[Samba] (samba ~ shlight): negprot protocols not 0-terminated

Volker Lendecke Volker.Lendecke at SerNet.DE
Sun Nov 29 05:26:43 MST 2009


On Sun, Nov 29, 2009 at 01:22:08PM +0100, Volker Lendecke wrote:
> I've also attached a (completely untested) patch to Sharity
> light. Maybe you want to give that also a test and try to
> get that through the Sharity people and/or the OpenBSD
> package process.

For reference, mailman has killed the attachments:

From dacb0472270ac85c436f64a52ef8cb1bfcc8ee48 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sun, 29 Nov 2009 13:18:54 +0100
Subject: [PATCH] Correct the netbios header length calculation

The indicated netbios session packet header does not include the length itself.
---
 proc.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/proc.c b/proc.c
index 399ca9d..291ace0 100644
--- a/proc.c
+++ b/proc.c
@@ -489,7 +489,7 @@ smb_setup_header(struct smb_server *server, byte command, word wct, word bcc)
         byte *p = server->packet;
         byte *buf = server->packet;
 
-        p = smb_encode_smb_length(p, xmit_len);
+        p = smb_encode_smb_length(p, xmit_len - 4);
 
         BSET(p,0,0xff);
         BSET(p,1,'S');
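
Review bot: In smb_encode_smb_length(p, xmit_len - 4) the bare 4 is an unexplained magic number, and nothing in this hunk shows that xmit_len is always at least 4. Please name the constant (the size of the NetBIOS session header that the length field excludes) and add a one-line comment, and confirm from the code that computes xmit_len that it already counts those 4 bytes. If it can ever be smaller, the subtraction goes negative or wraps and a bogus length is put on the wire.
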
@@ -1728,7 +1728,7 @@ smb_proc_reconnect(struct smb_server *server)
         p = smb_name_mangle(p, server->m.client_name);
         
         smb_encode_smb_length(server->packet,
-                              (byte *)p - (byte *)(server->packet));
+                              (byte *)p - (byte *)(server->packet) - 4);
         
         server->packet[0] = 0x81; /* SESSION REQUEST */
 
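Review bot: The same literal 4 is subtracted again in smb_proc_reconnect, from (byte *)p - (byte *)(server->packet), so the header-size adjustment now lives in two call sites that have to stay in sync. Consider moving the subtraction into smb_encode_smb_length itself, or into a shared macro used by both callers, so the caller always passes the total packet size. Since the cover mail calls this patch completely untested, the session request path needs an explicit test against a server before this is merged.
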
-- 
1.6.0.4



From 10534d50cda9944ac5e0e5b15204b2f6ccd88d4f Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sun, 29 Nov 2009 13:00:55 +0100
Subject: [PATCH] s3: In negprot, check for 0-termination via bcc, not smb packet length

---
 source/smbd/negprot.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/source/smbd/negprot.c b/source/smbd/negprot.c
index 9f56949..8b8f891 100644
--- a/source/smbd/negprot.c
+++ b/source/smbd/negprot.c
@@ -507,7 +507,7 @@ static const struct {
 
 void reply_negprot(struct smb_request *req)
 {
-	size_t size = smb_len(req->inbuf) + 4;
+	size_t size = smb_buflen(req->inbuf);
 	int choice= -1;
 	int protocol;
 	char *p;
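
Review bot: With size_t size = smb_buflen(req->inbuf) the variable size now holds the byte count (bcc) taken from the request rather than the packet length, but the termination check that uses it is outside this hunk. Please confirm that the check indexes from the start of the byte buffer and not from the start of inbuf, and that bcc has already been validated against the received packet length before reply_negprot runs, since otherwise the check can look past the data that actually arrived. Renaming the variable to something like bcc or buflen and adding a body to the commit message that explains why the packet length was the wrong bound would make the intent clear.
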
-- 
1.6.0.4
