From 261c004d7bf85de945a1a3956c1d8f15075bc224 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Fri, 30 Mar 2007 22:25:08 +0000
Subject: r22014: Make us pass RANDOMIPC test again :-(. This is an ugly check-in, but I've no option. Jeremy. (This used to be commit c3a565081d70b209a4f9e6e8f1859bf7194a5f74)
---
 source3/nmbd/nmbd_browsesync.c | 2 +-
 source3/nmbd/nmbd_elections.c | 2 +-
 source3/nmbd/nmbd_incomingdgrams.c | 18 ++++++++++++------
 source3/nmbd/nmbd_packets.c | 6 +++---
 source3/nmbd/nmbd_processlogon.c | 38 +++++++++++++++++++-------------------
 source3/nmbd/nmbd_sendannounce.c | 2 +-
 6 files changed, 37 insertions(+), 31 deletions(-)
(limited to 'source3/nmbd')
diff --git a/source3/nmbd/nmbd_browsesync.c b/source3/nmbd/nmbd_browsesync.c
index 9535a3115a..ddb223de9f 100644
--- a/source3/nmbd/nmbd_browsesync.c
+++ b/source3/nmbd/nmbd_browsesync.c
@@ -125,7 +125,7 @@ static void announce_local_master_browser_to_domain_master_browser( struct work_
 /* The call below does CH_UNIX -> CH_DOS conversion. JRA */
 push_pstring_base(p, myname, outbuf);
- p = skip_string(p,1);
+ p = skip_string(outbuf,sizeof(outbuf),p,1);
 if( DEBUGLVL( 4 ) ) {
 dbgtext( "announce_local_master_browser_to_domain_master_browser:\n" );
diff --git a/source3/nmbd/nmbd_elections.c b/source3/nmbd/nmbd_elections.c
index 3aadd70b83..fbdb6c4524 100644
--- a/source3/nmbd/nmbd_elections.c
+++ b/source3/nmbd/nmbd_elections.c
@@ -53,7 +53,7 @@ static void send_election_dgram(struct subnet_record *subrec, const char *workgr
 strupper_m(srv_name);
 /* The following call does UNIX -> DOS charset conversion. */
 pstrcpy_base(p, srv_name, outbuf);
- p = skip_string(p,1);
+ p = skip_string(outbuf,sizeof(outbuf),p,1);
 send_mailslot(False, BROWSE_MAILSLOT, outbuf, PTR_DIFF(p,outbuf),
 global_myname(), 0,
diff --git a/source3/nmbd/nmbd_incomingdgrams.c b/source3/nmbd/nmbd_incomingdgrams.c
index 880700c72c..616b5df9db 100644
--- a/source3/nmbd/nmbd_incomingdgrams.c
+++ b/source3/nmbd/nmbd_incomingdgrams.c
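Review bot: The outbuf-bounded `skip_string` calls in this commit never test for a NULL return, while every buf-bounded call in nmbd_processlogon.c now does; here in announce_local_master_browser_to_domain_master_browser the result `p` is presumably used after the DEBUG block, and in send_election_dgram (nmbd_elections.c) it goes straight into `PTR_DIFF(p,outbuf)` as the length handed to send_mailslot. The new skip_string's contract is not on the page, but if it returns NULL on overrun as the `!user`/`!getdc`/`!q` checks assume, a NULL `p` becomes a bogus length or a write through NULL instead of a rejected packet. The same gap is in both send_backup_list_response hunks, in send_mailslot (nmbd_packets.c, where `p2+len` is then computed), in the two outbuf hunks of nmbd_processlogon.c (`SSVAL(q, 0, token)` follows immediately), and in nmbd_sendannounce.c. Adding `if (!p) { return; }` after each assignment (`return False;` in send_mailslot) would make the outbuf side as strict as the buf side; the enclosing functions all start and end outside their hunks.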
@@ -416,7 +416,7 @@ done:
 Process an incoming LanMan host announcement packet.
 *******************************************************************/
-void process_lm_host_announce(struct subnet_record *subrec, struct packet_struct *p, char *buf)
+void process_lm_host_announce(struct subnet_record *subrec, struct packet_struct *p, char *buf, int len)
 {
 struct dgram_packet *dgram = &p->packet.dgram;
 uint32 servertype = IVAL(buf,1);
@@ -429,10 +429,16 @@ void process_lm_host_announce(struct subnet_record *subrec, struct packet_struct
 unstring work_name;
 unstring source_name;
 fstring comment;
- char *s = buf+9;
+ char *s = get_safe_offset(buf,len,buf,9);
+ if (!s) {
+ return;
+ }
 START_PROFILE(lm_host_announce);
- s = skip_string(s,1);
+ s = skip_string(buf,len,s,1);
+ if (!s) {
+ return;
+ }
 pull_ascii(comment, s, sizeof(fstring), 43, STR_TERMINATE);
 pull_ascii_nstring(announce_name,sizeof(announce_name),buf+9);
@@ -568,7 +574,7 @@ static void send_backup_list_response(struct subnet_record *subrec,
 myname[15]='\0';
 push_pstring_base(p, myname, outbuf);
- p = skip_string(p,1);
+ p = skip_string(outbuf,sizeof(outbuf),p,1);
 /* Look for backup browsers in this workgroup. */
@@ -604,7 +610,7 @@ static void send_backup_list_response(struct subnet_record *subrec,
 DEBUG(5,("send_backup_list_response: Adding server %s number %d\n", p, count));
- p = skip_string(p,1);
+ p = skip_string(outbuf,sizeof(outbuf),p,1);
 }
 #endif
@@ -809,7 +815,7 @@ done:
 through the "lm announce" parameter in smb.conf)
 ******************************************************************/
-void process_lm_announce_request(struct subnet_record *subrec, struct packet_struct *p, char *buf)
+void process_lm_announce_request(struct subnet_record *subrec, struct packet_struct *p, char *buf, int len)
 {
 struct dgram_packet *dgram = &p->packet.dgram;
 unstring workgroup_name;
diff --git a/source3/nmbd/nmbd_packets.c b/source3/nmbd/nmbd_packets.c
index 89362392fe..5ec6be1307 100644
--- a/source3/nmbd/nmbd_packets.c
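Review bot: In process_lm_host_announce the initializer `uint32 servertype = IVAL(buf,1);` still reads bytes 1-4 of buf before the new `get_safe_offset(buf,len,buf,9)` guard runs, so the added `len` does not cover that read (process_lanman_packet can pass a len of 0). Declaring it as `uint32 servertype;` and assigning `servertype = IVAL(buf,1);` after the `if (!s)` guard closes that window. The `pull_ascii(comment, s, sizeof(fstring), 43, STR_TERMINATE)` and `pull_ascii_nstring(..., buf+9)` reads are likewise never compared with `len`; unless pull_ascii is bounded in a way not visible here, a datagram shorter than 43 bytes past s is still over-read, so the source length should be capped at `len - PTR_DIFF(s,buf)`. process_lm_announce_request gains `len` but the hunk shows no use of it; its body continues outside the hunk.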
+++ b/source3/nmbd/nmbd_packets.c
@@ -1153,10 +1153,10 @@ mismatch with our scope (%s).\n", inet_ntoa(p->ip), scope, global_scope()));
 switch (command) {
 case ANN_HostAnnouncement:
 debug_browse_data(buf, len);
- process_lm_host_announce(subrec, p, buf+1);
+ process_lm_host_announce(subrec, p, buf+1, len > 1 ? len-1 : 0);
 break;
 case ANN_AnnouncementRequest:
- process_lm_announce_request(subrec, p, buf+1);
+ process_lm_announce_request(subrec, p, buf+1, len > 1 ? len-1 : 0);
 break;
 default:
 DEBUG(0,("process_lanman_packet: On subnet %s ignoring browse packet \
@@ -1899,7 +1899,7 @@ BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf, size_t len,
 SSVAL(ptr,smb_vwv16,2);
 p2 = smb_buf(ptr);
 safe_strcpy_base(p2, mailslot, dgram->data, sizeof(dgram->data));
- p2 = skip_string(p2,1);
+ p2 = skip_string(ptr,MAX_DGRAM_SIZE,p2,1);
 if (((p2+len) > dgram->data+sizeof(dgram->data)) || ((p2+len) < p2)) {
 DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n"));
diff --git a/source3/nmbd/nmbd_processlogon.c b/source3/nmbd/nmbd_processlogon.c
index 232f430b66..6b10d61267 100644
--- a/source3/nmbd/nmbd_processlogon.c
+++ b/source3/nmbd/nmbd_processlogon.c
@@ -91,7 +91,7 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
 pstrcpy(my_name, global_myname());
- code = SVAL(buf,0);
+ code = get_safe_offset(buf,len,buf,2) ? SVAL(buf,0) : -1;
 DEBUG(4,("process_logon_packet: Logon from %s: code = 0x%x\n", inet_ntoa(p->ip), code));
 switch (code) {
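Review bot: In send_mailslot the new skip_string bound is `ptr` with `MAX_DGRAM_SIZE`, while the safe_strcpy_base just above and the overflow test just below are both bounded by `dgram->data` and `sizeof(dgram->data)`; if `ptr` is not `dgram->data`, or MAX_DGRAM_SIZE is not that array's size, the skip is checked against a different buffer than the copy it follows. Using the same bound keeps the three checks consistent: `p2 = skip_string(dgram->data,sizeof(dgram->data),p2,1);`. Note also that the `(p2+len) < p2` test cannot catch a NULL p2, because it computes `p2+len` first (undefined for a null pointer). send_mailslot starts and ends outside the hunk.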
@@ -100,21 +100,21 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
 fstring mach_str, user_str, getdc_str;
 char *q = buf + 2;
 char *machine = q;
- char *user = skip_string(machine,1);
+ char *user = skip_string(buf,len,machine,1);
- if (PTR_DIFF(user, buf) >= len) {
+ if (!user || PTR_DIFF(user, buf) >= len) {
 DEBUG(0,("process_logon_packet: bad packet\n"));
 return;
 }
- getdc = skip_string(user,1);
+ getdc = skip_string(buf,len,user,1);
- if (PTR_DIFF(getdc, buf) >= len) {
+ if (!getdc || PTR_DIFF(getdc, buf) >= len) {
 DEBUG(0,("process_logon_packet: bad packet\n"));
 return;
 }
- q = skip_string(getdc,1);
+ q = skip_string(buf,len,getdc,1);
- if (PTR_DIFF(q + 5, buf) > len) {
+ if (!q || PTR_DIFF(q + 5, buf) > len) {
 DEBUG(0,("process_logon_packet: bad packet\n"));
 return;
 }
@@ -136,7 +136,7 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
 fstrcpy(reply_name, "\\\\");
 fstrcat(reply_name, my_name);
 push_ascii_fstring(q, reply_name);
- q = skip_string(q, 1); /* PDC name */
+ q = skip_string(outbuf,sizeof(outbuf),q, 1); /* PDC name */
 SSVAL(q, 0, token);
 q += 2;
@@ -164,15 +164,15 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
 return;
 }
- getdc = skip_string(machine,1);
+ getdc = skip_string(buf,len,machine,1);
- if (PTR_DIFF(getdc, buf) >= len) {
+ if (!getdc || PTR_DIFF(getdc, buf) >= len) {
 DEBUG(0,("process_logon_packet: bad packet\n"));
 return;
 }
- q = skip_string(getdc,1);
+ q = skip_string(buf,len,getdc,1);
- if (PTR_DIFF(q, buf) >= len) {
+ if (!q || PTR_DIFF(q, buf) >= len) {
 DEBUG(0,("process_logon_packet: bad packet\n"));
 return;
 }
@@ -232,7 +232,7 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
 fstrcpy(reply_name,my_name);
 push_ascii_fstring(q, reply_name);
- q = skip_string(q, 1); /* PDC name */
+ q = skip_string(outbuf,sizeof(outbuf),q, 1); /* PDC name */
 /* PDC and domain name */
 if (!short_request) {
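Review bot: Every rejection path in process_logon_packet logs the identical `process_logon_packet: bad packet` (the -100 and -164 hunks here, and -301 and -540 further down), so an operator seeing the message cannot tell which field overran or which peer sent the datagram. `inet_ntoa(p->ip)` is already used in this function (it appears in the hunk header context), so a per-site message such as `DEBUG(0,("process_logon_packet: bad packet from %s (user name)\n", inet_ntoa(p->ip)));` makes a stream of malformed logon requests attributable without changing behaviour. process_logon_packet starts and ends outside these hunks.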
@@ -301,9 +301,9 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
 return;
 }
- q = skip_string(getdc,1);
+ q = skip_string(buf,len,getdc,1);
- if (PTR_DIFF(q + 8, buf) >= len) {
+ if (!q || PTR_DIFF(q + 8, buf) >= len) {
 DEBUG(0,("process_logon_packet: bad packet\n"));
 return;
 }
@@ -540,16 +540,16 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
 /* Domain info */
- q = skip_string(q, 1); /* PDC name */
+ q = skip_string(buf,len,q, 1); /* PDC name */
- if (PTR_DIFF(q, buf) >= len) {
+ if (!q || PTR_DIFF(q, buf) >= len) {
 DEBUG(0,("process_logon_packet: bad packet\n"));
 return;
 }
- q = skip_string(q, 1); /* Domain name */
+ q = skip_string(buf,len,q, 1); /* Domain name */
- if (PTR_DIFF(q, buf) >= len) {
+ if (!q || PTR_DIFF(q, buf) >= len) {
 DEBUG(0,("process_logon_packet: bad packet\n"));
 return;
 }
diff --git a/source3/nmbd/nmbd_sendannounce.c b/source3/nmbd/nmbd_sendannounce.c
index 7fcedc557e..0cd481649d 100644
--- a/source3/nmbd/nmbd_sendannounce.c
+++ b/source3/nmbd/nmbd_sendannounce.c
@@ -566,7 +566,7 @@ for workgroup %s on subnet %s.\n", lp_workgroup(), FIRST_SUBNET->subnet_name ));
 myname[15]='\0';
 push_pstring_base(p, myname, outbuf);
- p = skip_string(p,1);
+ p = skip_string(outbuf,sizeof(outbuf),p,1);
 for (ptr=s; next_token(&ptr,s2,NULL,sizeof(s2)); ) {
 /* The entries are of the form a.b.c.d */
-- cgit
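Review bot: The guard `!q || PTR_DIFF(q + 8, buf) >= len` in the -301 hunk rejects a datagram whose trailing 8 bytes end exactly at `buf+len`, whereas the analogous guard earlier in the same function uses `PTR_DIFF(q + 5, buf) > len` and accepts the exact-fit case; one of the two is off by one for the number of bytes actually read at q, which is not visible here. If the code after this check reads exactly 8 bytes at q, `if (!q || PTR_DIFF(q + 8, buf) > len) {` is the matching form; if it reads more, the constant rather than the comparison is what should change. process_logon_packet starts and ends outside the hunk.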