[SCM] Samba Shared Repository - branch v3-6-test updated

Karolin Seeger kseeger at samba.org
Mon Oct 1 01:13:08 MDT 2012


The branch, v3-6-test has been updated
       via  dd8e980 Fix bug #9209 - Parse of invalid SMB2 create blob can cause smbd crash.
       via  f4ed643 libcli/smb: fix padding in smb2_create_blob*
      from  f3f960b s3-smbd: Don't segfault if user specified ports out for range.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test


- Log -----------------------------------------------------------------
commit dd8e9801d6bcb8c6dca42312ffcb24149eb2645a
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Sep 26 16:58:58 2012 -0700

    Fix bug #9209 - Parse of invalid SMB2 create blob can cause smbd crash.
    
    Ensure we correctly protect against blobs with data_offset==0
    and data_length != 0.
    
    Jeremy.
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Thu Sep 27 22:07:02 CEST 2012 on sn-devel-104
    (cherry picked from commit 322e3d42f65dadabeccf8813fcb0e9b7d353ffb2)

commit f4ed6437a8e60043edf968103a2c503b12e5191f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 19 08:11:23 2012 +0200

    libcli/smb: fix padding in smb2_create_blob*
    
    metze
    (cherry picked from commit aa5caf1fe92b159eae00c7b11499e9ec697cf9ae)

-----------------------------------------------------------------------

Summary of changes:
 libcli/smb/smb2_create_blob.c |   46 ++++++++++++++++++++++++++++------------
 1 files changed, 32 insertions(+), 14 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/smb/smb2_create_blob.c b/libcli/smb/smb2_create_blob.c
index 31c67e9..d3a9663 100644
--- a/libcli/smb/smb2_create_blob.c
+++ b/libcli/smb/smb2_create_blob.c
@@ -59,14 +59,13 @@ NTSTATUS smb2_create_blob_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB buffer,
 
 		if ((next & 0x7) != 0 ||
 		    next > remaining ||
-		    name_offset < 16 ||
-		    name_offset > remaining ||
-		    name_length != 4 || /* windows enforces this */
+		    name_offset != 16 ||
+		    name_length < 4 ||
 		    name_offset + name_length > remaining ||
+		    (data_offset & 0x7) != 0 ||
 		    (data_offset && (data_offset < name_offset + name_length)) ||
-		    (data_offset && (data_offset > remaining)) ||
-		    (data_offset && data_length &&
-				(data_offset + (uint64_t)data_length > remaining))) {
+		    (data_offset > remaining) ||
+		    (data_offset + (uint64_t)data_length > remaining)) {
 			return NT_STATUS_INVALID_PARAMETER;
 		}
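Review bot: The rewritten condition still accepts a blob with data_offset == 0 and data_length != 0 whenever data_length <= remaining: the `data_offset &&` guard on the name_offset term skips it, `data_offset > remaining` is false, and `0 + data_length > remaining` only fires for oversized lengths. Since the commit message names exactly that combination as invalid, an explicit term `(data_offset == 0 && data_length != 0) ||` would reject it outright instead of presumably letting the later copy read data_length bytes from the start of the blob. Separately, `(data_offset > remaining) ||` is subsumed by the following 64-bit sum and can be dropped. The enclosing loop body and the later use of data_offset/data_length lie outside the hunk.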
 
@@ -106,25 +105,44 @@ static NTSTATUS smb2_create_blob_push_one(TALLOC_CTX *mem_ctx, DATA_BLOB *buffer
 {
 	uint32_t ofs = buffer->length;
 	size_t tag_length = strlen(blob->tag);
-	uint8_t pad = smb2_create_blob_padding(blob->data.length+tag_length, 4);
+	size_t blob_offset = 0;
+	size_t blob_pad = 0;
+	size_t next_offset = 0;
+	size_t next_pad = 0;
+	bool ok;
+
+	blob_offset = 0x14 + tag_length;
+	blob_pad = smb2_create_blob_padding(blob_offset, 8);
+	next_offset = blob_offset + blob_pad + blob->data.length;
+	if (!last) {
+		next_pad = smb2_create_blob_padding(next_offset, 8);
+	}
 
-	if (!data_blob_realloc(mem_ctx, buffer,
-			       buffer->length + 0x14 + tag_length + blob->data.length + pad))
+	ok = data_blob_realloc(mem_ctx, buffer,
+			       buffer->length + next_offset + next_pad);
+	if (!ok) {
 		return NT_STATUS_NO_MEMORY;
+	}
 
 	if (last) {
 		SIVAL(buffer->data, ofs+0x00, 0);
 	} else {
-		SIVAL(buffer->data, ofs+0x00, 0x14 + tag_length + blob->data.length + pad);
+		SIVAL(buffer->data, ofs+0x00, next_offset + next_pad);
 	}
 	SSVAL(buffer->data, ofs+0x04, 0x10); /* offset of tag */
 	SIVAL(buffer->data, ofs+0x06, tag_length); /* tag length */
-	SSVAL(buffer->data, ofs+0x0A, 0x14 + tag_length); /* offset of data */
+	SSVAL(buffer->data, ofs+0x0A, blob_offset + blob_pad); /* offset of data */
 	SIVAL(buffer->data, ofs+0x0C, blob->data.length);
 	memcpy(buffer->data+ofs+0x10, blob->tag, tag_length);
-	SIVAL(buffer->data, ofs+0x10+tag_length, 0); /* pad? */
-	memcpy(buffer->data+ofs+0x14+tag_length, blob->data.data, blob->data.length);
-	memset(buffer->data+ofs+0x14+tag_length+blob->data.length, 0, pad);
+	if (blob_pad > 0) {
+		memset(buffer->data+ofs+blob_offset, 0, blob_pad);
+		blob_offset += blob_pad;
+	}
+	memcpy(buffer->data+ofs+blob_offset, blob->data.data, blob->data.length);
+	if (next_pad > 0) {
+		memset(buffer->data+ofs+next_offset, 0, next_pad);
+		next_offset += next_pad;
+	}
 
 	return NT_STATUS_OK;
 }
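Review bot: `next_offset += next_pad;` on the last added line is a dead store — next_offset is not read again before `return NT_STATUS_OK`, so the increment can be deleted and the `if (next_pad > 0)` block reduced to the memset. The same shape at `blob_offset += blob_pad;` is fine because the following memcpy uses it. The 8-byte alignment is a contract shared with the parser, so a comment such as `/* data must start 8-byte aligned; smb2_create_blob_parse rejects anything else */` above the blob_pad computation would make that visible. SSVAL/SIVAL narrow the size_t offsets to 16/32 bits without a range check; tag_length comes from strlen and is presumably small, but that is worth confirming. The function signature sits in the hunk header, outside the changed lines.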



