[PATCH] libcli: Use iov_buflen in smb2_signing.c
Michael Adam
obnox at samba.org
Fri Aug 14 08:32:21 UTC 2015
Pushed to autobuild.
On 2015-08-10 at 21:43 +0200, Volker Lendecke wrote:
> Hi!
>
> Review&push appreciated!
>
> Thanks,
>
> Volker
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kontakt at sernet.de
> From 36348eb23037db3c3e61293e96ed4bfd2a03f32e Mon Sep 17 00:00:00 2001
> From: Volker Lendecke <vl at samba.org>
> Date: Mon, 10 Aug 2015 12:02:34 +0200
> Subject: [PATCH] libcli: Use iov_buflen in smb2_signing.c
>
> This gives us overflow protection
>
> Signed-off-by: Volker Lendecke <vl at samba.org>
> ---
> libcli/smb/smb2_signing.c | 17 +++++++++++------
> 1 file changed, 11 insertions(+), 6 deletions(-)
>
> diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
> index 489e18b..b723554 100644
> --- a/libcli/smb/smb2_signing.c
> +++ b/libcli/smb/smb2_signing.c
> @@ -22,6 +22,7 @@
> #include "system/filesys.h"
> #include "../libcli/smb/smb_common.h"
> #include "../lib/crypto/crypto.h"
> +#include "lib/util/iov_buf.h"
>
> NTSTATUS smb2_signing_sign_pdu(DATA_BLOB signing_key,
> enum protocol_types protocol,
> @@ -217,7 +218,7 @@ NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key,
> uint8_t sig[16];
> int i;
> size_t a_total;
> - size_t m_total = 0;
> + ssize_t m_total;
> union {
> struct aes_ccm_128_context ccm;
> struct aes_gcm_128_context gcm;
> @@ -241,8 +242,10 @@ NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key,
> }
>
> a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE;
> - for (i=1; i < count; i++) {
> - m_total += vector[i].iov_len;
> +
> + m_total = iov_buflen(&vector[1], count-1);
> + if (m_total == -1) {
> + return NT_STATUS_BUFFER_TOO_SMALL;
> }
>
> SSVAL(tf, SMB2_TF_FLAGS, SMB2_TF_FLAGS_ENCRYPTED);
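Review bot: The `m_total == -1` check in smb2_signing_encrypt_pdu only rejects a sum that overflows `ssize_t`; it does not bound the total to what the transform header can carry. The decrypt hunk declares `msg_size` as `uint32_t`, which suggests the message-size field is 32 bits, so if `m_total` is later written into that field (outside this hunk) a total above `UINT32_MAX` would be truncated on 64-bit builds and the header would no longer match the encrypted length. Consider extending the guard, e.g. `if (m_total == -1 || (uint64_t)m_total > UINT32_MAX) {`. Passing `&vector[1]` with `count-1` also depends on an earlier `count >= 1` check that is not visible here; the function body starts and ends outside the hunk.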
> @@ -311,7 +314,7 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key,
> uint8_t sig[16];
> int i;
> size_t a_total;
> - size_t m_total = 0;
> + ssize_t m_total;
> uint32_t msg_size = 0;
> union {
> struct aes_ccm_128_context ccm;
> @@ -336,8 +339,10 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key,
> }
>
> a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE;
> - for (i=1; i < count; i++) {
> - m_total += vector[i].iov_len;
> +
> + m_total = iov_buflen(&vector[1], count-1);
> + if (m_total == -1) {
> + return NT_STATUS_BUFFER_TOO_SMALL;
> }
>
> flags = SVAL(tf, SMB2_TF_FLAGS);
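Review bot: After this change `m_total` in smb2_signing_decrypt_pdu is signed (`ssize_t`) while `msg_size`, declared beside it, is `uint32_t`, so any later comparison between the two (not visible in this hunk) mixes signedness and is only safe because the `-1` check has already run. A short comment above the check would make that invariant explicit, e.g. `/* iov_buflen() returns -1 on overflow; m_total is non-negative below */`. `NT_STATUS_BUFFER_TOO_SMALL` is also a surprising status for a length that overflowed; a comment saying why it was chosen, or a status that names the invalid input, would help whoever meets this error in a log. The same applies to the identical check in smb2_signing_encrypt_pdu.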
> --
> 1.9.1
>