[Samba] (samba ~ shlight): negprot protocols not 0-terminated

Volker Lendecke Volker.Lendecke at SerNet.DE
Sun Nov 29 08:02:11 MST 2009


On Sun, Nov 29, 2009 at 01:26:43PM +0100, Volker Lendecke wrote:
> On Sun, Nov 29, 2009 at 01:22:08PM +0100, Volker Lendecke wrote:
> > I've also attached a (completely untested) patch to Sharity
> > light. Maybe you want to give that also a test and try to
> > get that through the Sharity people and/or the OpenBSD
> > package process.
> 
> For reference, mailman has killed the attachments:

One should actually *test* patches :-)

Here's another one.

Volker


From 21fe07535ae9ed90aa036022e426cd7139b5faf4 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sun, 29 Nov 2009 13:00:55 +0100
Subject: [PATCH] s3: In negprot, check for 0-termination via bcc, not smb packet length

---
 source/smbd/negprot.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/source/smbd/negprot.c b/source/smbd/negprot.c
index 9f56949..c93f3c6 100644
--- a/source/smbd/negprot.c
+++ b/source/smbd/negprot.c
@@ -507,7 +507,7 @@ static const struct {
 
 void reply_negprot(struct smb_request *req)
 {
-	size_t size = smb_len(req->inbuf) + 4;
+	size_t size = smb_buflen(req->inbuf);
 	int choice= -1;
 	int protocol;
 	char *p;
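Review bot: At the changed initializer, `size` no longer holds the packet length but the byte count returned by smb_buflen(req->inbuf), a value the client puts in the request, and nothing in the visible lines shows it being compared against the number of bytes actually received. If that validation is not done before reply_negprot() is reached, a byte count larger than the received data would make the later `p[size-1]` read past the end of the buffer. Please confirm where the bound is enforced, or add the check here, and consider renaming the variable (for example `bcc`), since `size` now means something different from the line it replaces.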
@@ -527,7 +527,9 @@ void reply_negprot(struct smb_request *req)
 	}
 	done_negprot = True;
 
-	if (req->inbuf[size-1] != '\0') {
+	p = smb_buf(req->inbuf);
+
+	if (p[size-1] != '\0') {
 		DEBUG(0, ("negprot protocols not 0-terminated\n"));
 		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 		END_PROFILE(SMBnegprot);
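Review bot: The new test `p[size-1] != '\0'` has no guard for `size == 0`. Because `size` is a size_t, `size-1` wraps to the maximum value in that case and the index falls outside the data area, so a negprot request with an empty byte count is decided by whatever byte lies there instead of being rejected. Suggest `if (size == 0 || p[size-1] != '\0')`, so an empty dialect list takes the same NT_STATUS_INVALID_PARAMETER path.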
-- 
1.6.0.4
