sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-05 21:57:51 +03:00
Code

r13585: Sorry Gunther, had to revert this. It's got a buffer

Browse Source 
overrun. Spoke to Jerry about the correct fix. Will add
this after.
Jeremy.
This commit is contained in:
Jeremy Allison 2006-02-21 03:08:42 +00:00 committed by Gerald (Jerry) Carter
parent 9732490811
commit 33e13aabd3
3 changed files with 12 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
source/include/authdata.h
View File

@ -42,7 +42,7 @@
typedef struct pac_logon_name {
NTTIME logon_time;
uint16 len;
fstring username;
uint16 *username; /* might not be null terminated, so not UNISTR */
} PAC_LOGON_NAME;
typedef struct pac_signature_data {

14
source/libads/authdata.c
View File

@ -42,7 +42,16 @@ static BOOL pac_io_logon_name(const char *desc, PAC_LOGON_NAME *logon_name,
if (!prs_uint16("len", ps, depth, &logon_name->len))
return False;
if (!prs_string_len("name", ps, depth, logon_name->username, logon_name->len))
if (UNMARSHALLING(ps) && logon_name->len) {
logon_name->username = PRS_ALLOC_MEM(ps, uint16, logon_name->len);
if (!logon_name->username) {
DEBUG(3, ("No memory available\n"));
return False;
}
}
if (!prs_uint16s(True, "name", ps, depth, logon_name->username,
(logon_name->len / sizeof(uint16))))
return False;
return True;
@ -882,8 +891,7 @@ static void dump_pac_logon_info(PAC_LOGON_INFO *logon_info) {
nt_status = NT_STATUS_INVALID_PARAMETER;
goto out;
}
rpcstr_pull(username, logon_name->username, sizeof(username), logon_name->len, 0);
rpcstr_pull(username, logon_name->username, sizeof(username), -1, STR_TERMINATE);
ret = smb_krb5_parse_name_norealm(context, username, &client_principal_pac);
if (ret) {

43
source/rpc_parse/parse_prs.c
View File

@ -1332,49 +1332,6 @@ BOOL prs_string_alloc(const char *name, prs_struct *ps, int depth, const char **
return True;
}
/*******************************************************************
Stream a null-terminated string of fixed len.
********************************************************************/
BOOL prs_string_len(const char *name, prs_struct *ps, int depth, char *str, int len)
{
char *q;
int i;
BOOL charmode = True;
q = prs_mem_get(ps, len+1);
if (q == NULL)
return False;
for(i = 0; i < len; i++) {
if (UNMARSHALLING(ps))
str[i] = q[i];
else
q[i] = str[i];
}
/* The terminating null. */
str[i] = '\0';
if (MARSHALLING(ps)) {
q[i] = '\0';
}
ps->data_offset += len+1;
DEBUG(5,("%s%04x %s: ", tab_depth(depth), ps->data_offset, name));
if (charmode) {
print_asc(5, (unsigned char*)str, len);
} else {
for (i = 0; i < len; i++)
DEBUG(5,("%04x ", str[i]));
}
DEBUG(5,("\n"));
return True;
}
/*******************************************************************
prs_uint16 wrapper. Call this and it sets up a pointer to where the
uint16 should be stored, or gets the size if reading.