r22014: Make us pass RANDOMIPC test again :-(. This is an ugly check-in,

but I've no option.
Jeremy.
(This used to be commit c3a565081d70b209a4f9e6e8f1859bf7194a5f74)

source3/lib/util.c

@@ -3124,3 +3124,26 @@ int this_is_smp(void)
 	return 0;
 #endif
 }
+
+/****************************************************************
+ Return a safe offset into a buffer, or NULL.
+****************************************************************/
+
+char *get_safe_offset(const char *buf_base, size_t buf_len, char *ptr, size_t off)
+{
+	const char *end_base = buf_base + buf_len;
+	const char *end_ptr = ptr + off;
+
+	if (!buf_base || !ptr) {
+		return NULL;
+	}
+
+	if (end_base < buf_base || end_ptr < ptr) {
+		return NULL; /* wrap. */
+	}
+
+	if (end_ptr < end_base) {
+		return ptr;
+	}
+	return NULL;
+}

source3/lib/util_str.c

@@ -424,16 +424,45 @@ void string_replace( pstring s, char oldc, char newc )
 }
 
 /**
- Skip past some strings in a buffer.
-**/
+ *  Skip past some strings in a buffer - old version - no checks.
+ *  **/
 
-char *skip_string(char *buf,size_t n)
+char *push_skip_string(char *buf,size_t n)
 {
 	while (n--)
 		buf += strlen(buf) + 1;
 	return(buf);
 }
 
+/**
+ Skip past some strings in a buffer. Buffer may not be
+ null terminated. end_ptr points to the first byte after
+ then end of the buffer.
+**/
+
+char *skip_string(const char *base, size_t len, char *buf, size_t n)
+{
+	const char *end_ptr = base + len;
+
+	if (end_ptr < base || !base || !buf || buf >= end_ptr) {
+		return NULL;
+	}
+
+	while (n--) {
+		/* Skip the string */
+		while (*buf) {
+			buf++;
+			if (buf >= end_ptr) {
+				return NULL;
+			}
+		}
+		/* Skip the '\0' */
+		buf++;
+	}
+
+	return buf;
+}
+
 /**
  Count the number of characters in a string. Normally this will
  be the same as the number of bytes in a string for single byte strings,
@@ -2591,4 +2620,3 @@ size_t utf16_len_n(const void *src, size_t n)
 
 	return len;
 }
-

source3/libsmb/clidgram.c

@@ -85,7 +85,10 @@ BOOL cli_send_mailslot(BOOL unique, const char *mailslot,
 	SSVAL(ptr,smb_vwv16,2);
 	p2 = smb_buf(ptr);
 	fstrcpy(p2,mailslot);
-	p2 = skip_string(p2,1);
+	p2 = skip_string(ptr,MAX_DGRAM_SIZE,p2,1);
+	if (!p2) {
+		return False;
+	}
 
 	memcpy(p2,buf,len);
 	p2 += len;

source3/libsmb/cliprint.c

@@ -64,16 +64,16 @@ int cli_print_queue(struct cli_state *cli,
 	SSVAL(p,0,76);         /* API function number 76 (DosPrintJobEnum) */
 	p += 2;
 	pstrcpy_base(p,"zWrLeh", param);   /* parameter description? */
-	p = skip_string(p,1);
+	p = skip_string(param,sizeof(param),p,1);
 	pstrcpy_base(p,"WWzWWDDzz", param);  /* returned data format */
-	p = skip_string(p,1);
+	p = skip_string(param,sizeof(param),p,1);
 	pstrcpy_base(p,cli->share, param);    /* name of queue */
-	p = skip_string(p,1);
+	p = skip_string(param,sizeof(param),p,1);
 	SSVAL(p,0,2);   /* API function level 2, PRJINFO_2 data structure */
 	SSVAL(p,2,1000); /* size of bytes of returned data buffer */
 	p += 4;
 	pstrcpy_base(p,"", param);   /* subformat */
-	p = skip_string(p,1);
+	p = skip_string(param,sizeof(param),p,1);
 
 	DEBUG(4,("doing cli_print_queue for %s\n", cli->share));
 
@@ -133,9 +133,9 @@ int cli_printjob_del(struct cli_state *cli, int job)
 	SSVAL(p,0,81);		/* DosPrintJobDel() */
 	p += 2;
 	pstrcpy_base(p,"W", param);
-	p = skip_string(p,1);
+	p = skip_string(param,sizeof(param),p,1);
 	pstrcpy_base(p,"", param);
-	p = skip_string(p,1);
+	p = skip_string(param,sizeof(param),p,1);
 	SSVAL(p,0,job);     
 	p += 2;
 	

source3/libsmb/clirap.c

@@ -86,9 +86,9 @@ BOOL cli_NetWkstaUserLogon(struct cli_state *cli,char *user, char *workstation)
 	SSVAL(p,0,132); /* api number */
 	p += 2;
 	pstrcpy_base(p,"OOWb54WrLh",param);
-	p = skip_string(p,1);
+	p = skip_string(param,sizeof(param),p,1);
 	pstrcpy_base(p,"WB21BWDWWDDDDDDDzzzD",param);
-	p = skip_string(p,1);
+	p = skip_string(param,sizeof(param),p,1);
 	SSVAL(p,0,1);
 	p += 2;
 	pstrcpy_base(p,user,param);
@@ -147,9 +147,9 @@ int cli_RNetShareEnum(struct cli_state *cli, void (*fn)(const char *, uint32, co
 	SSVAL(p,0,0); /* api number */
 	p += 2;
 	pstrcpy_base(p,"WrLeh",param);
-	p = skip_string(p,1);
+	p = skip_string(param,sizeof(param),p,1);
 	pstrcpy_base(p,"B13BWz",param);
-	p = skip_string(p,1);
+	p = skip_string(param,sizeof(param),p,1);
 	SSVAL(p,0,1);
 	/*
 	 * Win2k needs a *smaller* buffer than 0xFFFF here -
@@ -225,11 +225,11 @@ BOOL cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
 	SSVAL(p,0,0x68); /* api number */
 	p += 2;
 	pstrcpy_base(p,"WrLehDz", param);
-	p = skip_string(p,1);
+	p = skip_string(param,sizeof(param),p,1);
   
 	pstrcpy_base(p,"B16BBDz", param);
 
-	p = skip_string(p,1);
+	p = skip_string(param,sizeof(param),p,1);
 	SSVAL(p,0,uLevel);
 	SSVAL(p,2,CLI_BUFFER_SIZE);
 	p += 4;
@@ -314,11 +314,11 @@ BOOL cli_oem_change_password(struct cli_state *cli, const char *user, const char
 	SSVAL(p,0,214); /* SamOEMChangePassword command. */
 	p += 2;
 	pstrcpy_base(p, "zsT", param);
-	p = skip_string(p,1);
+	p = skip_string(param,sizeof(param),p,1);
 	pstrcpy_base(p, "B516B16", param);
-	p = skip_string(p,1);
+	p = skip_string(param,sizeof(param),p,1);
 	pstrcpy_base(p,user, param);
-	p = skip_string(p,1);
+	p = skip_string(param,sizeof(param),p,1);
 	SSVAL(p,0,532);
 	p += 2;
 

source3/libsmb/clirap2.c

@@ -91,7 +91,7 @@
 /* put string s at p with max len n and increment p past string */
 #define PUTSTRING(p,s,n) do {\
   push_ascii(p,s?s:"",n?n:256,STR_TERMINATE);\
-  p = skip_string(p,1);\
+  p = push_skip_string(p,1);\
   } while(0)
 /* put string s and p, using fixed len l, and increment p by l */
 #define PUTSTRINGF(p,s,l) do {\
@@ -111,7 +111,7 @@
 /* get asciiz string s from p, increment p past string */
 #define GETSTRING(p,s) do {\
   pull_ascii_pstring(s,p);\
-  p = skip_string(p,1);\
+  p = push_skip_string(p,1);\
   } while(0)
 /* get fixed length l string s from p, increment p by l */
 #define GETSTRINGF(p,s,l) do {\

source3/nmbd/nmbd_browsesync.c

@@ -125,7 +125,7 @@ static void announce_local_master_browser_to_domain_master_browser( struct work_
 	/* The call below does CH_UNIX -> CH_DOS conversion. JRA */
 	push_pstring_base(p, myname, outbuf);
 
-	p = skip_string(p,1);
+	p = skip_string(outbuf,sizeof(outbuf),p,1);
 
 	if( DEBUGLVL( 4 ) ) {
 		dbgtext( "announce_local_master_browser_to_domain_master_browser:\n" );

source3/nmbd/nmbd_elections.c

@@ -53,7 +53,7 @@ static void send_election_dgram(struct subnet_record *subrec, const char *workgr
 	strupper_m(srv_name);
 	/* The following call does UNIX -> DOS charset conversion. */
 	pstrcpy_base(p, srv_name, outbuf);
-	p = skip_string(p,1);
+	p = skip_string(outbuf,sizeof(outbuf),p,1);
   
 	send_mailslot(False, BROWSE_MAILSLOT, outbuf, PTR_DIFF(p,outbuf),
 		global_myname(), 0,

source3/nmbd/nmbd_incomingdgrams.c

@@ -416,7 +416,7 @@ done:
   Process an incoming LanMan host announcement packet.
 *******************************************************************/
 
-void process_lm_host_announce(struct subnet_record *subrec, struct packet_struct *p, char *buf)
+void process_lm_host_announce(struct subnet_record *subrec, struct packet_struct *p, char *buf, int len)
 {
 	struct dgram_packet *dgram = &p->packet.dgram;
 	uint32 servertype = IVAL(buf,1);
@@ -429,10 +429,16 @@ void process_lm_host_announce(struct subnet_record *subrec, struct packet_struct
 	unstring work_name;
 	unstring source_name;
 	fstring comment;
-	char *s = buf+9;
+	char *s = get_safe_offset(buf,len,buf,9);
 
+	if (!s) {
+		return;
+	}
 	START_PROFILE(lm_host_announce);
-	s = skip_string(s,1);
+	s = skip_string(buf,len,s,1);
+	if (!s) {
+		return;
+	}
 	pull_ascii(comment, s, sizeof(fstring), 43, STR_TERMINATE);
 
 	pull_ascii_nstring(announce_name,sizeof(announce_name),buf+9);
@@ -568,7 +574,7 @@ static void send_backup_list_response(struct subnet_record *subrec,
 	myname[15]='\0';
 	push_pstring_base(p, myname, outbuf);
 
-	p = skip_string(p,1);
+	p = skip_string(outbuf,sizeof(outbuf),p,1);
 
 	/* Look for backup browsers in this workgroup. */
 
@@ -604,7 +610,7 @@ static void send_backup_list_response(struct subnet_record *subrec,
     DEBUG(5,("send_backup_list_response: Adding server %s number %d\n",
               p, count));
 
-    p = skip_string(p,1);
+    p = skip_string(outbuf,sizeof(outbuf),p,1);
   }
 #endif
 
@@ -809,7 +815,7 @@ done:
   through the "lm announce" parameter in smb.conf)
 ******************************************************************/
 
-void process_lm_announce_request(struct subnet_record *subrec, struct packet_struct *p, char *buf)
+void process_lm_announce_request(struct subnet_record *subrec, struct packet_struct *p, char *buf, int len)
 {
 	struct dgram_packet *dgram = &p->packet.dgram;
 	unstring workgroup_name;

source3/nmbd/nmbd_packets.c

@@ -1153,10 +1153,10 @@ mismatch with our scope (%s).\n", inet_ntoa(p->ip), scope, global_scope()));
 	switch (command) {
 		case ANN_HostAnnouncement:
 			debug_browse_data(buf, len);
-			process_lm_host_announce(subrec, p, buf+1);
+			process_lm_host_announce(subrec, p, buf+1, len > 1 ? len-1 : 0);
 			break;
 		case ANN_AnnouncementRequest:
-			process_lm_announce_request(subrec, p, buf+1);
+			process_lm_announce_request(subrec, p, buf+1, len > 1 ? len-1 : 0);
 			break;
 		default:
 			DEBUG(0,("process_lanman_packet: On subnet %s ignoring browse packet \
@@ -1899,7 +1899,7 @@ BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf, size_t len,
 	SSVAL(ptr,smb_vwv16,2);
 	p2 = smb_buf(ptr);
 	safe_strcpy_base(p2, mailslot, dgram->data, sizeof(dgram->data));
-	p2 = skip_string(p2,1);
+	p2 = skip_string(ptr,MAX_DGRAM_SIZE,p2,1);
   
 	if (((p2+len) > dgram->data+sizeof(dgram->data)) || ((p2+len) < p2)) {
 		DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n"));

source3/nmbd/nmbd_processlogon.c

@@ -91,7 +91,7 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
 
 	pstrcpy(my_name, global_myname());
 
-	code = SVAL(buf,0);
+	code = get_safe_offset(buf,len,buf,2) ? SVAL(buf,0) : -1;
 	DEBUG(4,("process_logon_packet: Logon from %s: code = 0x%x\n", inet_ntoa(p->ip), code));
 
 	switch (code) {
@@ -100,21 +100,21 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
 				fstring mach_str, user_str, getdc_str;
 				char *q = buf + 2;
 				char *machine = q;
-				char *user = skip_string(machine,1);
+				char *user = skip_string(buf,len,machine,1);
 
-				if (PTR_DIFF(user, buf) >= len) {
+				if (!user || PTR_DIFF(user, buf) >= len) {
 					DEBUG(0,("process_logon_packet: bad packet\n"));
 					return;
 				}
-				getdc = skip_string(user,1);
+				getdc = skip_string(buf,len,user,1);
 
-				if (PTR_DIFF(getdc, buf) >= len) {
+				if (!getdc || PTR_DIFF(getdc, buf) >= len) {
 					DEBUG(0,("process_logon_packet: bad packet\n"));
 					return;
 				}
-				q = skip_string(getdc,1);
+				q = skip_string(buf,len,getdc,1);
 
-				if (PTR_DIFF(q + 5, buf) > len) {
+				if (!q || PTR_DIFF(q + 5, buf) > len) {
 					DEBUG(0,("process_logon_packet: bad packet\n"));
 					return;
 				}
@@ -136,7 +136,7 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
 				fstrcpy(reply_name, "\\\\");
 				fstrcat(reply_name, my_name);
 				push_ascii_fstring(q, reply_name);
-				q = skip_string(q, 1); /* PDC name */
+				q = skip_string(outbuf,sizeof(outbuf),q, 1); /* PDC name */
 
 				SSVAL(q, 0, token);
 				q += 2;
@@ -164,15 +164,15 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
 					return;
 				}
 
-				getdc = skip_string(machine,1);
+				getdc = skip_string(buf,len,machine,1);
 
-				if (PTR_DIFF(getdc, buf) >= len) {
+				if (!getdc || PTR_DIFF(getdc, buf) >= len) {
 					DEBUG(0,("process_logon_packet: bad packet\n"));
 					return;
 				}
-				q = skip_string(getdc,1);
+				q = skip_string(buf,len,getdc,1);
 
-				if (PTR_DIFF(q, buf) >= len) {
+				if (!q || PTR_DIFF(q, buf) >= len) {
 					DEBUG(0,("process_logon_packet: bad packet\n"));
 					return;
 				}
@@ -232,7 +232,7 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
 
 				fstrcpy(reply_name,my_name);
 				push_ascii_fstring(q, reply_name);
-				q = skip_string(q, 1); /* PDC name */
+				q = skip_string(outbuf,sizeof(outbuf),q, 1); /* PDC name */
 
 				/* PDC and domain name */
 				if (!short_request) {
@@ -301,9 +301,9 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
 					return;
 				}
 
-				q = skip_string(getdc,1);
+				q = skip_string(buf,len,getdc,1);
 
-				if (PTR_DIFF(q + 8, buf) >= len) {
+				if (!q || PTR_DIFF(q + 8, buf) >= len) {
 					DEBUG(0,("process_logon_packet: bad packet\n"));
 					return;
 				}
@@ -540,16 +540,16 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
           
 				/* Domain info */
           
-				q = skip_string(q, 1);    /* PDC name */
+				q = skip_string(buf,len,q, 1);    /* PDC name */
 
-				if (PTR_DIFF(q, buf) >= len) {
+				if (!q || PTR_DIFF(q, buf) >= len) {
 					DEBUG(0,("process_logon_packet: bad packet\n"));
 					return;
 				}
 
-				q = skip_string(q, 1);    /* Domain name */
+				q = skip_string(buf,len,q, 1);    /* Domain name */
 
-				if (PTR_DIFF(q, buf) >= len) {
+				if (!q || PTR_DIFF(q, buf) >= len) {
 					DEBUG(0,("process_logon_packet: bad packet\n"));
 					return;
 				}

source3/nmbd/nmbd_sendannounce.c

@@ -566,7 +566,7 @@ for workgroup %s on subnet %s.\n", lp_workgroup(), FIRST_SUBNET->subnet_name ));
 	myname[15]='\0';
 	push_pstring_base(p, myname, outbuf);
 
-	p = skip_string(p,1);
+	p = skip_string(outbuf,sizeof(outbuf),p,1);
 
 	for (ptr=s; next_token(&ptr,s2,NULL,sizeof(s2)); ) {
 		/* The entries are of the form a.b.c.d */