[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Tue May 5 17:13:02 UTC 2020


The branch, master has been updated
       via  f80c97cb8da libsmb: Protect cli_oem_change_password() from rprcnt<2
       via  ce8b70df7bd libsmb: Protect cli_RNetServerEnum against rprcnt<6
       via  4a9fe4efefa libsmb: Protect cli_RNetShareEnum() against rprcnt<6
       via  ae91d67a247 libsmb: Fix indentation in cli_RNetShareEnum()
      from  1be128eeedf smbd: Make share_mode_for_one_entry() use just a uint8*

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f80c97cb8da64f3cd9904e2e1fd43c29b691166d
Author: Volker Lendecke <vl at samba.org>
Date:   Sat May 2 15:18:07 2020 +0200

    libsmb: Protect cli_oem_change_password() from rprcnt<2
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14362
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Tue May  5 17:12:04 UTC 2020 on sn-devel-184

commit ce8b70df7bd63e96723b8e8dc864f1690f5fad7b
Author: Volker Lendecke <vl at samba.org>
Date:   Sat May 2 15:10:14 2020 +0200

    libsmb: Protect cli_RNetServerEnum against rprcnt<6
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14362
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 4a9fe4efefa67d6f24efcbe29722a43fc4859fdc
Author: Volker Lendecke <vl at samba.org>
Date:   Sat May 2 14:59:07 2020 +0200

    libsmb: Protect cli_RNetShareEnum() against rprcnt<6
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14362
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit ae91d67a247424d4ddc89230f52365558d6ff402
Author: Volker Lendecke <vl at samba.org>
Date:   Sat May 2 14:54:01 2020 +0200

    libsmb: Fix indentation in cli_RNetShareEnum()
    
    Also remove a level of indentation with a "goto done;"
    
    Best review with "git show -b", almost no code change
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14362
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/libsmb/clirap.c | 151 ++++++++++++++++++++++++++++--------------------
 1 file changed, 87 insertions(+), 64 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
index 7896a121fbf..e1f9cea4388 100644
--- a/source3/libsmb/clirap.c
+++ b/source3/libsmb/clirap.c
@@ -107,6 +107,8 @@ int cli_RNetShareEnum(struct cli_state *cli, void (*fn)(const char *, uint32_t,
 	unsigned int rdrcnt,rprcnt;
 	char param[1024];
 	int count = -1;
+	bool ok;
+	int res;
 
 	/* now send a SMBtrans command with api RNetShareEnum */
 	p = param;
@@ -124,74 +126,82 @@ int cli_RNetShareEnum(struct cli_state *cli, void (*fn)(const char *, uint32_t,
 	SSVAL(p,2,0xFFE0);
 	p += 4;
 
-	if (cli_api(cli,
-		    param, PTR_DIFF(p,param), 1024,  /* Param, length, maxlen */
-		    NULL, 0, 0xFFE0,            /* data, length, maxlen - Win2k needs a small buffer here too ! */
-		    &rparam, &rprcnt,                /* return params, length */
-		    &rdata, &rdrcnt))                /* return data, length */
-		{
-			int res = rparam? SVAL(rparam,0) : -1;
-
-			if (res == 0 || res == ERRmoredata) {
-				int converter=SVAL(rparam,2);
-				int i;
-				char *rdata_end = rdata + rdrcnt;
-
-				count=SVAL(rparam,4);
-				p = rdata;
-
-				for (i=0;i<count;i++,p+=20) {
-					char *sname;
-					int type;
-					int comment_offset;
-					const char *cmnt;
-					const char *p1;
-					char *s1, *s2;
-					size_t len;
-					TALLOC_CTX *frame = talloc_stackframe();
-
-					if (p + 20 > rdata_end) {
-						TALLOC_FREE(frame);
-						break;
-					}
-
-					sname = p;
-					type = SVAL(p,14);
-					comment_offset = (IVAL(p,16) & 0xFFFF) - converter;
-					if (comment_offset < 0 ||
-							comment_offset > (int)rdrcnt) {
-						TALLOC_FREE(frame);
-						break;
-					}
-					cmnt = comment_offset?(rdata+comment_offset):"";
-
-					/* Work out the comment length. */
-					for (p1 = cmnt, len = 0; *p1 &&
-							p1 < rdata_end; len++)
-						p1++;
-					if (!*p1) {
-						len++;
-					}
-					pull_string_talloc(frame,rdata,0,
-						&s1,sname,14,STR_ASCII);
-					pull_string_talloc(frame,rdata,0,
-						&s2,cmnt,len,STR_ASCII);
-					if (!s1 || !s2) {
-						TALLOC_FREE(frame);
-						continue;
-					}
-
-					fn(s1, type, s2, state);
+	ok = cli_api(
+		cli,
+		param, PTR_DIFF(p,param), 1024,  /* Param, length, maxlen */
+		NULL, 0, 0xFFE0,            /* data, length, maxlen - Win2k needs a small buffer here too ! */
+		&rparam, &rprcnt,                /* return params, length */
+		&rdata, &rdrcnt);                /* return data, length */
+	if (!ok) {
+		DEBUG(4,("NetShareEnum failed\n"));
+		goto done;
+	}
 
-					TALLOC_FREE(frame);
-				}
-			} else {
-				DEBUG(4,("NetShareEnum res=%d\n", res));
+	if (rprcnt < 6) {
+		DBG_ERR("Got invalid result: rprcnt=%u\n", rprcnt);
+		goto done;
+	}
+
+	res = rparam? SVAL(rparam,0) : -1;
+
+	if (res == 0 || res == ERRmoredata) {
+		int converter=SVAL(rparam,2);
+		int i;
+		char *rdata_end = rdata + rdrcnt;
+
+		count=SVAL(rparam,4);
+		p = rdata;
+
+		for (i=0;i<count;i++,p+=20) {
+			char *sname;
+			int type;
+			int comment_offset;
+			const char *cmnt;
+			const char *p1;
+			char *s1, *s2;
+			size_t len;
+			TALLOC_CTX *frame = talloc_stackframe();
+
+			if (p + 20 > rdata_end) {
+				TALLOC_FREE(frame);
+				break;
 			}
-		} else {
-			DEBUG(4,("NetShareEnum failed\n"));
+
+			sname = p;
+			type = SVAL(p,14);
+			comment_offset = (IVAL(p,16) & 0xFFFF) - converter;
+			if (comment_offset < 0 ||
+			    comment_offset > (int)rdrcnt) {
+				TALLOC_FREE(frame);
+				break;
+			}
+			cmnt = comment_offset?(rdata+comment_offset):"";
+
+			/* Work out the comment length. */
+			for (p1 = cmnt, len = 0; *p1 &&
+				     p1 < rdata_end; len++)
+				p1++;
+			if (!*p1) {
+				len++;
+			}
+			pull_string_talloc(frame,rdata,0,
+					   &s1,sname,14,STR_ASCII);
+			pull_string_talloc(frame,rdata,0,
+					   &s2,cmnt,len,STR_ASCII);
+			if (!s1 || !s2) {
+				TALLOC_FREE(frame);
+				continue;
+			}
+
+			fn(s1, type, s2, state);
+
+			TALLOC_FREE(frame);
 		}
+	} else {
+			DEBUG(4,("NetShareEnum res=%d\n", res));
+	}
 
+done:
 	SAFE_FREE(rparam);
 	SAFE_FREE(rdata);
 
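Review bot: The comment-length scan in the re-indented loop can still read one byte past the reply buffer, because `*p1 && p1 < rdata_end` dereferences before it checks the bound and the following `if (!*p1)` reads `p1` again when the scan stopped at `rdata_end`. The offset check `comment_offset > (int)rdrcnt` also accepts `comment_offset == rdrcnt`, which makes `cmnt` equal to `rdata_end` from the start. Unless cli_api over-allocates `rdata` (not visible here), a server reply with an unterminated trailing comment triggers the over-read. Suggested changes: `comment_offset >= (int)rdrcnt` in the offset check, `for (p1 = cmnt, len = 0; p1 < rdata_end && *p1; len++)` for the scan, and `if (p1 < rdata_end && !*p1)` after it. The function starts and ends outside this hunk.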
@@ -295,6 +305,13 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32_t stype,
 		}
 
 		rdata_end = rdata + rdrcnt;
+
+		if (rprcnt < 6) {
+			DBG_ERR("Got invalid result: rprcnt=%u\n", rprcnt);
+			res = -1;
+			break;
+		}
+
 		res = rparam ? SVAL(rparam,0) : -1;
 
 		if (res == 0 || res == ERRmoredata ||
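Review bot: The bound in `if (rprcnt < 6)` only covers 16-bit reads of rparam at offsets 0, 2 and 4, and this hunk shows just `SVAL(rparam,0)`; the rest of the loop body is outside the hunk, so the highest rparam offset read there should be confirmed against it. If any field beyond offset 4 is read, the bound has to grow to match (a 16-bit read at offset 6 would need `rprcnt < 8`). A one-line comment above the check naming the fields it covers would make the number verifiable at a glance.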
@@ -518,10 +535,16 @@ bool cli_oem_change_password(struct cli_state *cli, const char *user, const char
 		return False;
 	}
 
+	if (rdrcnt < 2) {
+		cli->rap_error = ERRbadformat;
+		goto done;
+	}
+
 	if (rparam) {
 		cli->rap_error = SVAL(rparam,0);
 	}
 
+done:
 	SAFE_FREE(rparam);
 	SAFE_FREE(rdata);
 
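Review bot: The new guard tests `rdrcnt`, the returned data length, while the read it is meant to protect is `SVAL(rparam,0)` on the returned parameter block, and the commit subject itself says rprcnt<2. As written, a parameter block shorter than two bytes still reaches the 16-bit read whenever at least two data bytes came back, and a reply with no data bytes is rejected as ERRbadformat even if its parameter block is well-formed. Assuming the parameter length is held in `rprcnt` as in the other two functions, the condition should be `if (rprcnt < 2) {`. The declarations and the cli_api call of this function are outside the hunk.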


-- 
Samba Shared Repository


