svn commit: samba r24006 - in branches/SAMBA_3_2/source/smbd: .

vlendec at samba.org vlendec at samba.org
Mon Jul 23 14:36:55 GMT 2007


Author: vlendec
Date: 2007-07-23 14:36:54 +0000 (Mon, 23 Jul 2007)
New Revision: 24006

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24006

Log:
Some more paranoia in reply_negprot

Some hosts treat the result of smb_bufrem(req->inbuf, p) as an unsigned
int. Because p += strlen(p) + 2 moved p one byte beyond the buffer, that
result was a very large positive value. Also take the chance to add one
more consistency check.

Modified:
   branches/SAMBA_3_2/source/smbd/negprot.c


Changeset:
Modified: branches/SAMBA_3_2/source/smbd/negprot.c
===================================================================
--- branches/SAMBA_3_2/source/smbd/negprot.c	2007-07-23 13:47:17 UTC (rev 24005)
+++ branches/SAMBA_3_2/source/smbd/negprot.c	2007-07-23 14:36:54 UTC (rev 24006)
@@ -533,7 +533,7 @@
 		return;
 	}
 
-	p = smb_buf(req->inbuf)+1;
+	p = smb_buf(req->inbuf);
 
 	num_cliprotos = 0;
 	cliprotos = NULL;
@@ -541,6 +541,16 @@
 	while (smb_bufrem(req->inbuf, p) > 0) {
 		char **tmp;
 
+		if (p[0] != 0x02) {
+			DEBUG(3, ("Invalid string specifier %x, expected "
+				  "0x02\n", (int)p[0]));
+			reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+			END_PROFILE(SMBnegprot);
+			return;
+		}
+
+		p += 1; /* Skip the "0x02" */
+
 		tmp = TALLOC_REALLOC_ARRAY(tmp_talloc_ctx(), cliprotos, char *,
 					   num_cliprotos+1);
 		if (tmp == NULL) {
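Review bot: After `p += 1` nothing re-checks that a NUL-terminated dialect name still lies inside the request buffer, because the loop condition only guaranteed one remaining byte and the 0x02 specifier has just consumed it. For a request that ends in 0x02, or whose last name lacks a terminator, the `p += strlen(p) + 1` in the last hunk scans past the end of the buffer, and so presumably does whatever reads the name between the hunks (not visible here). A terminator check bounded by `smb_bufrem(req->inbuf, p)` right after the skip would reject both cases before any string function touches p. The loop body continues outside this hunk.

```c
		p += 1; /* Skip the "0x02" */

		/* Require a terminated dialect name inside the buffer. */
		if (memchr(p, '\0', smb_bufrem(req->inbuf, p)) == NULL) {
			DEBUG(3, ("Unterminated dialect string\n"));
			reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
			END_PROFILE(SMBnegprot);
			return;
		}

		/* … unchanged: TALLOC_REALLOC_ARRAY and the rest of the loop body … */
```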
@@ -566,7 +576,7 @@
 			  cliprotos[num_cliprotos]));
 
 		num_cliprotos += 1;
-		p += strlen(p) + 2;
+		p += strlen(p) + 1;
 	}
 
 	for (i=0; i<num_cliprotos; i++) {


