From 3a836c3ee44e9abc5b5028bf6286628981bf0f99 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 23 Jul 2007 14:36:54 +0000 Subject: r24006: Some more paranoia in reply_negprot Some hosts see the smb_bufrem(req->inbuf, p) as an unsigned int. And as the p += strlen(p) + 2 went one beyond the buffer, this was a very large positive. Also take the chance to add one more consistency check. (This used to be commit 3673707f9f1a3ba29966ac7cf744e2b6462c8dde) --- source3/smbd/negprot.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'source3/smbd/negprot.c') diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c index 61be2e8f9a..7602490c2d 100644 --- a/source3/smbd/negprot.c +++ b/source3/smbd/negprot.c @@ -533,7 +533,7 @@ void reply_negprot(connection_struct *conn, struct smb_request *req) return; } - p = smb_buf(req->inbuf)+1; + p = smb_buf(req->inbuf); num_cliprotos = 0; cliprotos = NULL; @@ -541,6 +541,16 @@ void reply_negprot(connection_struct *conn, struct smb_request *req) while (smb_bufrem(req->inbuf, p) > 0) { char **tmp; + if (p[0] != 0x02) { + DEBUG(3, ("Invalid string specifier %x, expected " + "0x02\n", (int)p[0])); + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBnegprot); + return; + } + + p += 1; /* Skip the "0x02" */ + tmp = TALLOC_REALLOC_ARRAY(tmp_talloc_ctx(), cliprotos, char *, num_cliprotos+1); if (tmp == NULL) { @@ -566,7 +576,7 @@ void reply_negprot(connection_struct *conn, struct smb_request *req) cliprotos[num_cliprotos])); num_cliprotos += 1; - p += strlen(p) + 2; + p += strlen(p) + 1; } for (i=0; i
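Review bot: After the added `p += 1; /* Skip the "0x02" */` in the second hunk, the dialect name is still consumed by an unbounded `strlen(p)` (the `p += strlen(p) + 1;` in the third hunk), while the only remaining-length check is the `smb_bufrem(req->inbuf, p) > 0` at the loop head, evaluated before the 0x02 byte is skipped; a request whose last dialect has no NUL terminator inside the buffer would therefore read past it unless inbuf is guaranteed a trailing NUL, which these hunks do not show. A bounded check right after the skip closes that gap: `if (memchr(p, 0, smb_bufrem(req->inbuf, p)) == NULL) {` followed by the same DEBUG/reply_nterror/END_PROFILE/return sequence the new 0x02 check uses, which also rejects the case where the 0x02 was the final byte (remaining length 0). Separately, `(int)p[0]` with `%x` prints a sign-extended value for bytes >= 0x80 where char is signed; `(unsigned char)p[0]` is the usual form for the DEBUG line. reply_negprot starts before the first hunk and ends after the third, so the loop body and the use of cliprotos are only partly visible here.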