From 50e9b88dff56e70ad03eb104cb151fe21112b984 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 18 Mar 2003 11:56:56 +0000 Subject: NMBD string parinoia and memcpy() parinoia fixes from HEAD. Andrew Bartlett (This used to be commit fb29caddd987f94989f852584b912eeee45b50da) --- source3/nmbd/nmbd_become_lmb.c | 6 +++--- source3/nmbd/nmbd_browsesync.c | 4 ++-- source3/nmbd/nmbd_packets.c | 15 ++++++++++----- 3 files changed, 15 insertions(+), 10 deletions(-) (limited to 'source3/nmbd') diff --git a/source3/nmbd/nmbd_become_lmb.c b/source3/nmbd/nmbd_become_lmb.c index bac5589566..6f8e7efb1a 100644 --- a/source3/nmbd/nmbd_become_lmb.c +++ b/source3/nmbd/nmbd_become_lmb.c @@ -207,7 +207,7 @@ static void release_1d_name( struct subnet_record *subrec, char *workgroup_name, if((namerec = find_name_on_subnet( subrec, &nmbname, FIND_SELF_NAME))!=NULL) { struct userdata_struct *userdata; - int size = sizeof(struct userdata_struct) + sizeof(BOOL); + size_t size = sizeof(struct userdata_struct) + sizeof(BOOL); if((userdata = (struct userdata_struct *)malloc(size)) == NULL) { @@ -518,7 +518,7 @@ workgroup %s on subnet %s. Couldn't register name %s.\n", void become_local_master_browser(struct subnet_record *subrec, struct work_record *work) { struct userdata_struct *userdata; - int size = sizeof(struct userdata_struct) + sizeof(fstring) + 1; + size_t size = sizeof(struct userdata_struct) + sizeof(fstring) + 1; /* Sanity check. */ if (!lp_local_master()) @@ -563,7 +563,7 @@ in workgroup %s on subnet %s\n", userdata->copy_fn = NULL; userdata->free_fn = NULL; userdata->userdata_len = strlen(work->work_group)+1; - fstrcpy(userdata->data, work->work_group); + overmalloc_safe_strcpy(userdata->data, work->work_group, size - sizeof(*userdata) - 1); /* Register the special browser group name. */ register_name(subrec, MSBROWSE, 0x01, samba_nb_type|NB_GROUP, diff --git a/source3/nmbd/nmbd_browsesync.c b/source3/nmbd/nmbd_browsesync.c index c363ed0d34..b9082ee1c3 100644 --- a/source3/nmbd/nmbd_browsesync.c +++ b/source3/nmbd/nmbd_browsesync.c @@ -288,7 +288,7 @@ static void find_domain_master_name_query_success(struct subnet_record *subrec, struct work_record *work; struct nmb_name nmbname; struct userdata_struct *userdata; - int size = sizeof(struct userdata_struct) + sizeof(fstring)+1; + size_t size = sizeof(struct userdata_struct) + sizeof(fstring)+1; if( !(work = find_workgroup_on_subnet(subrec, q_name->name)) ) { @@ -333,7 +333,7 @@ static void find_domain_master_name_query_success(struct subnet_record *subrec, userdata->copy_fn = NULL; userdata->free_fn = NULL; userdata->userdata_len = strlen(work->work_group)+1; - fstrcpy(userdata->data, work->work_group); + overmalloc_safe_strcpy(userdata->data, work->work_group, size - sizeof(*userdata) - 1); node_status( subrec, &nmbname, answer_ip, domain_master_node_status_success, diff --git a/source3/nmbd/nmbd_packets.c b/source3/nmbd/nmbd_packets.c index d83cd10d0c..6c3446d6c8 100644 --- a/source3/nmbd/nmbd_packets.c +++ b/source3/nmbd/nmbd_packets.c @@ -1929,7 +1929,7 @@ BOOL listen_for_packets(BOOL run_election) /**************************************************************************** Construct and send a netbios DGRAM. **************************************************************************/ -BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf,int len, +BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf, size_t len, const char *srcname, int src_type, const char *dstname, int dest_type, struct in_addr dest_ip,struct in_addr src_ip, @@ -1979,11 +1979,16 @@ BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf,int len, SSVAL(ptr,smb_vwv15,1); SSVAL(ptr,smb_vwv16,2); p2 = smb_buf(ptr); - pstrcpy(p2,mailslot); + safe_strcpy_base(p2, mailslot, dgram->data, sizeof(dgram->data)); p2 = skip_string(p2,1); - - memcpy(p2,buf,len); - p2 += len; + + if (((p2+len) > dgram->data+sizeof(dgram->data)) || ((p2+len) < p2)) { + DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n")); + return False; + } else { + memcpy(p2,buf,len); + p2 += len; + } dgram->datasize = PTR_DIFF(p2,ptr+4); /* +4 for tcp length. */ -- cgit