libcli/smb: fix parsing of compounded messages within a SMB2_TRANSFORM pdu

One SMB2_TRANSFORM pdu wraps multiple SMB2 pdus.

We inject the SMB2_TRANSFORM header to each response which was wrapped
inside. This allows the next layer to verify if the SMB2 pdu was encrypted.

metze

libcli/smb/smbXcli_base.c

@@ -2953,6 +2953,9 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
 	int num_iov = 0;
 	size_t taken = 0;
 	uint8_t *first_hdr = buf;
+	size_t verified_buflen = 0;
+	uint8_t *tf = NULL;
+	size_t tf_len = 0;
 
 	iov = talloc_array(mem_ctx, struct iovec, num_iov);
 	if (iov == NULL) {
@@ -2960,8 +2963,6 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
 	}
 
 	while (taken < buflen) {
-		uint8_t *tf = NULL;
-		size_t tf_len = 0;
 		size_t len = buflen - taken;
 		uint8_t *hdr = first_hdr + taken;
 		struct iovec *cur;
@@ -2970,6 +2971,13 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
 		uint16_t body_size;
 		struct iovec *iov_tmp;
 
+		if (verified_buflen > taken) {
+			len = verified_buflen - taken;
+		} else {
+			tf = NULL;
+			tf_len = 0;
+		}
+
 		if (len < 4) {
 			DEBUG(10, ("%d bytes left, expected at least %d\n",
 				   (int)len, 4));
@@ -3020,6 +3028,8 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
 				TALLOC_FREE(iov);
 				return status;
 			}
+
+			verified_buflen = taken + len;
 		}
 
 		/*
@@ -3053,9 +3063,6 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
 			if (next_command_ofs > full_size) {
 				goto inval;
 			}
-			if (tf && next_command_ofs < len) {
-				goto inval;
-			}
 			full_size = next_command_ofs;
 		}
 		if (body_size < 2) {