[SCM] Samba Shared Repository - branch v4-0-test updated -
release-4-0-0alpha2-812-g309cf40
Andrew Tridgell
tridge at samba.org
Thu Feb 14 02:38:32 GMT 2008
The branch, v4-0-test has been updated
via 309cf408e01c36e2a12ed2d1462f2bbe407d4597 (commit)
via 9a139c35b7f1326616d26ce13bbdc7d6b22cd9b5 (commit)
via 52d7972d95ddc19d22a4187b4d4428a6c3ed32d5 (commit)
via ca6d9be6cb6a403a81b18fa6e9a6a0518d7f0f68 (commit)
from 92dbbc479032ae3d0cf4b2b9e64291128185cf9c (commit)
http://gitweb.samba.org/?samba.git;a=shortlog;h=v4-0-test
- Log -----------------------------------------------------------------
commit 309cf408e01c36e2a12ed2d1462f2bbe407d4597
Merge: 9a139c35b7f1326616d26ce13bbdc7d6b22cd9b5 92dbbc479032ae3d0cf4b2b9e64291128185cf9c
Author: Andrew Tridgell <tridge at samba.org>
Date: Thu Feb 14 13:37:37 2008 +1100
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into v4-0-test
commit 9a139c35b7f1326616d26ce13bbdc7d6b22cd9b5
Author: Andrew Tridgell <tridge at samba.org>
Date: Thu Feb 14 12:50:11 2008 +1100
we need to refuse a root_fid in rename on SMB but not SMB2
commit 52d7972d95ddc19d22a4187b4d4428a6c3ed32d5
Author: Andrew Tridgell <tridge at samba.org>
Date: Thu Feb 14 12:30:31 2008 +1100
Fixed SMB2 rename operations from Vista clients
We needed a flag in bufinfo to mark packets as SMB2, as it seems that
SMB2 uses a different format for the RenameInformation buffer than SMB
does
Also handle the fact that SMB2 clients give the full path to the
target file in the rename, not a relative path
commit ca6d9be6cb6a403a81b18fa6e9a6a0518d7f0f68
Author: Andrew Tridgell <tridge at samba.org>
Date: Thu Feb 14 10:12:33 2008 +1100
Convert SMB and SMB2 code to use a common buffer handling structure
This converts our SMB and SMB2 code to use a common structure "struct
request_bufinfo" for information on the buffer bounds of a packet,
alignment information and string handling. This allows us to use a
common backend for SMB and SMB2 code, while still using all the same
string and blob handling functions.
Up to now we had been passing a NULL req handle into these common
routines from the SMB2 side of the server, which meant that we failed
any operation which did a bounds checked string extraction (such as a
RenameInformation setinfo call, which is what Vista uses for renaming
files)
There is still some more work to be done on this - for example we can
now remove many of the SMB2 specific buffer handling functions that we
had, and use the SMB ones.
-----------------------------------------------------------------------
Summary of changes:
source/libcli/raw/clisession.c | 20 ++++----
source/libcli/raw/clitransport.c | 4 +-
source/libcli/raw/clitree.c | 6 +-
source/libcli/raw/interfaces.h | 2 +-
source/libcli/raw/libcliraw.h | 4 +-
source/libcli/raw/rawfile.c | 4 +-
source/libcli/raw/rawioctl.c | 2 +-
source/libcli/raw/rawnegotiate.c | 10 ++--
source/libcli/raw/rawreadwrite.c | 6 +-
source/libcli/raw/rawrequest.c | 53 ++++++++++++------
source/libcli/raw/rawsearch.c | 2 +-
source/libcli/raw/request.h | 19 ++++++-
source/libcli/raw/smb_signing.c | 6 +-
source/libcli/smb2/request.c | 15 +++++
source/libcli/smb2/smb2.h | 5 ++
source/libcli/smb2/transport.c | 2 +
source/ntvfs/posix/pvfs_setfileinfo.c | 41 +++++++++-----
source/smb_server/blob.c | 41 ++++++++------
source/smb_server/smb/negprot.c | 2 +-
source/smb_server/smb/nttrans.c | 6 +-
source/smb_server/smb/receive.c | 6 ++
source/smb_server/smb/reply.c | 94 ++++++++++++++++----------------
source/smb_server/smb/request.c | 64 ++++++++++++++---------
source/smb_server/smb/search.c | 12 ++--
source/smb_server/smb/trans2.c | 24 ++++----
source/smb_server/smb2/fileinfo.c | 2 +-
source/smb_server/smb2/negprot.c | 2 +
source/smb_server/smb2/receive.c | 20 +++++++
source/smb_server/smb2/tcon.c | 2 +
source/smb_server/smb_server.h | 4 +-
30 files changed, 300 insertions(+), 180 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/libcli/raw/clisession.c b/source/libcli/raw/clisession.c
index 617131c..55cb3ef 100644
--- a/source/libcli/raw/clisession.c
+++ b/source/libcli/raw/clisession.c
@@ -177,9 +177,9 @@ NTSTATUS smb_raw_sesssetup_recv(struct smbcli_request *req,
parms->old.out.action = SVAL(req->in.vwv, VWV(2));
p = req->in.data;
if (p) {
- p += smbcli_req_pull_string(req, mem_ctx, &parms->old.out.os, p, -1, STR_TERMINATE);
- p += smbcli_req_pull_string(req, mem_ctx, &parms->old.out.lanman, p, -1, STR_TERMINATE);
- p += smbcli_req_pull_string(req, mem_ctx, &parms->old.out.domain, p, -1, STR_TERMINATE);
+ p += smbcli_req_pull_string(&req->in.bufinfo, mem_ctx, &parms->old.out.os, p, -1, STR_TERMINATE);
+ p += smbcli_req_pull_string(&req->in.bufinfo, mem_ctx, &parms->old.out.lanman, p, -1, STR_TERMINATE);
+ p += smbcli_req_pull_string(&req->in.bufinfo, mem_ctx, &parms->old.out.domain, p, -1, STR_TERMINATE);
}
break;
@@ -190,10 +190,10 @@ NTSTATUS smb_raw_sesssetup_recv(struct smbcli_request *req,
parms->nt1.out.action = SVAL(req->in.vwv, VWV(2));
p = req->in.data;
if (p) {
- p += smbcli_req_pull_string(req, mem_ctx, &parms->nt1.out.os, p, -1, STR_TERMINATE);
- p += smbcli_req_pull_string(req, mem_ctx, &parms->nt1.out.lanman, p, -1, STR_TERMINATE);
+ p += smbcli_req_pull_string(&req->in.bufinfo, mem_ctx, &parms->nt1.out.os, p, -1, STR_TERMINATE);
+ p += smbcli_req_pull_string(&req->in.bufinfo, mem_ctx, &parms->nt1.out.lanman, p, -1, STR_TERMINATE);
if (p < (req->in.data + req->in.data_size)) {
- p += smbcli_req_pull_string(req, mem_ctx, &parms->nt1.out.domain, p, -1, STR_TERMINATE);
+ p += smbcli_req_pull_string(&req->in.bufinfo, mem_ctx, &parms->nt1.out.domain, p, -1, STR_TERMINATE);
}
}
break;
@@ -209,11 +209,11 @@ NTSTATUS smb_raw_sesssetup_recv(struct smbcli_request *req,
break;
}
- parms->spnego.out.secblob = smbcli_req_pull_blob(req, mem_ctx, p, len);
+ parms->spnego.out.secblob = smbcli_req_pull_blob(&req->in.bufinfo, mem_ctx, p, len);
p += parms->spnego.out.secblob.length;
- p += smbcli_req_pull_string(req, mem_ctx, &parms->spnego.out.os, p, -1, STR_TERMINATE);
- p += smbcli_req_pull_string(req, mem_ctx, &parms->spnego.out.lanman, p, -1, STR_TERMINATE);
- p += smbcli_req_pull_string(req, mem_ctx, &parms->spnego.out.workgroup, p, -1, STR_TERMINATE);
+ p += smbcli_req_pull_string(&req->in.bufinfo, mem_ctx, &parms->spnego.out.os, p, -1, STR_TERMINATE);
+ p += smbcli_req_pull_string(&req->in.bufinfo, mem_ctx, &parms->spnego.out.lanman, p, -1, STR_TERMINATE);
+ p += smbcli_req_pull_string(&req->in.bufinfo, mem_ctx, &parms->spnego.out.workgroup, p, -1, STR_TERMINATE);
break;
case RAW_SESSSETUP_SMB2:
diff --git a/source/libcli/raw/clitransport.c b/source/libcli/raw/clitransport.c
index 62c32d3..288f061 100644
--- a/source/libcli/raw/clitransport.c
+++ b/source/libcli/raw/clitransport.c
@@ -444,6 +444,8 @@ static NTSTATUS smbcli_transport_finish_recv(void *private, DATA_BLOB blob)
req->in.ptr = req->in.data;
req->flags2 = SVAL(req->in.hdr, HDR_FLG2);
+ smb_setup_bufinfo(req);
+
if (!(req->flags2 & FLAGS2_32_BIT_ERROR_CODES)) {
int class = CVAL(req->in.hdr,HDR_RCLS);
int code = SVAL(req->in.hdr,HDR_ERR);
@@ -637,7 +639,7 @@ NTSTATUS smb_raw_echo_recv(struct smbcli_request *req, TALLOC_CTX *mem_ctx,
p->out.data = talloc_array(mem_ctx, uint8_t, p->out.size);
NT_STATUS_HAVE_NO_MEMORY(p->out.data);
- if (!smbcli_raw_pull_data(req, req->in.data, p->out.size, p->out.data)) {
+ if (!smbcli_raw_pull_data(&req->in.bufinfo, req->in.data, p->out.size, p->out.data)) {
req->status = NT_STATUS_BUFFER_TOO_SMALL;
}
diff --git a/source/libcli/raw/clitree.c b/source/libcli/raw/clitree.c
index 35f3335..507bde9 100644
--- a/source/libcli/raw/clitree.c
+++ b/source/libcli/raw/clitree.c
@@ -123,9 +123,9 @@ NTSTATUS smb_raw_tcon_recv(struct smbcli_request *req, TALLOC_CTX *mem_ctx,
p = req->in.data;
if (!p) break;
- p += smbcli_req_pull_string(req, mem_ctx, &parms->tconx.out.dev_type,
- p, -1, STR_ASCII | STR_TERMINATE);
- p += smbcli_req_pull_string(req, mem_ctx, &parms->tconx.out.fs_type,
+ p += smbcli_req_pull_string(&req->in.bufinfo, mem_ctx, &parms->tconx.out.dev_type,
+ p, -1, STR_ASCII | STR_TERMINATE);
+ p += smbcli_req_pull_string(&req->in.bufinfo, mem_ctx, &parms->tconx.out.fs_type,
p, -1, STR_TERMINATE);
break;
diff --git a/source/libcli/raw/interfaces.h b/source/libcli/raw/interfaces.h
index ce6323f..16db17d 100644
--- a/source/libcli/raw/interfaces.h
+++ b/source/libcli/raw/interfaces.h
@@ -1000,7 +1000,7 @@ union smb_setfileinfo {
struct {
union smb_handle_or_path file;
uint8_t overwrite;
- uint32_t root_fid;
+ uint64_t root_fid;
const char *new_name;
} in;
} rename_information;
diff --git a/source/libcli/raw/libcliraw.h b/source/libcli/raw/libcliraw.h
index 0032eb4..7111649 100644
--- a/source/libcli/raw/libcliraw.h
+++ b/source/libcli/raw/libcliraw.h
@@ -250,8 +250,8 @@ struct smbcli_request {
/* the mid of this packet - used to match replies */
uint16_t mid;
- struct request_buffer in;
- struct request_buffer out;
+ struct smb_request_buffer in;
+ struct smb_request_buffer out;
/* information on what to do with a reply when it is received
asyncronously. If this is not setup when a reply is received then
diff --git a/source/libcli/raw/rawfile.c b/source/libcli/raw/rawfile.c
index 3b6ca68..d938340 100644
--- a/source/libcli/raw/rawfile.c
+++ b/source/libcli/raw/rawfile.c
@@ -616,7 +616,7 @@ NTSTATUS smb_raw_open_recv(struct smbcli_request *req, TALLOC_CTX *mem_ctx, unio
case RAW_OPEN_CTEMP:
SMBCLI_CHECK_WCT(req, 1);
parms->ctemp.out.file.fnum = SVAL(req->in.vwv, VWV(0));
- smbcli_req_pull_string(req, mem_ctx, &parms->ctemp.out.name, req->in.data, -1, STR_TERMINATE | STR_ASCII);
+ smbcli_req_pull_string(&req->in.bufinfo, mem_ctx, &parms->ctemp.out.name, req->in.data, -1, STR_TERMINATE | STR_ASCII);
break;
case RAW_OPEN_SPLOPEN:
@@ -675,7 +675,7 @@ NTSTATUS smb_raw_open_recv(struct smbcli_request *req, TALLOC_CTX *mem_ctx, unio
parms->openxreadx.out.nread = SVAL(req->in.vwv, VWV(5));
if (parms->openxreadx.out.nread >
MAX(parms->openxreadx.in.mincnt, parms->openxreadx.in.maxcnt) ||
- !smbcli_raw_pull_data(req, req->in.hdr + SVAL(req->in.vwv, VWV(6)),
+ !smbcli_raw_pull_data(&req->in.bufinfo, req->in.hdr + SVAL(req->in.vwv, VWV(6)),
parms->openxreadx.out.nread,
parms->openxreadx.out.data)) {
req->status = NT_STATUS_BUFFER_TOO_SMALL;
diff --git a/source/libcli/raw/rawioctl.c b/source/libcli/raw/rawioctl.c
index 9205f84..957e554 100644
--- a/source/libcli/raw/rawioctl.c
+++ b/source/libcli/raw/rawioctl.c
@@ -59,7 +59,7 @@ static NTSTATUS smb_raw_smbioctl_recv(struct smbcli_request *req,
return smbcli_request_destroy(req);
}
- parms->ioctl.out.blob = smbcli_req_pull_blob(req, mem_ctx, req->in.data, -1);
+ parms->ioctl.out.blob = smbcli_req_pull_blob(&req->in.bufinfo, mem_ctx, req->in.data, -1);
return smbcli_request_destroy(req);
}
diff --git a/source/libcli/raw/rawnegotiate.c b/source/libcli/raw/rawnegotiate.c
index 1f5e347..ec2ada5 100644
--- a/source/libcli/raw/rawnegotiate.c
+++ b/source/libcli/raw/rawnegotiate.c
@@ -135,14 +135,14 @@ NTSTATUS smb_raw_negotiate_recv(struct smbcli_request *req)
if (req->in.data_size < 16) {
goto failed;
}
- transport->negotiate.server_guid = smbcli_req_pull_blob(req, transport, req->in.data, 16);
- transport->negotiate.secblob = smbcli_req_pull_blob(req, transport, req->in.data + 16, req->in.data_size - 16);
+ transport->negotiate.server_guid = smbcli_req_pull_blob(&req->in.bufinfo, transport, req->in.data, 16);
+ transport->negotiate.secblob = smbcli_req_pull_blob(&req->in.bufinfo, transport, req->in.data + 16, req->in.data_size - 16);
} else {
if (req->in.data_size < (transport->negotiate.key_len)) {
goto failed;
}
- transport->negotiate.secblob = smbcli_req_pull_blob(req, transport, req->in.data, transport->negotiate.key_len);
- smbcli_req_pull_string(req, transport, &transport->negotiate.server_domain,
+ transport->negotiate.secblob = smbcli_req_pull_blob(&req->in.bufinfo, transport, req->in.data, transport->negotiate.key_len);
+ smbcli_req_pull_string(&req->in.bufinfo, transport, &transport->negotiate.server_domain,
req->in.data+transport->negotiate.key_len,
req->in.data_size-transport->negotiate.key_len, STR_UNICODE|STR_NOALIGN);
/* here comes the server name */
@@ -168,7 +168,7 @@ NTSTATUS smb_raw_negotiate_recv(struct smbcli_request *req)
if ((SVAL(req->in.vwv,VWV(5)) & 0x2)) {
transport->negotiate.writebraw_supported = 1;
}
- transport->negotiate.secblob = smbcli_req_pull_blob(req, transport,
+ transport->negotiate.secblob = smbcli_req_pull_blob(&req->in.bufinfo, transport,
req->in.data, req->in.data_size);
} else {
/* the old core protocol */
diff --git a/source/libcli/raw/rawreadwrite.c b/source/libcli/raw/rawreadwrite.c
index b0c49dd..2005e36 100644
--- a/source/libcli/raw/rawreadwrite.c
+++ b/source/libcli/raw/rawreadwrite.c
@@ -137,7 +137,7 @@ NTSTATUS smb_raw_read_recv(struct smbcli_request *req, union smb_read *parms)
SMBCLI_CHECK_WCT(req, 5);
parms->lockread.out.nread = SVAL(req->in.vwv, VWV(0));
if (parms->lockread.out.nread > parms->lockread.in.count ||
- !smbcli_raw_pull_data(req, req->in.data+3,
+ !smbcli_raw_pull_data(&req->in.bufinfo, req->in.data+3,
parms->lockread.out.nread, parms->lockread.out.data)) {
req->status = NT_STATUS_BUFFER_TOO_SMALL;
}
@@ -148,7 +148,7 @@ NTSTATUS smb_raw_read_recv(struct smbcli_request *req, union smb_read *parms)
SMBCLI_CHECK_WCT(req, 5);
parms->read.out.nread = SVAL(req->in.vwv, VWV(0));
if (parms->read.out.nread > parms->read.in.count ||
- !smbcli_raw_pull_data(req, req->in.data+3,
+ !smbcli_raw_pull_data(&req->in.bufinfo, req->in.data+3,
parms->read.out.nread, parms->read.out.data)) {
req->status = NT_STATUS_BUFFER_TOO_SMALL;
}
@@ -175,7 +175,7 @@ NTSTATUS smb_raw_read_recv(struct smbcli_request *req, union smb_read *parms)
}
if (parms->readx.out.nread > MAX(parms->readx.in.mincnt, parms->readx.in.maxcnt) ||
- !smbcli_raw_pull_data(req, req->in.hdr + SVAL(req->in.vwv, VWV(6)),
+ !smbcli_raw_pull_data(&req->in.bufinfo, req->in.hdr + SVAL(req->in.vwv, VWV(6)),
parms->readx.out.nread,
parms->readx.out.data)) {
req->status = NT_STATUS_BUFFER_TOO_SMALL;
diff --git a/source/libcli/raw/rawrequest.c b/source/libcli/raw/rawrequest.c
index 3551e5d..355d092 100644
--- a/source/libcli/raw/rawrequest.c
+++ b/source/libcli/raw/rawrequest.c
@@ -34,6 +34,20 @@
/* assume that a character will not consume more than 3 bytes per char */
#define MAX_BYTES_PER_CHAR 3
+/* setup the bufinfo used for strings and range checking */
+void smb_setup_bufinfo(struct smbcli_request *req)
+{
+ req->in.bufinfo.mem_ctx = req;
+ req->in.bufinfo.flags = 0;
+ if (req->flags2 & FLAGS2_UNICODE_STRINGS) {
+ req->in.bufinfo.flags = BUFINFO_FLAG_UNICODE;
+ }
+ req->in.bufinfo.align_base = req->in.buffer;
+ req->in.bufinfo.data = req->in.data;
+ req->in.bufinfo.data_size = req->in.data_size;
+}
+
+
/* destroy a request structure and return final status */
NTSTATUS smbcli_request_destroy(struct smbcli_request *req)
{
@@ -298,6 +312,9 @@ NTSTATUS smbcli_chained_advance(struct smbcli_request *req)
req->in.data = req->in.vwv + 2 + req->in.wct * 2;
req->in.data_size = SVAL(req->in.vwv, VWV(req->in.wct));
+ /* fix the bufinfo */
+ smb_setup_bufinfo(req);
+
if (buffer + 3 + req->in.wct*2 + req->in.data_size >
req->in.buffer + req->in.size) {
return NT_STATUS_BUFFER_TOO_SMALL;
@@ -544,13 +561,13 @@ size_t smbcli_req_append_var_block(struct smbcli_request *req, const uint8_t *by
on failure zero is returned and *dest is set to NULL, otherwise the number
of bytes consumed in the packet is returned
*/
-static size_t smbcli_req_pull_ucs2(struct smbcli_request *req, TALLOC_CTX *mem_ctx,
+static size_t smbcli_req_pull_ucs2(struct request_bufinfo *bufinfo, TALLOC_CTX *mem_ctx,
char **dest, const uint8_t *src, int byte_len, uint_t flags)
{
int src_len, src_len2, alignment=0;
ssize_t ret;
- if (!(flags & STR_NOALIGN) && ucs2_align(req->in.buffer, src, flags)) {
+ if (!(flags & STR_NOALIGN) && ucs2_align(bufinfo->align_base, src, flags)) {
src++;
alignment=1;
if (byte_len != -1) {
@@ -558,7 +575,7 @@ static size_t smbcli_req_pull_ucs2(struct smbcli_request *req, TALLOC_CTX *mem_c
}
}
- src_len = req->in.data_size - PTR_DIFF(src, req->in.data);
+ src_len = bufinfo->data_size - PTR_DIFF(src, bufinfo->data);
if (src_len < 0) {
*dest = NULL;
return 0;
@@ -597,13 +614,13 @@ static size_t smbcli_req_pull_ucs2(struct smbcli_request *req, TALLOC_CTX *mem_c
on failure zero is returned and *dest is set to NULL, otherwise the number
of bytes consumed in the packet is returned
*/
-size_t smbcli_req_pull_ascii(struct smbcli_request *req, TALLOC_CTX *mem_ctx,
+size_t smbcli_req_pull_ascii(struct request_bufinfo *bufinfo, TALLOC_CTX *mem_ctx,
char **dest, const uint8_t *src, int byte_len, uint_t flags)
{
int src_len, src_len2;
ssize_t ret;
- src_len = req->in.data_size - PTR_DIFF(src, req->in.data);
+ src_len = bufinfo->data_size - PTR_DIFF(src, bufinfo->data);
if (src_len < 0) {
*dest = NULL;
return 0;
@@ -640,15 +657,15 @@ size_t smbcli_req_pull_ascii(struct smbcli_request *req, TALLOC_CTX *mem_ctx,
on failure zero is returned and *dest is set to NULL, otherwise the number
of bytes consumed in the packet is returned
*/
-size_t smbcli_req_pull_string(struct smbcli_request *req, TALLOC_CTX *mem_ctx,
+size_t smbcli_req_pull_string(struct request_bufinfo *bufinfo, TALLOC_CTX *mem_ctx,
char **dest, const uint8_t *src, int byte_len, uint_t flags)
{
if (!(flags & STR_ASCII) &&
- (((flags & STR_UNICODE) || (req->flags2 & FLAGS2_UNICODE_STRINGS)))) {
- return smbcli_req_pull_ucs2(req, mem_ctx, dest, src, byte_len, flags);
+ (((flags & STR_UNICODE) || (bufinfo->flags & BUFINFO_FLAG_UNICODE)))) {
+ return smbcli_req_pull_ucs2(bufinfo, mem_ctx, dest, src, byte_len, flags);
}
- return smbcli_req_pull_ascii(req, mem_ctx, dest, src, byte_len, flags);
+ return smbcli_req_pull_ascii(bufinfo, mem_ctx, dest, src, byte_len, flags);
}
@@ -658,11 +675,11 @@ size_t smbcli_req_pull_string(struct smbcli_request *req, TALLOC_CTX *mem_ctx,
if byte_len is -1 then limit the blob only by packet size
*/
-DATA_BLOB smbcli_req_pull_blob(struct smbcli_request *req, TALLOC_CTX *mem_ctx, const uint8_t *src, int byte_len)
+DATA_BLOB smbcli_req_pull_blob(struct request_bufinfo *bufinfo, TALLOC_CTX *mem_ctx, const uint8_t *src, int byte_len)
{
int src_len;
- src_len = req->in.data_size - PTR_DIFF(src, req->in.data);
+ src_len = bufinfo->data_size - PTR_DIFF(src, bufinfo->data);
if (src_len < 0) {
return data_blob(NULL, 0);
@@ -677,13 +694,13 @@ DATA_BLOB smbcli_req_pull_blob(struct smbcli_request *req, TALLOC_CTX *mem_ctx,
/* check that a lump of data in a request is within the bounds of the data section of
the packet */
-static bool smbcli_req_data_oob(struct smbcli_request *req, const uint8_t *ptr, uint32_t count)
+static bool smbcli_req_data_oob(struct request_bufinfo *bufinfo, const uint8_t *ptr, uint32_t count)
{
/* be careful with wraparound! */
- if (ptr < req->in.data ||
- ptr >= req->in.data + req->in.data_size ||
- count > req->in.data_size ||
- ptr + count > req->in.data + req->in.data_size) {
+ if (ptr < bufinfo->data ||
+ ptr >= bufinfo->data + bufinfo->data_size ||
+ count > bufinfo->data_size ||
+ ptr + count > bufinfo->data + bufinfo->data_size) {
return true;
}
return false;
@@ -694,11 +711,11 @@ static bool smbcli_req_data_oob(struct smbcli_request *req, const uint8_t *ptr,
return false if any part is outside the data portion of the packet
*/
-bool smbcli_raw_pull_data(struct smbcli_request *req, const uint8_t *src, int len, uint8_t *dest)
+bool smbcli_raw_pull_data(struct request_bufinfo *bufinfo, const uint8_t *src, int len, uint8_t *dest)
{
if (len == 0) return true;
- if (smbcli_req_data_oob(req, src, len)) {
+ if (smbcli_req_data_oob(bufinfo, src, len)) {
return false;
}
diff --git a/source/libcli/raw/rawsearch.c b/source/libcli/raw/rawsearch.c
index 33fa90d..fb2b094 100644
--- a/source/libcli/raw/rawsearch.c
+++ b/source/libcli/raw/rawsearch.c
@@ -54,7 +54,7 @@ static void smb_raw_search_backend(struct smbcli_request *req,
search_data.search.write_time = raw_pull_dos_date(req->transport,
p + 22);
search_data.search.size = IVAL(p, 26);
- smbcli_req_pull_ascii(req, mem_ctx, &name, p+30, 13, STR_ASCII);
+ smbcli_req_pull_ascii(&req->in.bufinfo, mem_ctx, &name, p+30, 13, STR_ASCII);
search_data.search.name = name;
if (!callback(private, &search_data)) {
break;
diff --git a/source/libcli/raw/request.h b/source/libcli/raw/request.h
index 803a450..2a572e5 100644
--- a/source/libcli/raw/request.h
+++ b/source/libcli/raw/request.h
@@ -22,11 +22,25 @@
#include "libcli/raw/signing.h"
+#define BUFINFO_FLAG_UNICODE 0x0001
+#define BUFINFO_FLAG_SMB2 0x0002
+
+/*
+ buffer limit structure used by both SMB and SMB2
+ */
+struct request_bufinfo {
+ TALLOC_CTX *mem_ctx;
+ uint32_t flags;
+ const uint8_t *align_base;
+ const uint8_t *data;
+ size_t data_size;
+};
+
/*
Shared state structure between client and server, representing the basic packet.
*/
-struct request_buffer {
+struct smb_request_buffer {
/* the raw SMB buffer, including the 4 byte length header */
uint8_t *buffer;
@@ -56,6 +70,9 @@ struct request_buffer {
* a send packet is done we need to move this
* pointer */
uint8_t *ptr;
+
+ /* this is used to range check and align strings and buffers */
+ struct request_bufinfo bufinfo;
};
#endif
diff --git a/source/libcli/raw/smb_signing.c b/source/libcli/raw/smb_signing.c
index 0053710..4acfb9d 100644
--- a/source/libcli/raw/smb_signing.c
+++ b/source/libcli/raw/smb_signing.c
@@ -65,7 +65,7 @@ static bool smbcli_set_smb_signing_common(struct smbcli_transport *transport)
return true;
}
-void mark_packet_signed(struct request_buffer *out)
+void mark_packet_signed(struct smb_request_buffer *out)
{
uint16_t flags2;
flags2 = SVAL(out->hdr, HDR_FLG2);
@@ -101,7 +101,7 @@ bool signing_good(struct smb_signing_context *sign_info,
return true;
}
-void sign_outgoing_message(struct request_buffer *out, DATA_BLOB *mac_key, unsigned int seq_num)
+void sign_outgoing_message(struct smb_request_buffer *out, DATA_BLOB *mac_key, unsigned int seq_num)
{
uint8_t calc_md5_mac[16];
struct MD5Context md5_ctx;
@@ -133,7 +133,7 @@ void sign_outgoing_message(struct request_buffer *out, DATA_BLOB *mac_key, unsig
Uncomment this to test if the remote server actually verifies signitures...*/
}
-bool check_signed_incoming_message(struct request_buffer *in, DATA_BLOB *mac_key, uint_t seq_num)
+bool check_signed_incoming_message(struct smb_request_buffer *in, DATA_BLOB *mac_key, uint_t seq_num)
{
bool good;
uint8_t calc_md5_mac[16];
diff --git a/source/libcli/smb2/request.c b/source/libcli/smb2/request.c
index 46ec241..35229dc 100644
--- a/source/libcli/smb2/request.c
+++ b/source/libcli/smb2/request.c
@@ -28,6 +28,21 @@
#include "libcli/smb2/smb2_calls.h"
#include "param/param.h"
+/* fill in the bufinfo */
+void smb2_setup_bufinfo(struct smb2_request *req)
+{
+ req->in.bufinfo.mem_ctx = req;
+ req->in.bufinfo.flags = BUFINFO_FLAG_UNICODE | BUFINFO_FLAG_SMB2;
+ req->in.bufinfo.align_base = req->in.buffer;
+ if (req->in.dynamic) {
+ req->in.bufinfo.data = req->in.dynamic;
+ req->in.bufinfo.data_size = req->in.body_size - req->in.body_fixed;
+ } else {
+ req->in.bufinfo.data = NULL;
+ req->in.bufinfo.data_size = 0;
+ }
+}
+
/*
initialise a smb2 request
*/
diff --git a/source/libcli/smb2/smb2.h b/source/libcli/smb2/smb2.h
index db13ab6..af08b01 100644
--- a/source/libcli/smb2/smb2.h
+++ b/source/libcli/smb2/smb2.h
@@ -19,6 +19,8 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+#include "libcli/raw/request.h"
+
struct smb2_options {
uint32_t timeout;
};
@@ -102,6 +104,9 @@ struct smb2_request_buffer {
* this will be moved when some dynamic data is pushed
*/
uint8_t *dynamic;
+
+ /* this is used to range check and align strings and buffers */
+ struct request_bufinfo bufinfo;
};
diff --git a/source/libcli/smb2/transport.c b/source/libcli/smb2/transport.c
index dceb783..1d601fd 100644
--- a/source/libcli/smb2/transport.c
+++ b/source/libcli/smb2/transport.c
@@ -216,6 +216,8 @@ static NTSTATUS smb2_transport_finish_recv(void *private, DATA_BLOB blob)
}
}
+ smb2_setup_bufinfo(req);
+
DEBUG(2, ("SMB2 RECV seqnum=0x%llx\n", (long long)req->seqnum));
--
Samba Shared Repository
More information about the samba-cvs
mailing list