mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
libcli/smb: fix parsing of compounded messages within a SMB2_TRANSFORM pdu
One SMB2_TRANSFORM pdu wraps multiple SMB2 pdus. We inject the SMB2_TRANSFORM header to each response which was wrapped inside. This allows the next layer to verify if the SMB2 pdu was encrypted. metze
This commit is contained in:
parent
84f6b0f962
commit
7a7e9b1c76
@ -2953,6 +2953,9 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
|
|||||||
int num_iov = 0;
|
int num_iov = 0;
|
||||||
size_t taken = 0;
|
size_t taken = 0;
|
||||||
uint8_t *first_hdr = buf;
|
uint8_t *first_hdr = buf;
|
||||||
|
size_t verified_buflen = 0;
|
||||||
|
uint8_t *tf = NULL;
|
||||||
|
size_t tf_len = 0;
|
||||||
|
|
||||||
iov = talloc_array(mem_ctx, struct iovec, num_iov);
|
iov = talloc_array(mem_ctx, struct iovec, num_iov);
|
||||||
if (iov == NULL) {
|
if (iov == NULL) {
|
||||||
@ -2960,8 +2963,6 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
|
|||||||
}
|
}
|
||||||
|
|
||||||
while (taken < buflen) {
|
while (taken < buflen) {
|
||||||
uint8_t *tf = NULL;
|
|
||||||
size_t tf_len = 0;
|
|
||||||
size_t len = buflen - taken;
|
size_t len = buflen - taken;
|
||||||
uint8_t *hdr = first_hdr + taken;
|
uint8_t *hdr = first_hdr + taken;
|
||||||
struct iovec *cur;
|
struct iovec *cur;
|
||||||
@ -2970,6 +2971,13 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
|
|||||||
uint16_t body_size;
|
uint16_t body_size;
|
||||||
struct iovec *iov_tmp;
|
struct iovec *iov_tmp;
|
||||||
|
|
||||||
|
if (verified_buflen > taken) {
|
||||||
|
len = verified_buflen - taken;
|
||||||
|
} else {
|
||||||
|
tf = NULL;
|
||||||
|
tf_len = 0;
|
||||||
|
}
|
||||||
|
|
||||||
if (len < 4) {
|
if (len < 4) {
|
||||||
DEBUG(10, ("%d bytes left, expected at least %d\n",
|
DEBUG(10, ("%d bytes left, expected at least %d\n",
|
||||||
(int)len, 4));
|
(int)len, 4));
|
||||||
@ -3020,6 +3028,8 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
|
|||||||
TALLOC_FREE(iov);
|
TALLOC_FREE(iov);
|
||||||
return status;
|
return status;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
verified_buflen = taken + len;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -3053,9 +3063,6 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
|
|||||||
if (next_command_ofs > full_size) {
|
if (next_command_ofs > full_size) {
|
||||||
goto inval;
|
goto inval;
|
||||||
}
|
}
|
||||||
if (tf && next_command_ofs < len) {
|
|
||||||
goto inval;
|
|
||||||
}
|
|
||||||
full_size = next_command_ofs;
|
full_size = next_command_ofs;
|
||||||
}
|
}
|
||||||
if (body_size < 2) {
|
if (body_size < 2) {
|
||||||
|
Loading…
Reference in New Issue
Block a user