sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-03 13:47:25 +03:00
Code

r22050: Fix a couple of off-by-one errors in the rap

Browse Source 
call patch. Jerry, this works now for displaying
shares on Win9x (and hopefully everything else
as well :-).
Jeremy.
(This used to be commit 728a4cc71376f9cfff2578d21a47602f8b7c6531)
This commit is contained in:
Jeremy Allison 2007-04-03 04:52:09 +00:00 committed by Gerald (Jerry) Carter
parent d2a57b6393
commit afd637e926
2 changed files with 29 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
source3/lib/util.c
View File

@ -3127,6 +3127,8 @@ int this_is_smp(void)
/****************************************************************
Check if an offset into a buffer is safe.
If this returns True it's safe to indirect into the byte at
pointer ptr+off.
****************************************************************/
BOOL is_offset_safe(const char *buf_base, size_t buf_len, char *ptr, size_t off)
@ -3180,10 +3182,14 @@ char *get_safe_str_ptr(const char *buf_base, size_t buf_len, char *ptr, size_t o
int get_safe_SVAL(const char *buf_base, size_t buf_len, char *ptr, size_t off, int failval)
{
if (!is_offset_safe(buf_base, buf_len, ptr, off+2)) {
/*
* Note we use off+1 here, not off+2 as SVAL accesses ptr[0] and ptr[1],
* NOT ptr[2].
*/
if (!is_offset_safe(buf_base, buf_len, ptr, off+1)) {
return failval;
}
return SVAL(ptr,0);
return SVAL(ptr,off);
}
/****************************************************************
@ -3192,8 +3198,12 @@ int get_safe_SVAL(const char *buf_base, size_t buf_len, char *ptr, size_t off, i
int get_safe_IVAL(const char *buf_base, size_t buf_len, char *ptr, size_t off, int failval)
{
if (!is_offset_safe(buf_base, buf_len, ptr, off+4)) {
/*
* Note we use off+3 here, not off+4 as IVAL accesses
* ptr[0] ptr[1] ptr[2] ptr[3] NOT ptr[4].
*/
if (!is_offset_safe(buf_base, buf_len, ptr, off+3)) {
return failval;
}
return IVAL(ptr,0);
return IVAL(ptr,off);
}

18
source3/smbd/lanman.c
View File

@ -2365,7 +2365,11 @@ static BOOL api_SetUserPassword(connection_struct *conn,uint16 vuid,
memset(pass1,'\0',sizeof(pass1));
memset(pass2,'\0',sizeof(pass2));
if (!is_offset_safe(param,tpscnt,p,32)) {
/*
* We use 31 here not 32 as we're checking
* the last byte we want to access is safe.
*/
if (!is_offset_safe(param,tpscnt,p,31)) {
return False;
}
memcpy(pass1,p,16);
@ -2537,7 +2541,11 @@ static BOOL api_RDosPrintJobDel(connection_struct *conn,uint16 vuid,
if (!str1 || !str2 || !p) {
return False;
}
if (!is_offset_safe(param,tpscnt,p,2)) {
/*
* We use 1 here not 2 as we're checking
* the last byte we want to access is safe.
*/
if (!is_offset_safe(param,tpscnt,p,1)) {
return False;
}
if(!rap_to_pjobid(SVAL(p,0), sharename, &jobid))
@ -2701,7 +2709,11 @@ static BOOL api_PrintJobInfo(connection_struct *conn, uint16 vuid,
if (!str1 || !str2 || !p) {
return False;
}
if (!is_offset_safe(param,tpscnt,p,2)) {
/*
* We use 1 here not 2 as we're checking
* the last byte we want to access is safe.
*/
if (!is_offset_safe(param,tpscnt,p,1)) {
return False;
}
if(!rap_to_pjobid(SVAL(p,0), sharename, &jobid))