sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-10 13:57:47 +03:00
Code

r24006: Some more paranoia in reply_negprot

Browse Source 
Some hosts see the smb_bufrem(req->inbuf, p) as an unsigned int. And as
the p += strlen(p) + 2 went one beyond the buffer, this was a very
large positive. Also take the chance to add one more consistency check.
This commit is contained in:
Volker Lendecke 2007-07-23 14:36:54 +00:00 committed by Gerald (Jerry) Carter
parent cdc8ca57a7
commit 3673707f9f
1 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
source/smbd/negprot.c
View File

@ -533,7 +533,7 @@ void reply_negprot(connection_struct *conn, struct smb_request *req)
return;
}
p = smb_buf(req->inbuf)+1;
p = smb_buf(req->inbuf);
num_cliprotos = 0;
cliprotos = NULL;
@ -541,6 +541,16 @@ void reply_negprot(connection_struct *conn, struct smb_request *req)
while (smb_bufrem(req->inbuf, p) > 0) {
char **tmp;
if (p[0] != 0x02) {
DEBUG(3, ("Invalid string specifier %x, expected "
"0x02\n", (int)p[0]));
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
END_PROFILE(SMBnegprot);
return;
}
p += 1; /* Skip the "0x02" */
tmp = TALLOC_REALLOC_ARRAY(tmp_talloc_ctx(), cliprotos, char *,
num_cliprotos+1);
if (tmp == NULL) {
@ -566,7 +576,7 @@ void reply_negprot(connection_struct *conn, struct smb_request *req)
cliprotos[num_cliprotos]));
num_cliprotos += 1;
p += strlen(p) + 2;
p += strlen(p) + 1;
}
for (i=0; i<num_cliprotos; i++) {