mirror of
https://github.com/samba-team/samba.git
synced 2025-01-25 06:04:04 +03:00
libcli/smb: fix padding in smb2_create_blob*
metze
parent
98d90c02f0
commit
aa5caf1fe9
@ -61,10 +61,10 @@ NTSTATUS smb2_create_blob_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB buffer,
|
|||||||
|
|
||||||
if ((next & 0x7) != 0 ||
|
if ((next & 0x7) != 0 ||
|
||||||
next > remaining ||
|
next > remaining ||
|
||||||
name_offset < 16 ||
|
name_offset != 16 ||
|
||||||
name_offset > remaining ||
|
name_length < 4 ||
|
||||||
name_length != 4 || /* windows enforces this */
|
|
||||||
name_offset + name_length > remaining ||
|
name_offset + name_length > remaining ||
|
||||||
|
(data_offset & 0x7) != 0 ||
|
||||||
(data_offset && (data_offset < name_offset + name_length)) ||
|
(data_offset && (data_offset < name_offset + name_length)) ||
|
||||||
(data_offset && (data_offset > remaining)) ||
|
(data_offset && (data_offset > remaining)) ||
|
||||||
(data_offset && data_length &&
|
(data_offset && data_length &&
|
||||||
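Review bot: Relaxing the tag-length test from `name_length != 4` to `name_length < 4` leaves `name_offset + name_length > remaining` as the only upper bound on the tag, and that sum can wrap if these locals are 32-bit unsigned (their declarations are outside the hunk, so this needs confirming). A wrapped sum would also weaken the `data_offset < name_offset + name_length` comparison that follows it. Since `name_offset` is now pinned to 16, the bound can be written without an addition: `remaining < 16 ||` followed by `name_length > remaining - name_offset ||`. The condition continues past the end of the hunk, so the `data_offset`/`data_length` bound that starts on the last visible line should be checked the same way.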
@ -108,25 +108,44 @@ static NTSTATUS smb2_create_blob_push_one(TALLOC_CTX *mem_ctx, DATA_BLOB *buffer
|
|||||||
{
|
{
|
||||||
uint32_t ofs = buffer->length;
|
uint32_t ofs = buffer->length;
|
||||||
size_t tag_length = strlen(blob->tag);
|
size_t tag_length = strlen(blob->tag);
|
||||||
uint8_t pad = smb2_create_blob_padding(blob->data.length+tag_length, 4);
|
size_t blob_offset = 0;
|
||||||
|
size_t blob_pad = 0;
|
||||||
|
size_t next_offset = 0;
|
||||||
|
size_t next_pad = 0;
|
||||||
|
bool ok;
|
||||||
|
|
||||||
if (!data_blob_realloc(mem_ctx, buffer,
|
blob_offset = 0x14 + tag_length;
|
||||||
buffer->length + 0x14 + tag_length + blob->data.length + pad))
|
blob_pad = smb2_create_blob_padding(blob_offset, 8);
|
||||||
|
next_offset = blob_offset + blob_pad + blob->data.length;
|
||||||
|
if (!last) {
|
||||||
|
next_pad = smb2_create_blob_padding(next_offset, 8);
|
||||||
|
}
|
||||||
|
|
||||||
|
ok = data_blob_realloc(mem_ctx, buffer,
|
||||||
|
buffer->length + next_offset + next_pad);
|
||||||
|
if (!ok) {
|
||||||
return NT_STATUS_NO_MEMORY;
|
return NT_STATUS_NO_MEMORY;
|
||||||
|
}
|
||||||
|
|
||||||
if (last) {
|
if (last) {
|
||||||
SIVAL(buffer->data, ofs+0x00, 0);
|
SIVAL(buffer->data, ofs+0x00, 0);
|
||||||
} else {
|
} else {
|
||||||
SIVAL(buffer->data, ofs+0x00, 0x14 + tag_length + blob->data.length + pad);
|
SIVAL(buffer->data, ofs+0x00, next_offset + next_pad);
|
||||||
}
|
}
|
||||||
SSVAL(buffer->data, ofs+0x04, 0x10); /* offset of tag */
|
SSVAL(buffer->data, ofs+0x04, 0x10); /* offset of tag */
|
||||||
SIVAL(buffer->data, ofs+0x06, tag_length); /* tag length */
|
SIVAL(buffer->data, ofs+0x06, tag_length); /* tag length */
|
||||||
SSVAL(buffer->data, ofs+0x0A, 0x14 + tag_length); /* offset of data */
|
SSVAL(buffer->data, ofs+0x0A, blob_offset + blob_pad); /* offset of data */
|
||||||
SIVAL(buffer->data, ofs+0x0C, blob->data.length);
|
SIVAL(buffer->data, ofs+0x0C, blob->data.length);
|
||||||
memcpy(buffer->data+ofs+0x10, blob->tag, tag_length);
|
memcpy(buffer->data+ofs+0x10, blob->tag, tag_length);
|
||||||
SIVAL(buffer->data, ofs+0x10+tag_length, 0); /* pad? */
|
if (blob_pad > 0) {
|
||||||
memcpy(buffer->data+ofs+0x14+tag_length, blob->data.data, blob->data.length);
|
memset(buffer->data+ofs+blob_offset, 0, blob_pad);
|
||||||
memset(buffer->data+ofs+0x14+tag_length+blob->data.length, 0, pad);
|
blob_offset += blob_pad;
|
||||||
|
}
|
||||||
|
memcpy(buffer->data+ofs+blob_offset, blob->data.data, blob->data.length);
|
||||||
|
if (next_pad > 0) {
|
||||||
|
memset(buffer->data+ofs+next_offset, 0, next_pad);
|
||||||
|
next_offset += next_pad;
|
||||||
|
}
|
||||||
|
|
||||||
return NT_STATUS_OK;
|
return NT_STATUS_OK;
|
||||||
}
|
}
|
||||||
|
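Review bot: The four bytes between the end of the tag and `blob_offset` are no longer written. The tag is copied to `ofs+0x10` for `tag_length` bytes, `blob_offset` starts at `0x14 + tag_length`, and the first `memset` begins at `ofs+blob_offset`, while the old `SIVAL(buffer->data, ofs+0x10+tag_length, 0)` has been dropped. Unless `data_blob_realloc` zeroes the grown region (not visible here), those bytes are serialized with whatever the heap previously held. Either keep `SIVAL(buffer->data, ofs+0x10+tag_length, 0);` after the tag `memcpy`, or compute `blob_offset = 0x10 + tag_length;` so the 8-byte padding covers the gap. Separately, `SSVAL(buffer->data, ofs+0x0A, blob_offset + blob_pad)` stores a `size_t` in a 16-bit field, so a comment or check stating the maximum tag length would make the truncation assumption explicit.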