From 17fc19fe31c949a3cf6a95460eb6b4be5a147743 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 20 Jul 2002 10:07:47 +0000 Subject: Update the smbd reply code a little: I don't like the idea of muliple netprots - becouse I see potential problems with people being able to maniplate internal samba variables. This applies in particular to remote names, so don't allow muliple session requests either. Also remove a pstrcpy() from the tcon code, we really don't need it. Andrew Bartlett (This used to be commit 2afa291404cfd8dae11120e5e470c38ba067c4b2) --- source3/smbd/negprot.c | 9 +++++++++ source3/smbd/reply.c | 21 ++++++++++++++++----- 2 files changed, 25 insertions(+), 5 deletions(-) (limited to 'source3/smbd') diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c index 81c2427a00..abe44aac8c 100644 --- a/source3/smbd/negprot.c +++ b/source3/smbd/negprot.c @@ -412,8 +412,17 @@ int reply_negprot(connection_struct *conn, char *p; int bcc = SVAL(smb_buf(inbuf),-2); int arch = ARCH_ALL; + + static BOOL done_negprot = False; + START_PROFILE(SMBnegprot); + if (done_negprot) { + END_PROFILE(SMBnegprot); + exit_server("multiple negprot's are not permitted"); + } + done_negprot = True; + p = smb_buf(inbuf)+1; while (p < (smb_buf(inbuf) + bcc)) { Index++; diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 8f666910a5..813b9f39f8 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -57,6 +57,8 @@ int reply_special(char *inbuf,char *outbuf) int len; char name_type = 0; + static BOOL already_got_session = False; + *name1 = *name2 = 0; memset(outbuf,'\0',smb_size); @@ -65,6 +67,11 @@ int reply_special(char *inbuf,char *outbuf) switch (msg_type) { case 0x81: /* session request */ + + if (already_got_session) { + exit_server("multiple session request not permitted"); + } + SCVAL(outbuf,0,0x82); SCVAL(outbuf,3,0); if (name_len(inbuf+4) > 50 || @@ -115,6 +122,7 @@ int reply_special(char *inbuf,char *outbuf) claim_connection(NULL,"",MAXSTATUS,True); + already_got_session = True; break; case 0x89: /* session keepalive request @@ -148,7 +156,8 @@ int reply_special(char *inbuf,char *outbuf) int reply_tcon(connection_struct *conn, char *inbuf,char *outbuf, int dum_size, int dum_buffsize) { - pstring service; + char *service; + pstring service_buf; pstring password; pstring dev; int outsize = 0; @@ -160,17 +169,19 @@ int reply_tcon(connection_struct *conn, START_PROFILE(SMBtcon); - *service = *password = *dev = 0; + *service_buf = *password = *dev = 0; p = smb_buf(inbuf)+1; - p += srvstr_pull_buf(inbuf, service, p, sizeof(service), STR_TERMINATE) + 1; + p += srvstr_pull_buf(inbuf, service_buf, p, sizeof(service), STR_TERMINATE) + 1; pwlen = srvstr_pull_buf(inbuf, password, p, sizeof(password), STR_TERMINATE) + 1; p += pwlen; p += srvstr_pull_buf(inbuf, dev, p, sizeof(dev), STR_TERMINATE) + 1; - p = strrchr_m(service,'\\'); + p = strrchr_m(service_buf,'\\'); if (p) { - pstrcpy(service, p+1); + service = p+1; + } else { + service = service_buf; } password_blob = data_blob(password, pwlen+1); -- cgit