[Samba] (samba ~ shlight): negprot protocols not 0-terminated
Volker Lendecke
Volker.Lendecke at SerNet.DE
Sun Nov 29 05:26:43 MST 2009
On Sun, Nov 29, 2009 at 01:22:08PM +0100, Volker Lendecke wrote:
> I've also attached a (completely untested) patch to Sharity
> light. Maybe you want to give that also a test and try to
> get that through the Sharity people and/or the OpenBSD
> package process.
For reference, mailman has killed the attachments:
From dacb0472270ac85c436f64a52ef8cb1bfcc8ee48 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sun, 29 Nov 2009 13:18:54 +0100
Subject: [PATCH] Correct the netbios header length calculation
The indicated netbios session packet header does not include the length itself.
---
proc.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/proc.c b/proc.c
index 399ca9d..291ace0 100644
--- a/proc.c
+++ b/proc.c
@@ -489,7 +489,7 @@ smb_setup_header(struct smb_server *server, byte command, word wct, word bcc)
byte *p = server->packet;
byte *buf = server->packet;
- p = smb_encode_smb_length(p, xmit_len);
+ p = smb_encode_smb_length(p, xmit_len - 4);
BSET(p,0,0xff);
BSET(p,1,'S');
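Review bot: The literal 4 in smb_encode_smb_length(p, xmit_len - 4) in smb_setup_header is a magic number with no comment saying it is the size of the netbios session header. A named constant, or a one-line comment repeating what the commit message says (the encoded length does not include the header itself), would keep a later reader from "fixing" it back. The hunk does not show where xmit_len is computed, so it is also worth confirming that it can never be smaller than 4 at this point, since the subtraction would otherwise wrap or go negative depending on its type.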
@@ -1728,7 +1728,7 @@ smb_proc_reconnect(struct smb_server *server)
p = smb_name_mangle(p, server->m.client_name);
smb_encode_smb_length(server->packet,
- (byte *)p - (byte *)(server->packet));
+ (byte *)p - (byte *)(server->packet) - 4);
server->packet[0] = 0x81; /* SESSION REQUEST */
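Review bot: The same "- 4" adjustment is now repeated by hand in smb_proc_reconnect, on the pointer difference (byte *)p - (byte *)(server->packet), which makes two call sites that each have to remember to exclude the header. Doing the subtraction once, inside smb_encode_smb_length or in a small wrapper that takes the total packet size, would keep the callers consistent and stop a future caller from reintroducing the off-by-four. If the subtraction stays here, a short comment on this call noting that the SESSION REQUEST length excludes the 4-byte header would help.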
--
1.6.0.4
From 10534d50cda9944ac5e0e5b15204b2f6ccd88d4f Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sun, 29 Nov 2009 13:00:55 +0100
Subject: [PATCH] s3: In negprot, check for 0-termination via bcc, not smb packet length
---
source/smbd/negprot.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/source/smbd/negprot.c b/source/smbd/negprot.c
index 9f56949..8b8f891 100644
--- a/source/smbd/negprot.c
+++ b/source/smbd/negprot.c
@@ -507,7 +507,7 @@ static const struct {
void reply_negprot(struct smb_request *req)
{
- size_t size = smb_len(req->inbuf) + 4;
+ size_t size = smb_buflen(req->inbuf);
int choice= -1;
int protocol;
char *p;
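Review bot: After this change the variable size in reply_negprot holds the result of smb_buflen(req->inbuf) rather than smb_len(req->inbuf) + 4, so the name no longer describes a packet size; renaming it (for example to bcc or buflen) would make the termination check easier to read. The lines that actually use size are outside this hunk, so please confirm that they index relative to the start of the byte-count data rather than the start of inbuf, and that a value of 0 is rejected before anything like size - 1 is evaluated. The commit message also has no body; one sentence on why the smb packet length is the wrong bound for the 0-termination check would be useful in the log.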
--
1.6.0.4