[PATCH] libcli: Use iov_buflen in smb2_signing.c
Volker Lendecke
Volker.Lendecke at SerNet.DE
Mon Aug 10 19:43:30 UTC 2015
Hi!
Review&push appreciated!
Thanks,
Volker
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
From 36348eb23037db3c3e61293e96ed4bfd2a03f32e Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 10 Aug 2015 12:02:34 +0200
Subject: [PATCH] libcli: Use iov_buflen in smb2_signing.c
This give us overflow protection
Signed-off-by: Volker Lendecke <vl at samba.org>
---
libcli/smb/smb2_signing.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
index 489e18b..b723554 100644
--- a/libcli/smb/smb2_signing.c
+++ b/libcli/smb/smb2_signing.c
@@ -22,6 +22,7 @@
#include "system/filesys.h"
#include "../libcli/smb/smb_common.h"
#include "../lib/crypto/crypto.h"
+#include "lib/util/iov_buf.h"
NTSTATUS smb2_signing_sign_pdu(DATA_BLOB signing_key,
enum protocol_types protocol,
@@ -217,7 +218,7 @@ NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key,
uint8_t sig[16];
int i;
size_t a_total;
- size_t m_total = 0;
+ ssize_t m_total;
union {
struct aes_ccm_128_context ccm;
struct aes_gcm_128_context gcm;
@@ -241,8 +242,10 @@ NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key,
}
a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE;
- for (i=1; i < count; i++) {
- m_total += vector[i].iov_len;
+
+ m_total = iov_buflen(&vector[1], count-1);
+ if (m_total == -1) {
+ return NT_STATUS_BUFFER_TOO_SMALL;
}
SSVAL(tf, SMB2_TF_FLAGS, SMB2_TF_FLAGS_ENCRYPTED);
@@ -311,7 +314,7 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key,
uint8_t sig[16];
int i;
size_t a_total;
- size_t m_total = 0;
+ ssize_t m_total;
uint32_t msg_size = 0;
union {
struct aes_ccm_128_context ccm;
@@ -336,8 +339,10 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key,
}
a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE;
- for (i=1; i < count; i++) {
- m_total += vector[i].iov_len;
+
+ m_total = iov_buflen(&vector[1], count-1);
+ if (m_total == -1) {
+ return NT_STATUS_BUFFER_TOO_SMALL;
}
flags = SVAL(tf, SMB2_TF_FLAGS);
--
1.9.1
More information about the samba-technical
mailing list