mirror of
https://github.com/samba-team/samba.git
Fixes to check for wraps which could cause coredumps.
Jeremy.
parent
a38ab77b70
commit
ad06edd1bb
@ -258,6 +258,7 @@ BOOL fetch_ldap_pw(char **dn, char** pw)
|
||||
return False;
|
||||
}
|
||||
|
||||
size = MIN(size, sizeof(fstring)-1);
|
||||
strncpy(old_style_pw, data, size);
|
||||
old_style_pw[size] = 0;
|
||||
|
||||
|
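Review bot: The new clamp before the `strncpy` in fetch_ldap_pw is written against `sizeof(fstring)-1` rather than against the destination, so it is only correct while `old_style_pw` is declared as an `fstring`; that declaration is outside this hunk. If it is an array, `size = MIN(size, sizeof(old_style_pw)-1);` keeps the bound tied to the buffer it protects. Stored data longer than the buffer is now truncated silently, which would presumably show up later as an unexplained LDAP authentication failure, so a DEBUG message or a `return False` on over-length data would be easier to diagnose.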
@ -82,7 +82,7 @@ static int interpret_long_filename(struct cli_state *cli,
|
||||
|
||||
case 260: /* NT uses this, but also accepts 2 */
|
||||
{
|
||||
int namelen, slen;
|
||||
size_t namelen, slen;
|
||||
p += 4; /* next entry offset */
|
||||
p += 4; /* fileindex */
|
||||
|
||||
|
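Review bot: Switching `namelen` and `slen` to `size_t` in the `case 260` block removes negative values but does not by itself bound them: a length that was negative as an `int` is now a very large positive one. The code that fills and uses the two variables is outside this hunk, so it is not visible whether they are compared with the space left in the reply buffer before the name is copied; if they are not, that comparison belongs next to the assignment. A short comment on the declaration, such as `/* lengths presumably taken from the server reply: check against the remaining buffer before use */`, would record the requirement.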
@ -226,7 +226,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
|
||||
*ps = smb_xstrdup("");
|
||||
} else {
|
||||
/* make sure its in the right format - be strict */
|
||||
if (len1 != len2 || ptr + len1 > blob->length) {
|
||||
if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
|
||||
return False;
|
||||
}
|
||||
if (len1 & 1) {
|
||||
@ -255,7 +255,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
|
||||
if (len1 == 0 && len2 == 0) {
|
||||
*ps = smb_xstrdup("");
|
||||
} else {
|
||||
if (len1 != len2 || ptr + len1 > blob->length) {
|
||||
if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
|
||||
return False;
|
||||
}
|
||||
|
||||
@ -280,7 +280,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
|
||||
*b = data_blob(NULL, 0);
|
||||
} else {
|
||||
/* make sure its in the right format - be strict */
|
||||
if (len1 != len2 || ptr + len1 > blob->length) {
|
||||
if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
|
||||
return False;
|
||||
}
|
||||
*b = data_blob(blob->data + ptr, len1);
|
||||
@ -314,4 +314,3 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
|
||||
|
||||
return True;
|
||||
}
|
||||
|
||||
|
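Review bot: The strengthened test `(ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)` still computes the sum that may wrap, and whether the wrap tests work depends on the types of `ptr` and `len1`, which are declared outside these hunks (for signed operands the overflow is undefined and a compiler may drop the test). Assuming unsigned operands, a form that never overflows is `if (len1 != len2 || ptr > blob->length || len1 > blob->length - ptr) return False;`. The same condition is repeated in the three msrpc_parse hunks at -226, -255 and -280, and the last one feeds `data_blob(blob->data + ptr, len1)` directly, so a small static helper taking the blob, `ptr` and `len1` would keep the three call sites in step.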
@ -491,6 +491,8 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
|
||||
|
||||
/* Domain SID */
|
||||
|
||||
#if 0
|
||||
/* We must range check this. */
|
||||
q += IVAL(q, 0) + 4; /* 4 byte length plus data */
|
||||
|
||||
q += 2; /* Alignment? */
|
||||
@ -500,6 +502,7 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
|
||||
q += 4; /* NT version (0x1) */
|
||||
q += 2; /* LMNT token (0xff) */
|
||||
q += 2; /* LM20 token (0xff) */
|
||||
#endif
|
||||
|
||||
SAFE_FREE(db_info); /* Not sure whether we need to do anything useful with these */
|
||||
|
||||
|
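Review bot: The `#if 0` … `#endif` pair leaves the unchecked pointer advance `q += IVAL(q, 0) + 4;` in the file as dead code, and the added comment `/* We must range check this. */` does not say against what. Since the block is compiled out, either delete it or extend the comment so the next reader knows the condition for re-enabling it, e.g. `/* Disabled: the length at q is presumably taken from the received packet; re-enable only with a check that q + 4 + IVAL(q,0) stays inside the buffer. */`. Whether `q` is read again after the `#endif` is not visible in these hunks; if it is, it now points at the Domain SID field rather than past the tokens.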
@ -728,7 +728,7 @@ const char *get_short_archi(const char *long_archi)
|
||||
static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32 *minor)
|
||||
{
|
||||
int i;
|
||||
char *buf;
|
||||
char *buf = NULL;
|
||||
ssize_t byte_count;
|
||||
|
||||
if ((buf=malloc(PE_HEADER_SIZE)) == NULL) {
|
||||
@ -768,8 +768,8 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
|
||||
|
||||
/* The header may be a PE (Portable Executable) or an NE (New Executable) */
|
||||
if (IVAL(buf,PE_HEADER_SIGNATURE_OFFSET) == PE_HEADER_SIGNATURE) {
|
||||
int num_sections;
|
||||
int section_table_bytes;
|
||||
unsigned int num_sections;
|
||||
unsigned int section_table_bytes;
|
||||
|
||||
if (SVAL(buf,PE_HEADER_MACHINE_OFFSET) != PE_HEADER_MACHINE_I386) {
|
||||
DEBUG(3,("get_file_version: PE file [%s] wrong machine = 0x%x\n",
|
||||
@ -783,6 +783,9 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
|
||||
/* get the section table */
|
||||
num_sections = SVAL(buf,PE_HEADER_NUMBER_OF_SECTIONS);
|
||||
section_table_bytes = num_sections * PE_HEADER_SECT_HEADER_SIZE;
|
||||
if (section_table_bytes == 0)
|
||||
goto error_exit;
|
||||
|
||||
SAFE_FREE(buf);
|
||||
if ((buf=malloc(section_table_bytes)) == NULL) {
|
||||
DEBUG(0,("get_file_version: PE file [%s] section table malloc failed bytes = %d\n",
|
||||
@ -801,8 +804,11 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
|
||||
int sec_offset = i * PE_HEADER_SECT_HEADER_SIZE;
|
||||
|
||||
if (strcmp(".rsrc", &buf[sec_offset+PE_HEADER_SECT_NAME_OFFSET]) == 0) {
|
||||
int section_pos = IVAL(buf,sec_offset+PE_HEADER_SECT_PTR_DATA_OFFSET);
|
||||
int section_bytes = IVAL(buf,sec_offset+PE_HEADER_SECT_SIZE_DATA_OFFSET);
|
||||
unsigned int section_pos = IVAL(buf,sec_offset+PE_HEADER_SECT_PTR_DATA_OFFSET);
|
||||
unsigned int section_bytes = IVAL(buf,sec_offset+PE_HEADER_SECT_SIZE_DATA_OFFSET);
|
||||
|
||||
if (section_bytes == 0)
|
||||
goto error_exit;
|
||||
|
||||
SAFE_FREE(buf);
|
||||
if ((buf=malloc(section_bytes)) == NULL) {
|
||||
@ -824,6 +830,9 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
|
||||
goto error_exit;
|
||||
}
|
||||
|
||||
if (section_bytes < VS_VERSION_INFO_UNICODE_SIZE)
|
||||
goto error_exit;
|
||||
|
||||
for (i=0; i<section_bytes-VS_VERSION_INFO_UNICODE_SIZE; i++) {
|
||||
/* Scan for 1st 3 unicoded bytes followed by word aligned magic value */
|
||||
if (buf[i] == 'V' && buf[i+1] == '\0' && buf[i+2] == 'S') {
|
||||
|
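Review bot: `section_bytes` is a 32-bit value read from the file with `IVAL` and, after the new zero check, goes to `malloc(section_bytes)` with no upper bound, so a crafted header can still request an allocation of up to 4 GB; comparing it with the file size or a fixed maximum before the `malloc` would close that. The scan loop `for (i=0; i<section_bytes-VS_VERSION_INFO_UNICODE_SIZE; i++)` now compares the `int i` declared at the top of get_file_version with an `unsigned int`, and `i` overflows if the bound exceeds INT_MAX; declaring the index as `unsigned int i;` matches the new types. The unchanged `DEBUG(0, …)` after the section-table `malloc` appears to print the now-unsigned `section_table_bytes` with `%d`, where `%u` would be consistent with the format fix this commit makes in reply_search. The function body starts and ends outside these hunks.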
@ -669,10 +669,9 @@ int reply_search(connection_struct *conn, char *inbuf,char *outbuf, int dum_size
|
||||
time_t date;
|
||||
int dirtype;
|
||||
int outsize = 0;
|
||||
int numentries = 0;
|
||||
unsigned int numentries = 0;
|
||||
unsigned int maxentries = 0;
|
||||
BOOL finished = False;
|
||||
int maxentries;
|
||||
int i;
|
||||
char *p;
|
||||
BOOL ok = False;
|
||||
int status_len;
|
||||
@ -786,6 +785,9 @@ int reply_search(connection_struct *conn, char *inbuf,char *outbuf, int dum_size
|
||||
numentries = 0;
|
||||
p += DIR_STRUCT_SIZE;
|
||||
} else {
|
||||
unsigned int i;
|
||||
maxentries = MIN(maxentries, ((BUFFER_SIZE - (p - outbuf))/DIR_STRUCT_SIZE));
|
||||
|
||||
DEBUG(8,("dirpath=<%s> dontdescend=<%s>\n",
|
||||
conn->dirpath,lp_dontdescend(SNUM(conn))));
|
||||
if (in_list(conn->dirpath, lp_dontdescend(SNUM(conn)),True))
|
||||
@ -845,7 +847,7 @@ int reply_search(connection_struct *conn, char *inbuf,char *outbuf, int dum_size
|
||||
if ((! *directory) && dptr_path(dptr_num))
|
||||
slprintf(directory, sizeof(directory)-1, "(%s)",dptr_path(dptr_num));
|
||||
|
||||
DEBUG( 4, ( "%s mask=%s path=%s dtype=%d nument=%d of %d\n",
|
||||
DEBUG( 4, ( "%s mask=%s path=%s dtype=%d nument=%u of %u\n",
|
||||
smb_fn_name(CVAL(inbuf,smb_com)),
|
||||
mask, directory, dirtype, numentries, maxentries ) );
|
||||
|
||||
|
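Review bot: The added clamp `maxentries = MIN(maxentries, ((BUFFER_SIZE - (p - outbuf))/DIR_STRUCT_SIZE));` mixes the now-unsigned `maxentries` with a signed pointer difference, so if `p - outbuf` ever exceeded `BUFFER_SIZE` the negative quotient would be converted to unsigned and the clamp would either leave `maxentries` unreduced or turn it into a huge value, depending on the platform's integer widths. Nothing in the hunk shows that `p` is already known to lie inside the buffer at this point. Checking first and clamping in one type avoids the question: `size_t room = (p - outbuf < BUFFER_SIZE) ? BUFFER_SIZE - (p - outbuf) : 0;` followed by `maxentries = MIN(maxentries, room / DIR_STRUCT_SIZE);`. reply_search continues outside these hunks.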