svn commit: samba r21478 - in branches: SAMBA_3_0/source/smbd
SAMBA_3_0_25/source/smbd
jra at samba.org
jra at samba.org
Tue Feb 20 23:56:47 GMT 2007
Author: jra
Date: 2007-02-20 23:56:46 +0000 (Tue, 20 Feb 2007)
New Revision: 21478
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=21478
Log:
Add 65k length limit for split SPNEGO blobs.
Jeremy
Modified:
branches/SAMBA_3_0/source/smbd/sesssetup.c
branches/SAMBA_3_0_25/source/smbd/sesssetup.c
Changeset:
Modified: branches/SAMBA_3_0/source/smbd/sesssetup.c
===================================================================
--- branches/SAMBA_3_0/source/smbd/sesssetup.c 2007-02-20 23:19:46 UTC (rev 21477)
+++ branches/SAMBA_3_0/source/smbd/sesssetup.c 2007-02-20 23:56:46 UTC (rev 21478)
@@ -693,7 +693,7 @@
/****************************************************************************
Check the size of an SPNEGO blob. If we need more return NT_STATUS_MORE_PROCESSING_REQUIRED,
- else return NT_STATUS_OK.
+ else return NT_STATUS_OK. Don't allow the blob to be more than 64k.
****************************************************************************/
static NTSTATUS check_spnego_blob_complete(uint16 smbpid, uint16 vuid, DATA_BLOB *pblob)
@@ -715,17 +715,18 @@
/* Were we waiting for more data ? */
if (pad) {
DATA_BLOB tmp_blob;
+ size_t copy_len = MIN(65536, pblob->length);
/* Integer wrap paranoia.... */
- if (pad->partial_data.length + pblob->length < pad->partial_data.length ||
- pad->partial_data.length + pblob->length < pblob->length) {
+ if (pad->partial_data.length + copy_len < pad->partial_data.length ||
+ pad->partial_data.length + copy_len < copy_len) {
DEBUG(2,("check_spnego_blob_complete: integer wrap "
"pad->partial_data.length = %u, "
- "pblob->length = %u\n",
+ "copy_len = %u\n",
(unsigned int)pad->partial_data.length,
- (unsigned int)pblob->length ));
+ (unsigned int)copy_len ));
delete_partial_auth(pad);
return NT_STATUS_INVALID_PARAMETER;
@@ -734,21 +735,23 @@
DEBUG(10,("check_spnego_blob_complete: "
"pad->partial_data.length = %u, "
"pad->needed_len = %u, "
+ "copy_len = %u, "
"pblob->length = %u,\n",
(unsigned int)pad->partial_data.length,
(unsigned int)pad->needed_len,
+ (unsigned int)copy_len,
(unsigned int)pblob->length ));
tmp_blob = data_blob(NULL,
- pad->partial_data.length + pblob->length);
+ pad->partial_data.length + copy_len);
- /* Concatenate the two. */
+ /* Concatenate the two (up to copy_len) bytes. */
memcpy(tmp_blob.data,
pad->partial_data.data,
pad->partial_data.length);
memcpy(tmp_blob.data + pad->partial_data.length,
pblob->data,
- pblob->length);
+ copy_len);
/* Replace the partial data. */
data_blob_free(&pad->partial_data);
@@ -766,7 +769,7 @@
}
/* Still need more data. */
- pad->needed_len -= pblob->length;
+ pad->needed_len -= copy_len;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
@@ -821,6 +824,13 @@
return NT_STATUS_OK;
}
+ /* Refuse the blob if it's bigger than 64k. */
+ if (needed_len > 65536) {
+ DEBUG(2,("check_spnego_blob_complete: needed_len too large (%u)\n",
+ (unsigned int)needed_len ));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
/* We must store this blob until complete. */
pad = SMB_MALLOC(sizeof(struct pending_auth_data));
if (!pad) {
Modified: branches/SAMBA_3_0_25/source/smbd/sesssetup.c
===================================================================
--- branches/SAMBA_3_0_25/source/smbd/sesssetup.c 2007-02-20 23:19:46 UTC (rev 21477)
+++ branches/SAMBA_3_0_25/source/smbd/sesssetup.c 2007-02-20 23:56:46 UTC (rev 21478)
@@ -693,7 +693,7 @@
/****************************************************************************
Check the size of an SPNEGO blob. If we need more return NT_STATUS_MORE_PROCESSING_REQUIRED,
- else return NT_STATUS_OK.
+ else return NT_STATUS_OK. Don't allow the blob to be more than 64k.
****************************************************************************/
static NTSTATUS check_spnego_blob_complete(uint16 smbpid, uint16 vuid, DATA_BLOB *pblob)
@@ -715,17 +715,18 @@
/* Were we waiting for more data ? */
if (pad) {
DATA_BLOB tmp_blob;
+ size_t copy_len = MIN(65536, pblob->length);
/* Integer wrap paranoia.... */
- if (pad->partial_data.length + pblob->length < pad->partial_data.length ||
- pad->partial_data.length + pblob->length < pblob->length) {
+ if (pad->partial_data.length + copy_len < pad->partial_data.length ||
+ pad->partial_data.length + copy_len < copy_len) {
DEBUG(2,("check_spnego_blob_complete: integer wrap "
"pad->partial_data.length = %u, "
- "pblob->length = %u\n",
+ "copy_len = %u\n",
(unsigned int)pad->partial_data.length,
- (unsigned int)pblob->length ));
+ (unsigned int)copy_len ));
delete_partial_auth(pad);
return NT_STATUS_INVALID_PARAMETER;
@@ -734,21 +735,23 @@
DEBUG(10,("check_spnego_blob_complete: "
"pad->partial_data.length = %u, "
"pad->needed_len = %u, "
+ "copy_len = %u, "
"pblob->length = %u,\n",
(unsigned int)pad->partial_data.length,
(unsigned int)pad->needed_len,
+ (unsigned int)copy_len,
(unsigned int)pblob->length ));
tmp_blob = data_blob(NULL,
- pad->partial_data.length + pblob->length);
+ pad->partial_data.length + copy_len);
- /* Concatenate the two. */
+ /* Concatenate the two (up to copy_len) bytes. */
memcpy(tmp_blob.data,
pad->partial_data.data,
pad->partial_data.length);
memcpy(tmp_blob.data + pad->partial_data.length,
pblob->data,
- pblob->length);
+ copy_len);
/* Replace the partial data. */
data_blob_free(&pad->partial_data);
@@ -766,7 +769,7 @@
}
/* Still need more data. */
- pad->needed_len -= pblob->length;
+ pad->needed_len -= copy_len;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
@@ -821,6 +824,13 @@
return NT_STATUS_OK;
}
+ /* Refuse the blob if it's bigger than 64k. */
+ if (needed_len > 65536) {
+ DEBUG(2,("check_spnego_blob_complete: needed_len too large (%u)\n",
+ (unsigned int)needed_len ));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
/* We must store this blob until complete. */
pad = SMB_MALLOC(sizeof(struct pending_auth_data));
if (!pad) {
More information about the samba-cvs
mailing list