1
0
mirror of https://github.com/samba-team/samba.git synced 2025-07-30 19:42:05 +03:00

Remove pstrings. Ensure we validate offsets.

Jeremy.
(This used to be commit ff06cc34e6)
This commit is contained in:
Jeremy Allison
2007-11-29 13:24:14 -08:00
parent ce2844f30d
commit 42c87fe6e6

View File

@ -1,18 +1,18 @@
/*
/*
Unix SMB/CIFS implementation.
client directory list routines
Copyright (C) Andrew Tridgell 1994-1998
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@ -21,6 +21,22 @@
extern file_info def_finfo;
/****************************************************************************
Calculate a safe next_entry_offset.
****************************************************************************/
static size_t calc_next_entry_offset(const char *base, const char *pdata_end)
{
size_t next_entry_offset = (size_t)IVAL(base,0);
if (next_entry_offset == 0 ||
base + next_entry_offset < base ||
base + next_entry_offset > pdata_end) {
next_entry_offset = pdata_end - base;
}
return next_entry_offset;
}
/****************************************************************************
Interpret a long filename structure - this is mostly guesses at the moment.
The length of the structure is returned
@ -28,12 +44,19 @@ extern file_info def_finfo;
by NT and 2 is used by OS/2
****************************************************************************/
static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,file_info *finfo,
uint32 *p_resume_key, DATA_BLOB *p_last_name_raw, uint32 *p_last_name_raw_len)
static size_t interpret_long_filename(struct cli_state *cli,
int level,
const char *p,
const char *pdata_end,
file_info *finfo,
uint32 *p_resume_key,
DATA_BLOB *p_last_name_raw)
{
file_info finfo2;
int len;
char *base = p;
const char *base = p;
data_blob_free(p_last_name_raw);
if (!finfo) {
finfo = &finfo2;
@ -49,6 +72,9 @@ static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,f
case 1: /* OS/2 understands this */
/* these dates are converted to GMT by
make_unix_date */
if (pdata_end - base < 27) {
return pdata_end - base;
}
finfo->ctime_ts = convert_time_t_to_timespec(cli_make_unix_date2(cli, p+4));
finfo->atime_ts = convert_time_t_to_timespec(cli_make_unix_date2(cli, p+8));
finfo->mtime_ts = convert_time_t_to_timespec(cli_make_unix_date2(cli, p+12));
@ -57,19 +83,25 @@ static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,f
len = CVAL(p, 26);
p += 27;
p += clistr_align_in(cli, p, 0);
if (p + len + 2 > pdata_end) {
return pdata_end - base;
}
/* the len+2 below looks strange but it is
important to cope with the differences
between win2000 and win9x for this call
(tridge) */
p += clistr_pull(cli, finfo->name, p,
sizeof(finfo->name),
len+2,
len+2,
STR_TERMINATE);
return PTR_DIFF(p, base);
case 2: /* this is what OS/2 uses mostly */
/* these dates are converted to GMT by
make_unix_date */
if (pdata_end - base < 31) {
return pdata_end - base;
}
finfo->ctime_ts = convert_time_t_to_timespec(cli_make_unix_date2(cli, p+4));
finfo->atime_ts = convert_time_t_to_timespec(cli_make_unix_date2(cli, p+8));
finfo->mtime_ts = convert_time_t_to_timespec(cli_make_unix_date2(cli, p+12));
@ -78,22 +110,30 @@ static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,f
len = CVAL(p, 30);
p += 31;
/* check for unisys! */
if (p + len + 1 > pdata_end) {
return pdata_end - base;
}
p += clistr_pull(cli, finfo->name, p,
sizeof(finfo->name),
len,
len,
STR_NOALIGN);
return PTR_DIFF(p, base) + 1;
case 260: /* NT uses this, but also accepts 2 */
{
size_t namelen, slen;
if (pdata_end - base < 94) {
return pdata_end - base;
}
p += 4; /* next entry offset */
if (p_resume_key) {
*p_resume_key = IVAL(p,0);
}
p += 4; /* fileindex */
/* Offset zero is "create time", not "change time". */
p += 8;
finfo->atime_ts = interpret_long_date(p);
@ -111,7 +151,11 @@ static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,f
p += 4;
p += 4; /* EA size */
slen = SVAL(p, 0);
p += 2;
if (slen > 24) {
/* Bad short name length. */
return pdata_end - base;
}
p += 2;
{
/* stupid NT bugs. grr */
int flags = 0;
@ -120,7 +164,10 @@ static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,f
sizeof(finfo->short_name),
slen, flags);
}
p += 24; /* short name? */
p += 24; /* short name? */
if (p + namelen < p || p + namelen > pdata_end) {
return pdata_end - base;
}
clistr_pull(cli, finfo->name, p,
sizeof(finfo->name),
namelen, 0);
@ -130,29 +177,24 @@ static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,f
Namelen doesn't include the terminating unicode null, so
copy it here. */
if (p_last_name_raw && p_last_name_raw_len) {
if (namelen + 2 > p_last_name_raw->length) {
memset(p_last_name_raw->data, '\0', sizeof(p_last_name_raw->length));
*p_last_name_raw_len = 0;
} else {
memcpy(p_last_name_raw->data, p, namelen);
SSVAL(p_last_name_raw->data, namelen, 0);
*p_last_name_raw_len = namelen + 2;
}
if (p_last_name_raw) {
*p_last_name_raw = data_blob(NULL, namelen+2);
memcpy(p_last_name_raw->data, p, namelen);
SSVAL(p_last_name_raw->data, namelen, 0);
}
return (size_t)IVAL(base, 0);
return calc_next_entry_offset(base, pdata_end);
}
}
DEBUG(1,("Unknown long filename format %d\n",level));
return (size_t)IVAL(base,0);
return calc_next_entry_offset(base, pdata_end);
}
/****************************************************************************
Do a directory listing, calling fn on each file found.
****************************************************************************/
int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
void (*fn)(const char *, file_info *, const char *, void *), void *state)
{
#if 1
@ -161,8 +203,8 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
int max_matches = 512;
#endif
int info_level;
char *p, *p2;
pstring mask;
char *p, *p2, *rdata_end;
char *mask = NULL;
file_info finfo;
int i;
char *dirlist = NULL;
@ -174,19 +216,21 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
int ff_dir_handle=0;
int loop_count = 0;
char *rparam=NULL, *rdata=NULL;
unsigned int param_len, data_len;
unsigned int param_len, data_len;
uint16 setup;
pstring param;
char param[1024];
const char *mnt;
uint32 resume_key = 0;
uint32 last_name_raw_len = 0;
DATA_BLOB last_name_raw = data_blob(NULL, 2*sizeof(pstring));
DATA_BLOB last_name_raw = data_blob(NULL, 0);
/* NT uses 260, OS/2 uses 2. Both accept 1. */
info_level = (cli->capabilities&CAP_NT_SMBS)?260:1;
pstrcpy(mask,Mask);
mask = SMB_STRDUP(Mask);
if (!mask) {
return -1;
}
while (ff_eos == 0) {
loop_count++;
if (loop_count > 200) {
@ -199,16 +243,16 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
SSVAL(param,0,attribute); /* attribute */
SSVAL(param,2,max_matches); /* max count */
SSVAL(param,4,(FLAG_TRANS2_FIND_REQUIRE_RESUME|FLAG_TRANS2_FIND_CLOSE_IF_END)); /* resume required + close on end */
SSVAL(param,6,info_level);
SSVAL(param,6,info_level);
SIVAL(param,8,0);
p = param+12;
p += clistr_push(cli, param+12, mask, sizeof(param)-12,
p += clistr_push(cli, param+12, mask, sizeof(param)-12,
STR_TERMINATE);
} else {
setup = TRANSACT2_FINDNEXT;
SSVAL(param,0,ff_dir_handle);
SSVAL(param,2,max_matches); /* max count */
SSVAL(param,4,info_level);
SSVAL(param,4,info_level);
/* For W2K servers serving out FAT filesystems we *must* set the
resume key. If it's not FAT then it's returned as zero. */
SIVAL(param,6,resume_key); /* ff_resume_key */
@ -216,9 +260,9 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
can miss filenames. Use last filename continue instead. JRA */
SSVAL(param,10,(FLAG_TRANS2_FIND_REQUIRE_RESUME|FLAG_TRANS2_FIND_CLOSE_IF_END)); /* resume required + close on end */
p = param+12;
if (last_name_raw_len && (last_name_raw_len < (sizeof(param)-12))) {
memcpy(p, last_name_raw.data, last_name_raw_len);
p += last_name_raw_len;
if (last_name_raw.length && (last_name_raw.length < (sizeof(param)-12))) {
memcpy(p, last_name_raw.data, last_name_raw.length);
p += last_name_raw.length;
} else {
p += clistr_push(cli, param+12, mask, sizeof(param)-12, STR_TERMINATE);
}
@ -226,12 +270,12 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
param_len = PTR_DIFF(p, param);
if (!cli_send_trans(cli, SMBtrans2,
if (!cli_send_trans(cli, SMBtrans2,
NULL, /* Name */
-1, 0, /* fid, flags */
&setup, 1, 0, /* setup, length, max */
param, param_len, 10, /* param, length, max */
NULL, 0,
NULL, 0,
#if 0
/* w2k value. */
MIN(16384,cli->max_xmit) /* data, length, max. */
@ -242,7 +286,7 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
break;
}
if (!cli_receive_trans(cli, SMBtrans2,
if (!cli_receive_trans(cli, SMBtrans2,
&rparam, &param_len,
&rdata, &data_len) &&
cli_is_dos_error(cli)) {
@ -289,15 +333,21 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
/* point to the data bytes */
p = rdata;
rdata_end = rdata + data_len;
/* we might need the lastname for continuations */
for (p2=p,i=0;i<ff_searchcount;i++) {
for (p2=p,i=0;i<ff_searchcount && p2 < rdata_end;i++) {
if ((info_level == 260) && (i == ff_searchcount-1)) {
/* Last entry - fixup the last offset length. */
SIVAL(p2,0,PTR_DIFF((rdata + data_len),p2));
}
p2 += interpret_long_filename(cli,info_level,p2,&finfo,
&resume_key,&last_name_raw,&last_name_raw_len);
p2 += interpret_long_filename(cli,
info_level,
p2,
rdata_end,
&finfo,
&resume_key,
&last_name_raw);
if (!First && *mask && strcsequal(finfo.name, mask)) {
DEBUG(0,("Error: Looping in FIND_NEXT as name %s has already been seen?\n",
@ -307,10 +357,16 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
}
}
SAFE_FREE(mask);
if (ff_searchcount > 0) {
pstrcpy(mask, finfo.name);
mask = SMB_STRDUP(finfo.name);
} else {
pstrcpy(mask,"");
mask = SMB_STRDUP("");
}
if (!mask) {
SAFE_FREE(rdata);
SAFE_FREE(rparam);
break;
}
/* grab the data for later use */
@ -348,9 +404,15 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
total_received = -1;
} else {
/* no connection problem. let user function add each entry */
rdata_end = dirlist + dirlist_len;
for (p=dirlist,i=0;i<total_received;i++) {
p += interpret_long_filename(cli, info_level, p,
&finfo,NULL,NULL,NULL);
p += interpret_long_filename(cli,
info_level,
p,
rdata_end,
&finfo,
NULL,
NULL);
fn( mnt,&finfo, Mask, state );
}
}
@ -358,6 +420,7 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
/* free up the dirlist buffer and last name raw blob */
SAFE_FREE(dirlist);
data_blob_free(&last_name_raw);
SAFE_FREE(mask);
return(total_received);
}
@ -373,7 +436,7 @@ static int interpret_short_filename(struct cli_state *cli, char *p,file_info *fi
finfo->cli = cli;
finfo->mode = CVAL(p,21);
/* this date is converted to GMT by make_unix_date */
finfo->ctime_ts.tv_sec = cli_make_unix_date(cli, p+22);
finfo->ctime_ts.tv_nsec = 0;
@ -396,7 +459,7 @@ static int interpret_short_filename(struct cli_state *cli, char *p,file_info *fi
but should otherwise not be used.
****************************************************************************/
int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute,
int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute,
void (*fn)(const char *, file_info *, const char *, void *), void *state)
{
char *p;
@ -407,12 +470,15 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute,
int num_received = 0;
int i;
char *dirlist = NULL;
pstring mask;
char *mask = NULL;
ZERO_ARRAY(status);
pstrcpy(mask,Mask);
mask = SMB_STRDUP(Mask);
if (!mask) {
return -1;
}
while (1) {
memset(cli->outbuf,'\0',smb_size);
memset(cli->inbuf,'\0',smb_size);
@ -426,10 +492,10 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute,
SSVAL(cli->outbuf,smb_vwv0,num_asked);
SSVAL(cli->outbuf,smb_vwv1,attribute);
p = smb_buf(cli->outbuf);
*p++ = 4;
p += clistr_push(cli, p, first?mask:"", -1, STR_TERMINATE);
*p++ = 5;
if (first) {
@ -455,6 +521,7 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute,
dirlist,(num_received + received)*DIR_STRUCT_SIZE);
if (!dirlist) {
DEBUG(0,("cli_list_old: failed to expand dirlist"));
SAFE_FREE(mask);
return 0;
}
@ -462,11 +529,11 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute,
memcpy(dirlist+num_received*DIR_STRUCT_SIZE,
p,received*DIR_STRUCT_SIZE);
memcpy(status,p + ((received-1)*DIR_STRUCT_SIZE),21);
num_received += received;
if (cli_is_error(cli)) break;
}
@ -491,7 +558,7 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute,
p += 2;
memcpy(p,status,21);
p += 21;
cli_setup_bcc(cli, p);
cli_send_smb(cli);
if (!cli_receive_smb(cli)) {
@ -505,6 +572,7 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute,
fn("\\", &finfo, Mask, state);
}
SAFE_FREE(mask);
SAFE_FREE(dirlist);
return(num_received);
}
@ -514,7 +582,7 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute,
This auto-switches between old and new style.
****************************************************************************/
int cli_list(struct cli_state *cli,const char *Mask,uint16 attribute,
int cli_list(struct cli_state *cli,const char *Mask,uint16 attribute,
void (*fn)(const char *, file_info *, const char *, void *), void *state)
{
if (cli->protocol <= PROTOCOL_LANMAN1)