,7 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute, break; } - if (!cli_receive_trans(cli, SMBtrans2, + if (!cli_receive_trans(cli, SMBtrans2, &rparam, ¶m_len, &rdata, &data_len) && cli_is_dos_error(cli)) { @@ -289,15 +333,21 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute, /* point to the data bytes */ p = rdata; + rdata_end = rdata + data_len; /* we might need the lastname for continuations */ - for (p2=p,i=0;i 0) { - pstrcpy(mask, finfo.name); + mask = SMB_STRDUP(finfo.name); } else { - pstrcpy(mask,""); + mask = SMB_STRDUP(""); + } + if (!mask) { + SAFE_FREE(rdata); + SAFE_FREE(rparam); + break; } /* grab the data for later use */ @@ -348,9 +404,15 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute, total_received = -1; } else { /* no connection problem. let user function add each entry */ + rdata_end = dirlist + dirlist_len; for (p=dirlist,i=0;icli = cli; finfo->mode = CVAL(p,21); - + /* this date is converted to GMT by make_unix_date */ finfo->ctime_ts.tv_sec = cli_make_unix_date(cli, p+22); finfo->ctime_ts.tv_nsec = 0; @@ -396,7 +459,7 @@ static int interpret_short_filename(struct cli_state *cli, char *p,file_info *fi but should otherwise not be used. ****************************************************************************/ -int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute, +int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute, void (*fn)(const char *, file_info *, const char *, void *), void *state) { char *p; @@ -407,12 +470,15 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute, int num_received = 0; int i; char *dirlist = NULL; - pstring mask; - + char *mask = NULL; + ZERO_ARRAY(status); - pstrcpy(mask,Mask); - + mask = SMB_STRDUP(Mask); + if (!mask) { + return -1; + } + while (1) { memset(cli->outbuf,'\0',smb_size); memset(cli->inbuf,'\0',smb_size); @@ -426,10 +492,10 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute, SSVAL(cli->outbuf,smb_vwv0,num_asked); SSVAL(cli->outbuf,smb_vwv1,attribute); - + p = smb_buf(cli->outbuf); *p++ = 4; - + p += clistr_push(cli, p, first?mask:"", -1, STR_TERMINATE); *p++ = 5; if (first) { @@ -455,6 +521,7 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute, dirlist,(num_received + received)*DIR_STRUCT_SIZE); if (!dirlist) { DEBUG(0,("cli_list_old: failed to expand dirlist")); + SAFE_FREE(mask); return 0; } @@ -462,11 +529,11 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute, memcpy(dirlist+num_received*DIR_STRUCT_SIZE, p,received*DIR_STRUCT_SIZE); - + memcpy(status,p + ((received-1)*DIR_STRUCT_SIZE),21); - + num_received += received; - + if (cli_is_error(cli)) break; } @@ -491,7 +558,7 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute, p += 2; memcpy(p,status,21); p += 21; - + cli_setup_bcc(cli, p); cli_send_smb(cli); if (!cli_receive_smb(cli)) { @@ -505,6 +572,7 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute, fn("\\", &finfo, Mask, state); } + SAFE_FREE(mask); SAFE_FREE(dirlist); return(num_received); } @@ -514,7 +582,7 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute, This auto-switches between old and new style. ****************************************************************************/ -int cli_list(struct cli_state *cli,const char *Mask,uint16 attribute, +int cli_list(struct cli_state *cli,const char *Mask,uint16 attribute, void (*fn)(const char *, file_info *, const char *, void *), void *state) { if (cli->protocol <= PROTOCOL_LANMAN1) -- cgit