diff -urN samba-2.2.7a/source/include/client.h samba-2.2.7-ibm/source/include/client.h
--- samba-2.2.7a/source/include/client.h	2002-12-12 01:55:42.000000000 +1100
+++ samba-2.2.7-ibm/source/include/client.h	2003-03-18 13:34:39.000000000 +1100
@@ -103,7 +103,7 @@
 	int max_mux;
 	char *outbuf;
 	char *inbuf;
-	int bufsize;
+	unsigned int bufsize;
 	int initialised;
 	int win95;
 	uint32 capabilities;
diff -urN samba-2.2.7a/source/libsmb/clifile.c samba-2.2.7-ibm/source/libsmb/clifile.c
--- samba-2.2.7a/source/libsmb/clifile.c	2002-06-07 23:41:26.000000000 +1000
+++ samba-2.2.7-ibm/source/libsmb/clifile.c	2003-03-18 15:52:13.000000000 +1100
@@ -30,8 +30,8 @@
 
 static BOOL cli_link_internal(struct cli_state *cli, const char *fname_src, const char *fname_dst, BOOL hard_link)
 {
-	int data_len = 0;
-	int param_len = 0;
+	unsigned int data_len = 0;
+	unsigned int param_len = 0;
 	uint16 setup = TRANSACT2_SETPATHINFO;
 	char param[sizeof(pstring)+6];
 	pstring data;
@@ -124,8 +124,8 @@
 
 static BOOL cli_unix_chmod_chown_internal(struct cli_state *cli, const char *fname, uint32 mode, uint32 uid, uint32 gid)
 {
-	int data_len = 0;
-	int param_len = 0;
+	unsigned int data_len = 0;
+	unsigned int param_len = 0;
 	uint16 setup = TRANSACT2_SETPATHINFO;
 	char param[sizeof(pstring)+6];
 	char data[100];
@@ -336,8 +336,8 @@
 
 int cli_nt_delete_on_close(struct cli_state *cli, int fnum, BOOL flag)
 {
-	int data_len = 1;
-	int param_len = 6;
+	unsigned int data_len = 1;
+	unsigned int param_len = 6;
 	uint16 setup = TRANSACT2_SETFILEINFO;
 	pstring param;
 	unsigned char data;
@@ -806,7 +806,7 @@
 ****************************************************************************/
 
 BOOL cli_getattrE(struct cli_state *cli, int fd, 
-		  uint16 *attr, size_t *size, 
+		  uint16 *attr, SMB_BIG_UINT *size, 
 		  time_t *c_time, time_t *a_time, time_t *m_time)
 {
 	memset(cli->outbuf,'\0',smb_size);
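Review bot: Changing `size` to `SMB_BIG_UINT *` in the cli_getattrE signature changes what every caller must pass, and no caller or prototype update is visible in this diff. A caller that still passes the address of a `size_t` would, wherever the two types differ in width, have the function store past the end of that object. The lookups further down in clirap.c still take `size_t *size`, so the size-returning client calls are now inconsistent with each other. Either convert them together or document the parameter, e.g. `/* size: 64-bit file size, caller must pass an SMB_BIG_UINT */`. The body of cli_getattrE continues outside the hunk.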
diff -urN samba-2.2.7a/source/libsmb/clilist.c samba-2.2.7-ibm/source/libsmb/clilist.c
--- samba-2.2.7a/source/libsmb/clilist.c	2002-12-12 01:55:42.000000000 +1100
+++ samba-2.2.7-ibm/source/libsmb/clilist.c	2003-03-18 13:34:39.000000000 +1100
@@ -152,7 +152,7 @@
 	int ff_dir_handle=0;
 	int loop_count = 0;
 	char *rparam=NULL, *rdata=NULL;
-	int param_len, data_len;	
+	unsigned int param_len, data_len;	
 	uint16 setup;
 	pstring param;
 
diff -urN samba-2.2.7a/source/libsmb/clirap.c samba-2.2.7-ibm/source/libsmb/clirap.c
--- samba-2.2.7a/source/libsmb/clirap.c	2002-06-07 23:41:26.000000000 +1000
+++ samba-2.2.7-ibm/source/libsmb/clirap.c	2003-03-18 15:40:03.000000000 +1100
@@ -42,8 +42,8 @@
                  data, data_count, max_data_count);
 
   return (cli_receive_trans(cli, SMBtrans, 
-                            rparam, (int *)rparam_count,
-                            rdata, (int *)rdata_count));
+                            rparam, (unsigned int *)rparam_count,
+                            rdata, (unsigned int *)rdata_count));
 }
 
 /****************************************************************************
@@ -52,8 +52,8 @@
 BOOL cli_api(struct cli_state *cli,
 	     char *param, int prcnt, int mprcnt,
 	     char *data, int drcnt, int mdrcnt,
-	     char **rparam, int *rprcnt,
-	     char **rdata, int *rdrcnt)
+	     char **rparam, unsigned int *rprcnt,
+	     char **rdata, unsigned int *rdrcnt)
 {
   cli_send_trans(cli,SMBtrans,
                  PIPE_LANMAN,             /* Name */
@@ -289,8 +289,8 @@
   fstring upper_case_new_pw;
   unsigned char old_pw_hash[16];
   unsigned char new_pw_hash[16];
-  int data_len;
-  int param_len = 0;
+  unsigned int data_len;
+  unsigned int param_len = 0;
   char *rparam = NULL;
   char *rdata = NULL;
   int rprcnt, rdrcnt;
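Review bot: `int rprcnt, rdrcnt;` on the last context line stays signed, while this commit changes cli_api and cli_receive_trans to take `unsigned int *` for the returned counts. If these locals are passed by address to either function later in the body (the call is outside the hunk), the pointer types no longer match, and the call will warn or need a cast like the ones added at the top of this file. Declaring them as `unsigned int rprcnt, rdrcnt;` keeps the types aligned without casts.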
@@ -372,8 +372,8 @@
 		   time_t *c_time, time_t *a_time, time_t *m_time, 
 		   size_t *size, uint16 *mode)
 {
-	int data_len = 0;
-	int param_len = 0;
+	unsigned int data_len = 0;
+	unsigned int param_len = 0;
 	uint16 setup = TRANSACT2_QPATHINFO;
 	pstring param;
 	char *rparam=NULL, *rdata=NULL;
@@ -451,8 +451,8 @@
 		    time_t *w_time, size_t *size, uint16 *mode,
 		    SMB_INO_T *ino)
 {
-	int data_len = 0;
-	int param_len = 0;
+	unsigned int data_len = 0;
+	unsigned int param_len = 0;
 	uint16 setup = TRANSACT2_QPATHINFO;
 	pstring param;
 	char *rparam=NULL, *rdata=NULL;
@@ -522,8 +522,8 @@
 		   time_t *c_time, time_t *a_time, time_t *m_time, 
 		   time_t *w_time, SMB_INO_T *ino)
 {
-	int data_len = 0;
-	int param_len = 0;
+	unsigned int data_len = 0;
+	unsigned int param_len = 0;
 	uint16 setup = TRANSACT2_QFILEINFO;
 	pstring param;
 	char *rparam=NULL, *rdata=NULL;
@@ -590,8 +590,8 @@
 ****************************************************************************/
 BOOL cli_qfileinfo_test(struct cli_state *cli, int fnum, int level, char *outdata)
 {
-	int data_len = 0;
-	int param_len = 0;
+	unsigned int data_len = 0;
+	unsigned int param_len = 0;
 	uint16 setup = TRANSACT2_QFILEINFO;
 	pstring param;
 	char *rparam=NULL, *rdata=NULL;
@@ -635,8 +635,8 @@
 
 NTSTATUS cli_qpathinfo_alt_name(struct cli_state *cli, const char *fname, fstring alt_name)
 {
-	int data_len = 0;
-	int param_len = 0;
+	unsigned int data_len = 0;
+	unsigned int param_len = 0;
 	uint16 setup = TRANSACT2_QPATHINFO;
 	pstring param;
 	char *rparam=NULL, *rdata=NULL;
diff -urN samba-2.2.7a/source/libsmb/clitrans.c samba-2.2.7-ibm/source/libsmb/clitrans.c
--- samba-2.2.7a/source/libsmb/clitrans.c	2002-06-07 23:41:27.000000000 +1000
+++ samba-2.2.7-ibm/source/libsmb/clitrans.c	2003-03-18 15:53:18.000000000 +1100
@@ -26,17 +26,17 @@
 
 /****************************************************************************
   send a SMB trans or trans2 request
-  ****************************************************************************/
+****************************************************************************/
 BOOL cli_send_trans(struct cli_state *cli, int trans, 
 		    const char *pipe_name, 
 		    int fid, int flags,
-		    uint16 *setup, int lsetup, int msetup,
-		    char *param, int lparam, int mparam,
-		    char *data, int ldata, int mdata)
+		    uint16 *setup, unsigned int lsetup, unsigned int msetup,
+		    char *param, unsigned int lparam, unsigned int mparam,
+		    char *data, unsigned int ldata, unsigned int mdata)
 {
 	int i;
-	int this_ldata,this_lparam;
-	int tot_data=0,tot_param=0;
+	unsigned int this_ldata,this_lparam;
+	unsigned int tot_data=0,tot_param=0;
 	char *outdata,*outparam;
 	char *p;
 	int pipe_name_len=0;
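Review bot: `int i;` is left signed in cli_send_trans although `lsetup` is now `unsigned int`, so a loop bounded by `lsetup` becomes a signed/unsigned comparison; the loop itself is outside the hunk. cli_send_nt_trans in this same file gets `unsigned int i;` in this commit, and the two senders should match. Change the declaration here to `unsigned int i;` as well.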
@@ -84,7 +84,8 @@
 	cli_setup_bcc(cli, outdata+this_ldata);
 
 	show_msg(cli->outbuf);
-	cli_send_smb(cli);
+	if (!cli_send_smb(cli))
+		return False;
 
 	if (this_ldata < ldata || this_lparam < lparam) {
 		/* receive interim response */
@@ -124,7 +125,8 @@
 			cli_setup_bcc(cli, outdata+this_ldata);
 			
 			show_msg(cli->outbuf);
-			cli_send_smb(cli);
+			if (!cli_send_smb(cli))
+				return False;
 			
 			tot_data += this_ldata;
 			tot_param += this_lparam;
@@ -139,12 +141,12 @@
   receive a SMB trans or trans2 response allocating the necessary memory
   ****************************************************************************/
 BOOL cli_receive_trans(struct cli_state *cli,int trans,
-                              char **param, int *param_len,
-                              char **data, int *data_len)
+                              char **param, unsigned int *param_len,
+                              char **data, unsigned int *data_len)
 {
-	int total_data=0;
-	int total_param=0;
-	int this_data,this_param;
+	unsigned int total_data=0;
+	unsigned int total_param=0;
+	unsigned int this_data,this_param;
 	NTSTATUS status;
 	char *tdata;
 	char *tparam;
@@ -210,21 +212,59 @@
 			return False;
 		}
 
-		if (this_data)
-			memcpy(*data + SVAL(cli->inbuf,smb_drdisp),
-			       smb_base(cli->inbuf) + SVAL(cli->inbuf,smb_droff),
-			       this_data);
-		if (this_param)
-			memcpy(*param + SVAL(cli->inbuf,smb_prdisp),
-			       smb_base(cli->inbuf) + SVAL(cli->inbuf,smb_proff),
-			       this_param);
+		if (this_data + *data_len < this_data ||
+				this_data + *data_len < *data_len ||
+				this_param + *param_len < this_param ||
+				this_param + *param_len < *param_len) {
+			DEBUG(1,("Data overflow in cli_receive_trans\n"));
+			return False;
+		}
+
+		if (this_data) {
+			unsigned int data_offset_out = SVAL(cli->inbuf,smb_drdisp);
+			unsigned int data_offset_in = SVAL(cli->inbuf,smb_droff);
+
+			if (data_offset_out > total_data ||
+					data_offset_out + this_data > total_data ||
+					data_offset_out + this_data < data_offset_out ||
+					data_offset_out + this_data < this_data) {
+				DEBUG(1,("Data overflow in cli_receive_trans\n"));
+				return False;
+			}
+			if (data_offset_in > cli->bufsize ||
+					data_offset_in + this_data >  cli->bufsize ||
+					data_offset_in + this_data < data_offset_in ||
+					data_offset_in + this_data < this_data) {
+				DEBUG(1,("Data overflow in cli_receive_trans\n"));
+				return False;
+			}
+
+			memcpy(*data + data_offset_out, smb_base(cli->inbuf) + data_offset_in, this_data);
+		}
+		if (this_param) {
+			unsigned int param_offset_out = SVAL(cli->inbuf,smb_prdisp);
+			unsigned int param_offset_in = SVAL(cli->inbuf,smb_proff);
+
+			if (param_offset_out > total_param ||
+					param_offset_out + this_param > total_param ||
+					param_offset_out + this_param < param_offset_out ||
+					param_offset_out + this_param < this_param) {
+				DEBUG(1,("Param overflow in cli_receive_trans\n"));
+				return False;
+			}
+			if (param_offset_in > cli->bufsize ||
+					param_offset_in + this_param >  cli->bufsize ||
+					param_offset_in + this_param < param_offset_in ||
+					param_offset_in + this_param < this_param) {
+				DEBUG(1,("Param overflow in cli_receive_trans\n"));
+				return False;
+			}
+
+			memcpy(*param + param_offset_out, smb_base(cli->inbuf) + param_offset_in, this_param);
+		}
 		*data_len += this_data;
 		*param_len += this_param;
 
-		/* parse out the total lengths again - they can shrink! */
-		total_data = SVAL(cli->inbuf,smb_tdrcnt);
-		total_param = SVAL(cli->inbuf,smb_tprcnt);
-		
 		if (total_data <= *data_len && total_param <= *param_len)
 			break;
 		
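Review bot: The source-side bound `data_offset_in + this_data > cli->bufsize` (and the matching `param_offset_in` check) compares against the capacity of the receive buffer, not the number of bytes actually received, and it does not account for whatever offset `smb_base()` adds to `cli->inbuf`. A response whose offsets point past the received packet but still inside the buffer passes the check, so stale buffer contents are copied into `*data`. If smb_base() is inbuf plus a header length, the copy can also end that many bytes beyond `bufsize`. The server-side check added to smbd/ipc.c in this patch is written against the pointer, `smb_base(inbuf)+dsoff+dscnt > inbuf + size`; the client should use the same form with the received length. The identical checks added to cli_receive_nt_trans need the same change, and this function starts and ends outside the hunk.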
@@ -243,6 +283,16 @@
 		if (NT_STATUS_IS_ERR(cli_nt_error(cli))) {
 			return(False);
 		}
+
+		/* parse out the total lengths again - they can shrink! */
+		if (SVAL(cli->inbuf,smb_tdrcnt) < total_data)
+			total_data = SVAL(cli->inbuf,smb_tdrcnt);
+		if (SVAL(cli->inbuf,smb_tprcnt) < total_param)
+			total_param = SVAL(cli->inbuf,smb_tprcnt);
+		
+		if (total_data <= *data_len && total_param <= *param_len)
+			break;
+		
 	}
 	
 	return(True);
@@ -257,13 +307,13 @@
 BOOL cli_send_nt_trans(struct cli_state *cli, 
 		       int function, 
 		       int flags,
-		       uint16 *setup, int lsetup, int msetup,
-		       char *param, int lparam, int mparam,
-		       char *data, int ldata, int mdata)
+		       uint16 *setup, unsigned int lsetup, unsigned int msetup,
+		       char *param, unsigned int lparam, unsigned int mparam,
+		       char *data, unsigned int ldata, unsigned int mdata)
 {
-	int i;
-	int this_ldata,this_lparam;
-	int tot_data=0,tot_param=0;
+	unsigned int i;
+	unsigned int this_ldata,this_lparam;
+	unsigned int tot_data=0,tot_param=0;
 	char *outdata,*outparam;
 
 	this_lparam = MIN(lparam,cli->max_xmit - (500+lsetup*2)); /* hack */
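Review bot: With `lsetup` now unsigned, `cli->max_xmit - (500+lsetup*2)` on the last context line is evaluated in unsigned arithmetic. If max_xmit is ever smaller than `500+lsetup*2`, the difference wraps to a very large value and `MIN` returns `lparam` unchanged instead of a limit. The type and range of `max_xmit` are not visible here, so this is inferred. A guard before the `MIN`, such as `if ((unsigned int)cli->max_xmit <= 500+lsetup*2) return False;`, would make the bound explicit. The body continues outside the hunk.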
@@ -302,7 +352,8 @@
 	cli_setup_bcc(cli, outdata+this_ldata);
 
 	show_msg(cli->outbuf);
-	cli_send_smb(cli);
+	if (!cli_send_smb(cli))
+		return False;
 
 	if (this_ldata < ldata || this_lparam < lparam) {
 		/* receive interim response */
@@ -341,7 +392,8 @@
 			cli_setup_bcc(cli, outdata+this_ldata);
 			
 			show_msg(cli->outbuf);
-			cli_send_smb(cli);
+			if (!cli_send_smb(cli))
+				return False;
 			
 			tot_data += this_ldata;
 			tot_param += this_lparam;
@@ -357,12 +409,12 @@
   receive a SMB nttrans response allocating the necessary memory
   ****************************************************************************/
 BOOL cli_receive_nt_trans(struct cli_state *cli,
-			  char **param, int *param_len,
-			  char **data, int *data_len)
+			  char **param, unsigned int *param_len,
+			  char **data, unsigned int *data_len)
 {
-	int total_data=0;
-	int total_param=0;
-	int this_data,this_param;
+	unsigned int total_data=0;
+	unsigned int total_param=0;
+	unsigned int this_data,this_param;
 	uint8 eclass;
 	uint32 ecode;
 	char *tdata;
@@ -424,25 +476,65 @@
 
 		if (this_data + *data_len > total_data ||
 		    this_param + *param_len > total_param) {
-			DEBUG(1,("Data overflow in cli_receive_trans\n"));
+			DEBUG(1,("Data overflow in cli_receive_nt_trans\n"));
+			return False;
+		}
+
+		if (this_data + *data_len < this_data ||
+				this_data + *data_len < *data_len ||
+				this_param + *param_len < this_param ||
+				this_param + *param_len < *param_len) {
+			DEBUG(1,("Data overflow in cli_receive_nt_trans\n"));
 			return False;
 		}
 
-		if (this_data)
-			memcpy(*data + SVAL(cli->inbuf,smb_ntr_DataDisplacement),
-			       smb_base(cli->inbuf) + SVAL(cli->inbuf,smb_ntr_DataOffset),
-			       this_data);
-		if (this_param)
-			memcpy(*param + SVAL(cli->inbuf,smb_ntr_ParameterDisplacement),
-			       smb_base(cli->inbuf) + SVAL(cli->inbuf,smb_ntr_ParameterOffset),
-			       this_param);
+		if (this_data) {
+			unsigned int data_offset_out = SVAL(cli->inbuf,smb_ntr_DataDisplacement);
+			unsigned int data_offset_in = SVAL(cli->inbuf,smb_ntr_DataOffset);
+
+			if (data_offset_out > total_data ||
+					data_offset_out + this_data > total_data ||
+					data_offset_out + this_data < data_offset_out ||
+					data_offset_out + this_data < this_data) {
+				DEBUG(1,("Data overflow in cli_receive_nt_trans\n"));
+				return False;
+			}
+			if (data_offset_in > cli->bufsize ||
+					data_offset_in + this_data >  cli->bufsize ||
+					data_offset_in + this_data < data_offset_in ||
+					data_offset_in + this_data < this_data) {
+				DEBUG(1,("Data overflow in cli_receive_nt_trans\n"));
+				return False;
+			}
+
+			memcpy(*data + data_offset_out, smb_base(cli->inbuf) + data_offset_in, this_data);
+		}
+
+		if (this_param) {
+			unsigned int param_offset_out = SVAL(cli->inbuf,smb_ntr_ParameterDisplacement);
+			unsigned int param_offset_in = SVAL(cli->inbuf,smb_ntr_ParameterOffset);
+
+			if (param_offset_out > total_param ||
+					param_offset_out + this_param > total_param ||
+					param_offset_out + this_param < param_offset_out ||
+					param_offset_out + this_param < this_param) {
+				DEBUG(1,("Param overflow in cli_receive_nt_trans\n"));
+				return False;
+			}
+			if (param_offset_in > cli->bufsize ||
+					param_offset_in + this_param >  cli->bufsize ||
+					param_offset_in + this_param < param_offset_in ||
+					param_offset_in + this_param < this_param) {
+				DEBUG(1,("Param overflow in cli_receive_nt_trans\n"));
+				return False;
+			}
+
+			memcpy(*param + param_offset_out, smb_base(cli->inbuf) + param_offset_in, this_param);
+		}
+
 		*data_len += this_data;
 		*param_len += this_param;
 
-		/* parse out the total lengths again - they can shrink! */
-		total_data = SVAL(cli->inbuf,smb_ntr_TotalDataCount);
-		total_param = SVAL(cli->inbuf,smb_ntr_TotalParameterCount);
-		
 		if (total_data <= *data_len && total_param <= *param_len)
 			break;
 		
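Review bot: The displacement and offset fields (`smb_ntr_DataDisplacement`, `smb_ntr_DataOffset` and the parameter equivalents) are read with `SVAL`, which takes 16 bits, while smbd/nttrans.c in this patch reads the corresponding `smb_nts_*` request fields with `IVAL`. If the NT trans response fields are 32-bit as well, the new range checks validate a truncated value rather than what the server sent. The removed lines already used `SVAL`, so this is not new, but the hunk introduces named locals for these fields and is the natural place to switch to `IVAL`. Otherwise add a comment such as `/* only the low 16 bits are honoured; responses above 64K are not supported */`. The function starts and ends outside the hunk.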
@@ -463,6 +555,14 @@
                            !(eclass == ERRDOS && ecode == ERRmoredata))
 				return(False);
 		}
+		/* parse out the total lengths again - they can shrink! */
+		if (SVAL(cli->inbuf,smb_ntr_TotalDataCount) < total_data)
+			total_data = SVAL(cli->inbuf,smb_ntr_TotalDataCount);
+		if (SVAL(cli->inbuf,smb_ntr_TotalParameterCount) < total_param)
+			total_param = SVAL(cli->inbuf,smb_ntr_TotalParameterCount);
+		
+		if (total_data <= *data_len && total_param <= *param_len)
+			break;
 	}
 	
 	return(True);
diff -urN samba-2.2.7a/source/locking/locking.c samba-2.2.7-ibm/source/locking/locking.c
--- samba-2.2.7a/source/locking/locking.c	2002-12-11 01:58:15.000000000 +1100
+++ samba-2.2.7-ibm/source/locking/locking.c	2003-03-18 13:51:31.000000000 +1100
@@ -674,6 +674,7 @@
 	/* read in the existing share modes if any */
 	dbuf = tdb_fetch(tdb, locking_key_fsp(fsp));
 	if (!dbuf.dptr) {
+		size_t offset;
 		/* we'll need to create a new record */
 		pstring fname;
 
@@ -691,7 +692,8 @@
 		DEBUG(10,("set_share_mode: creating entry for file %s. num_share_modes = 1\n",
 			fsp->fsp_name ));
 
-		pstrcpy(p + sizeof(*data) + sizeof(share_mode_entry), fname);
+		offset = sizeof(*data) + sizeof(share_mode_entry);
+		safe_strcpy(p + offset, fname, size - offset - 1);
 		fill_share_mode(p + sizeof(*data), fsp, port, op_type);
 		dbuf.dptr = p;
 		dbuf.dsize = size;
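Review bot: `size - offset - 1` is passed as the copy limit with no check that `size` is at least `offset + 1`; `size` is computed above the hunk, so the invariant cannot be confirmed from here. If it were ever smaller, the subtraction would not yield a usable bound. Either add an explicit `if (size <= offset)` guard before the copy, or a comment next to `offset` stating how `size` was derived from the header, the entry and the file name length. `fill_share_mode(p + sizeof(*data), ...)` on the next line could also reuse the new local for readability.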
diff -urN samba-2.2.7a/source/smbd/ipc.c samba-2.2.7-ibm/source/smbd/ipc.c
--- samba-2.2.7a/source/smbd/ipc.c	2002-02-02 09:14:43.000000000 +1100
+++ samba-2.2.7-ibm/source/smbd/ipc.c	2003-03-18 13:34:39.000000000 +1100
@@ -368,52 +368,69 @@
 	uint16 *setup=NULL;
 	int outsize = 0;
 	uint16 vuid = SVAL(inbuf,smb_uid);
-	int tpscnt = SVAL(inbuf,smb_vwv0);
-	int tdscnt = SVAL(inbuf,smb_vwv1);
-	int mprcnt = SVAL(inbuf,smb_vwv2);
-	int mdrcnt = SVAL(inbuf,smb_vwv3);
-	int msrcnt = CVAL(inbuf,smb_vwv4);
+	unsigned int tpscnt = SVAL(inbuf,smb_vwv0);
+	unsigned int tdscnt = SVAL(inbuf,smb_vwv1);
+	unsigned int mprcnt = SVAL(inbuf,smb_vwv2);
+	unsigned int mdrcnt = SVAL(inbuf,smb_vwv3);
+	unsigned int msrcnt = CVAL(inbuf,smb_vwv4);
 	BOOL close_on_completion = BITSETW(inbuf+smb_vwv5,0);
 	BOOL one_way = BITSETW(inbuf+smb_vwv5,1);
-	int pscnt = SVAL(inbuf,smb_vwv9);
-	int psoff = SVAL(inbuf,smb_vwv10);
-	int dscnt = SVAL(inbuf,smb_vwv11);
-	int dsoff = SVAL(inbuf,smb_vwv12);
-	int suwcnt = CVAL(inbuf,smb_vwv13);
+	unsigned int pscnt = SVAL(inbuf,smb_vwv9);
+	unsigned int psoff = SVAL(inbuf,smb_vwv10);
+	unsigned int dscnt = SVAL(inbuf,smb_vwv11);
+	unsigned int dsoff = SVAL(inbuf,smb_vwv12);
+	unsigned int suwcnt = CVAL(inbuf,smb_vwv13);
 	START_PROFILE(SMBtrans);
 
 	memset(name, '\0',sizeof(name));
 	fstrcpy(name,smb_buf(inbuf));
 
-	if (dscnt > tdscnt || pscnt > tpscnt) {
-		exit_server("invalid trans parameters\n");
-	}
+	if (dscnt > tdscnt || pscnt > tpscnt)
+		goto bad_param;
   
 	if (tdscnt)  {
 		if((data = (char *)malloc(tdscnt)) == NULL) {
-			DEBUG(0,("reply_trans: data malloc fail for %d bytes !\n", tdscnt));
+			DEBUG(0,("reply_trans: data malloc fail for %u bytes !\n", tdscnt));
 			END_PROFILE(SMBtrans);
 			return(ERROR_DOS(ERRDOS,ERRnomem));
 		} 
+		if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
+			goto bad_param;
+		if (smb_base(inbuf)+dsoff+dscnt > inbuf + size)
+			goto bad_param;
+
 		memcpy(data,smb_base(inbuf)+dsoff,dscnt);
 	}
 
 	if (tpscnt) {
 		if((params = (char *)malloc(tpscnt)) == NULL) {
-			DEBUG(0,("reply_trans: param malloc fail for %d bytes !\n", tpscnt));
+			DEBUG(0,("reply_trans: param malloc fail for %u bytes !\n", tpscnt));
+			SAFE_FREE(data);
 			END_PROFILE(SMBtrans);
 			return(ERROR_DOS(ERRDOS,ERRnomem));
 		} 
+		if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
+			goto bad_param;
+		if (smb_base(inbuf)+psoff+pscnt > inbuf + size)
+			goto bad_param;
+
 		memcpy(params,smb_base(inbuf)+psoff,pscnt);
 	}
 
 	if (suwcnt) {
 		int i;
 		if((setup = (uint16 *)malloc(suwcnt*sizeof(uint16))) == NULL) {
-          DEBUG(0,("reply_trans: setup malloc fail for %d bytes !\n", (int)(suwcnt * sizeof(uint16))));
-		  END_PROFILE(SMBtrans);
-		  return(ERROR_DOS(ERRDOS,ERRnomem));
-        } 
+			DEBUG(0,("reply_trans: setup malloc fail for %u bytes !\n", (unsigned int)(suwcnt * sizeof(uint16))));
+			SAFE_FREE(data);
+			SAFE_FREE(params);
+			END_PROFILE(SMBtrans);
+			return(ERROR_DOS(ERRDOS,ERRnomem));
+		} 
+		if (inbuf+smb_vwv14+(suwcnt*SIZEOFWORD) > inbuf + size)
+			goto bad_param;
+		if ((smb_vwv14+(suwcnt*SIZEOFWORD) < smb_vwv14) || (smb_vwv14+(suwcnt*SIZEOFWORD) < (suwcnt*SIZEOFWORD)))
+			goto bad_param;
+
 		for (i=0;i<suwcnt;i++)
 			setup[i] = SVAL(inbuf,smb_vwv14+i*SIZEOFWORD);
 	}
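Review bot: The new offset and length checks run after each `malloc`, so a request with bad `dsoff`/`psoff` values still causes an allocation sized by the client, which is then freed through `bad_param`. The checks depend only on values already read from the packet, so moving them ahead of the allocations rejects malformed requests before any memory is taken and shortens the cleanup paths. In the setup branch the wrap test on `smb_vwv14+(suwcnt*SIZEOFWORD)` comes after the pointer comparison that already used that sum; put it first, as the data and param branches do. `int i` in the copy loop is also now compared with the unsigned `suwcnt` and should become `unsigned int i;`.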
@@ -425,13 +442,13 @@
 		outsize = set_message(outbuf,0,0,True);
 		show_msg(outbuf);
 		if (!send_smb(smbd_server_fd(),outbuf))
-			exit_server("reply_trans: send_smb failed.\n");
+			exit_server("reply_trans: send_smb failed.");
 	}
 
 	/* receive the rest of the trans packet */
 	while (pscnt < tpscnt || dscnt < tdscnt) {
 		BOOL ret;
-		int pcnt,poff,dcnt,doff,pdisp,ddisp;
+		unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp;
       
 		ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
 
@@ -451,8 +468,11 @@
 
 		show_msg(inbuf);
       
-		tpscnt = SVAL(inbuf,smb_vwv0);
-		tdscnt = SVAL(inbuf,smb_vwv1);
+		/* Revise total_params and total_data in case they have changed downwards */
+		if (SVAL(inbuf,smb_vwv0) < tpscnt)
+			tpscnt = SVAL(inbuf,smb_vwv0);
+		if (SVAL(inbuf,smb_vwv1) < tdscnt)
+			tdscnt = SVAL(inbuf,smb_vwv1);
 
 		pcnt = SVAL(inbuf,smb_vwv2);
 		poff = SVAL(inbuf,smb_vwv3);
@@ -465,18 +485,38 @@
 		pscnt += pcnt;
 		dscnt += dcnt;
 		
-		if (dscnt > tdscnt || pscnt > tpscnt) {
-			exit_server("invalid trans parameters\n");
-		}
+		if (dscnt > tdscnt || pscnt > tpscnt)
+			goto bad_param;
 		
-		if (pcnt)
+		if (pcnt) {
+			if (pdisp+pcnt >= tpscnt)
+				goto bad_param;
+			if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
+				goto bad_param;
+			if (smb_base(inbuf) + poff + pcnt >= inbuf + bufsize)
+				goto bad_param;
+			if (params + pdisp < params)
+				goto bad_param;
+
 			memcpy(params+pdisp,smb_base(inbuf)+poff,pcnt);
-		if (dcnt)
+		}
+
+		if (dcnt) {
+			if (ddisp+dcnt >= tdscnt)
+				goto bad_param;
+			if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
+				goto bad_param;
+			if (smb_base(inbuf) + doff + dcnt >= inbuf + bufsize)
+				goto bad_param;
+			if (data + ddisp < data)
+				goto bad_param;
+
 			memcpy(data+ddisp,smb_base(inbuf)+doff,dcnt);      
+		}
 	}
 	
 	
-	DEBUG(3,("trans <%s> data=%d params=%d setup=%d\n",
+	DEBUG(3,("trans <%s> data=%u params=%u setup=%u\n",
 		 name,tdscnt,tpscnt,suwcnt));
 	
 	/*
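Review bot: `if (pdisp+pcnt >= tpscnt)` and `if (ddisp+dcnt >= tdscnt)` reject a fragment that ends exactly at the declared total, which is where the last secondary packet of a multi-packet transaction ends. Legitimate requests would therefore fail with NT_STATUS_INVALID_PARAMETER. The comparisons should be strict: `if (pdisp+pcnt > tpscnt)` and `if (ddisp+dcnt > tdscnt)`. The source-side tests also use `>= inbuf + bufsize` where the first-packet checks use `>`, and they bound by buffer capacity rather than by the length just received. The secondary-packet checks added to smbd/nttrans.c in this patch (`parameter_displacement + parameter_count >= total_parameter_count` and the data equivalent) have the same off-by-one.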
@@ -525,4 +565,14 @@
 	
 	END_PROFILE(SMBtrans);
 	return(outsize);
+
+
+  bad_param:
+
+	DEBUG(0,("reply_trans: invalid trans parameters\n"));
+	SAFE_FREE(data);
+	SAFE_FREE(params);
+	SAFE_FREE(setup);
+	END_PROFILE(SMBtrans);
+	return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
 }
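Review bot: The single message at `bad_param` does not say which of the many checks failed, so an operator looking at the log cannot tell a malformed first packet from a bad secondary fragment. Including the counters already in scope would make the entry usable for triage, e.g. `DEBUG(0,("reply_trans: invalid trans parameters (pscnt=%u tpscnt=%u dscnt=%u tdscnt=%u)\n", pscnt,tpscnt,dscnt,tdscnt));`. The equivalent label added to smbd/nttrans.c logs nothing for most of its jumps, so the two handlers should be made consistent. Level 0 is also worth reconsidering for a condition any connected client can trigger repeatedly.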
diff -urN samba-2.2.7a/source/smbd/mangle_map.c samba-2.2.7-ibm/source/smbd/mangle_map.c
--- samba-2.2.7a/source/smbd/mangle_map.c	2002-12-11 01:58:17.000000000 +1100
+++ samba-2.2.7-ibm/source/smbd/mangle_map.c	2003-03-18 13:34:39.000000000 +1100
@@ -150,36 +150,45 @@
 		}
 		DEBUG( 5, ("End of first in pair '%s'\n", end) );
 		if( (match_string = map_filename( s, start, end-start )) ) {
+			int size_left = sizeof(new_string) - 1;
 			DEBUG( 5, ("Found a match\n") );
 			/* Found a match. */
 			start = end + 1; /* Point to start of what it is to become. */
 			DEBUG( 5, ("Start of second in pair '%s'\n", start) );
 			end = start;
 			np = new_string;
-			while( (*end)             /* Not the end of string. */
+			while( (*end && size_left > 0)    /* Not the end of string. */
 			       && (*end != ')')      /* Not the end of the pattern. */
-			       && (*end != '*') )    /* Not a wildcard. */
+			       && (*end != '*') ) {   /* Not a wildcard. */
 				*np++ = *end++;
+				size_left--;
+			}
 
 			if( !*end ) {
 				start = end;
 				continue;               /* Always check for the end. */
 			}
 			if( *end == '*' ) {
-				pstrcpy( np, match_string );
+				if (size_left > 0 )
+					safe_strcpy( np, match_string, size_left );
 				np += strlen( match_string );
+				size_left -= strlen( match_string );
 				end++;                  /* Skip the '*' */
-				while ((*end)           /* Not the end of string. */
+				while ((*end && size_left >  0)   /* Not the end of string. */
 				       && (*end != ')') /* Not the end of the pattern. */
-				       && (*end != '*'))/* Not a wildcard. */
+				       && (*end != '*')) { /* Not a wildcard. */
 					*np++ = *end++;
+					size_left--;
+				}
 			}
 			if (!*end) {
 				start = end;
 				continue;               /* Always check for the end. */
 			}
-			*np++ = '\0';             /* NULL terminate it. */
+			if (size_left > 0)
+				*np++ = '\0';             /* NULL terminate it. */
 			DEBUG(5,("End of second in pair '%s'\n", end));
+			new_string[sizeof(new_string)-1] = '\0';
 			pstrcpy( s, new_string );  /* Substitute with the new name. */
 			DEBUG( 5, ("s is now '%s'\n", s) );
 		}
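Review bot: In the wildcard branch, `np += strlen( match_string )` and `size_left -= strlen( match_string )` advance by the full match length even when `safe_strcpy` was skipped or had to truncate. That leaves `np` pointing beyond `new_string` and `size_left` negative. Later stores are guarded by `size_left > 0`, so nothing is written there, but the out-of-range pointer is still formed and a silently truncated name is substituted into `s`. Compute the length once and clamp it: `size_t mlen = strlen(match_string);`, `if (mlen > (size_t)size_left) mlen = size_left;`, `np += mlen; size_left -= mlen;`. Rejecting the mapping when it does not fit would be safer still. The enclosing function starts and ends outside the hunk.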
diff -urN samba-2.2.7a/source/smbd/nttrans.c samba-2.2.7-ibm/source/smbd/nttrans.c
--- samba-2.2.7a/source/smbd/nttrans.c	2002-12-05 04:16:36.000000000 +1100
+++ samba-2.2.7-ibm/source/smbd/nttrans.c	2003-03-18 16:14:18.000000000 +1100
@@ -1917,66 +1917,118 @@
   num_params_sofar = parameter_count;
   num_data_sofar = data_count;
 
-  if (parameter_count > total_parameter_count || data_count > total_data_count)
-    exit_server("reply_nttrans: invalid sizes in packet.");
+	if (parameter_count > total_parameter_count || data_count > total_data_count)
+		goto bad_param;
 
-  if(setup) {
-    memcpy( setup, &inbuf[smb_nt_SetupStart], setup_count);
-    DEBUG(10,("reply_nttrans: setup_count = %d\n", setup_count));
-    dump_data(10, setup, setup_count);
-  }
-  if(params) {
-    memcpy( params, smb_base(inbuf) + parameter_offset, parameter_count);
-    DEBUG(10,("reply_nttrans: parameter_count = %d\n", parameter_count));
-    dump_data(10, params, parameter_count);
-  }
-  if(data) {
-    memcpy( data, smb_base(inbuf) + data_offset, data_count);
-    DEBUG(10,("reply_nttrans: data_count = %d\n",data_count));
-    dump_data(10, data, data_count);
-  }
+	if(setup) {
+		DEBUG(10,("reply_nttrans: setup_count = %d\n", setup_count));
+		if ((smb_nt_SetupStart + setup_count < smb_nt_SetupStart) ||
+				(smb_nt_SetupStart + setup_count < setup_count))
+			goto bad_param;
+		if (smb_nt_SetupStart + setup_count > length)
+			goto bad_param;
 
-  if(num_data_sofar < total_data_count || num_params_sofar < total_parameter_count) {
-    /* We need to send an interim response then receive the rest
-       of the parameter/data bytes */
-    outsize = set_message(outbuf,0,0,True);
-    if (!send_smb(smbd_server_fd(),outbuf))
-      exit_server("reply_nttrans: send_smb failed.");
-
-    while( num_data_sofar < total_data_count || num_params_sofar < total_parameter_count) {
-      BOOL ret;
-
-      ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
-
-      if((ret && (CVAL(inbuf, smb_com) != SMBnttranss)) || !ret) {
-        outsize = set_message(outbuf,0,0,True);
-        if(ret) {
-		DEBUG(0,("reply_nttrans: Invalid secondary nttrans packet\n"));
-        } else {
-		DEBUG(0,("reply_nttrans: %s in getting secondary nttrans response.\n",
-			 (smb_read_error == READ_ERROR) ? "error" : "timeout" ));
+		memcpy( setup, &inbuf[smb_nt_SetupStart], setup_count);
+		dump_data(10, setup, setup_count);
 	}
-        SAFE_FREE(params);
-        SAFE_FREE(data);
-        SAFE_FREE(setup);
-	END_PROFILE(SMBnttrans);
-        return ERROR_DOS(ERRSRV,ERRerror);
-      }
+	if(params) {
+		DEBUG(10,("reply_nttrans: parameter_count = %d\n", parameter_count));
+		if ((parameter_offset + parameter_count < parameter_offset) ||
+				(parameter_offset + parameter_count < parameter_count))
+			goto bad_param;
+		if (smb_base(inbuf) + parameter_offset + parameter_count > inbuf + length)
+			goto bad_param;
+
+		memcpy( params, smb_base(inbuf) + parameter_offset, parameter_count);
+		dump_data(10, params, parameter_count);
+	}
+	if(data) {
+		DEBUG(10,("reply_nttrans: data_count = %d\n",data_count));
+		if ((data_offset + data_count < data_offset) || (data_offset + data_count < data_count))
+			goto bad_param;
+		if (smb_base(inbuf) + data_offset + data_count > inbuf + length)
+			goto bad_param;
+
+		memcpy( data, smb_base(inbuf) + data_offset, data_count);
+		dump_data(10, data, data_count);
+	}
+
+	if(num_data_sofar < total_data_count || num_params_sofar < total_parameter_count) {
+		/* We need to send an interim response then receive the rest
+			of the parameter/data bytes */
+		outsize = set_message(outbuf,0,0,True);
+		if (!send_smb(smbd_server_fd(),outbuf))
+			exit_server("reply_nttrans: send_smb failed.");
+
+		while( num_data_sofar < total_data_count || num_params_sofar < total_parameter_count) {
+			BOOL ret;
+			uint32 parameter_displacement;
+			uint32 data_displacement;
+
+			ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
+
+			if((ret && (CVAL(inbuf, smb_com) != SMBnttranss)) || !ret) {
+				outsize = set_message(outbuf,0,0,True);
+				if(ret) {
+					DEBUG(0,("reply_nttrans: Invalid secondary nttrans packet\n"));
+				} else {
+					DEBUG(0,("reply_nttrans: %s in getting secondary nttrans response.\n",
+						(smb_read_error == READ_ERROR) ? "error" : "timeout" ));
+				}
+				goto bad_param;
+			}
       
-      /* Revise total_params and total_data in case they have changed downwards */
-      total_parameter_count = IVAL(inbuf, smb_nts_TotalParameterCount);
-      total_data_count = IVAL(inbuf, smb_nts_TotalDataCount);
-      num_params_sofar += (parameter_count = IVAL(inbuf,smb_nts_ParameterCount));
-      num_data_sofar += ( data_count = IVAL(inbuf, smb_nts_DataCount));
-      if (num_params_sofar > total_parameter_count || num_data_sofar > total_data_count)
-        exit_server("reply_nttrans2: data overflow in secondary nttrans packet");
-
-      memcpy( &params[ IVAL(inbuf, smb_nts_ParameterDisplacement)], 
-              smb_base(inbuf) + IVAL(inbuf, smb_nts_ParameterOffset), parameter_count);
-      memcpy( &data[IVAL(inbuf, smb_nts_DataDisplacement)],
-              smb_base(inbuf)+ IVAL(inbuf, smb_nts_DataOffset), data_count);
-    }
-  }
+			/* Revise total_params and total_data in case they have changed downwards */
+			if (IVAL(inbuf, smb_nts_TotalParameterCount) < total_parameter_count)
+				total_parameter_count = IVAL(inbuf, smb_nts_TotalParameterCount);
+			if (IVAL(inbuf, smb_nts_TotalDataCount) < total_data_count)
+				total_data_count = IVAL(inbuf, smb_nts_TotalDataCount);
+
+			parameter_count = IVAL(inbuf,smb_nts_ParameterCount);
+			parameter_offset = IVAL(inbuf, smb_nts_ParameterOffset);
+			parameter_displacement = IVAL(inbuf, smb_nts_ParameterDisplacement);
+			num_params_sofar += parameter_count;
+
+			data_count = IVAL(inbuf, smb_nts_DataCount);
+			data_displacement = IVAL(inbuf, smb_nts_DataDisplacement);
+			data_offset = IVAL(inbuf, smb_nts_DataOffset);
+			num_data_sofar += data_count;
+
+			if (num_params_sofar > total_parameter_count || num_data_sofar > total_data_count) {
+				DEBUG(0,("reply_nttrans2: data overflow in secondary nttrans packet"));
+				goto bad_param;
+			}
+
+			if (parameter_count) {
+				if (parameter_displacement + parameter_count >= total_parameter_count)
+					goto bad_param;
+				if ((parameter_displacement + parameter_count < parameter_displacement) ||
+						(parameter_displacement + parameter_count < parameter_count))
+					goto bad_param;
+				if (smb_base(inbuf) + parameter_offset + parameter_count >= inbuf + bufsize)
+					goto bad_param;
+				if (params + parameter_displacement < params)
+					goto bad_param;
+
+				memcpy( &params[parameter_displacement], smb_base(inbuf) + parameter_offset, parameter_count);
+			}
+
+			if (data_count) {
+				if (data_displacement + data_count >= total_data_count)
+					goto bad_param;
+				if ((data_displacement + data_count < data_displacement) ||
+						(data_displacement + data_count < data_count))
+					goto bad_param;
+				if (smb_base(inbuf) + data_offset + data_count >= inbuf + bufsize)
+					goto bad_param;
+				if (data + data_displacement < data)
+					goto bad_param;
+
+				memcpy( &data[data_displacement], smb_base(inbuf)+ data_offset, data_count);
+			}
+		}
+	}
+
 
   if (Protocol >= PROTOCOL_NT1)
     SSVAL(outbuf,smb_flg2,SVAL(outbuf,smb_flg2) | FLAGS2_IS_LONG_NAME);
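Review bot: The secondary-packet failure branch now does `goto bad_param` for a read error or timeout as well as for a wrong command. The client-visible result therefore changes from `ERROR_DOS(ERRSRV,ERRerror)` to `NT_STATUS_INVALID_PARAMETER` for conditions that are not parameter errors. The `outsize = set_message(outbuf,0,0,True);` just above the jump is left behind and appears to be dead on that path. Either keep a separate return for the receive failure, or drop the assignment and note the new status in a comment. The message `"reply_nttrans2: data overflow in secondary nttrans packet"` is also missing its trailing `\n`, and the function starts and ends outside the hunk.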
@@ -2044,11 +2096,19 @@
      an error packet. 
   */
 
-  SAFE_FREE(setup);
-  SAFE_FREE(params);
-  SAFE_FREE(data);
-  END_PROFILE(SMBnttrans);
-  return outsize; /* If a correct response was needed the call_nt_transact_xxxx 
-		     calls have already sent it. If outsize != -1 then it is
-		     returning an error packet. */
+	SAFE_FREE(setup);
+	SAFE_FREE(params);
+	SAFE_FREE(data);
+	END_PROFILE(SMBnttrans);
+	return outsize; /* If a correct response was needed the call_nt_transact_xxxx 
+				calls have already sent it. If outsize != -1 then it is
+				returning an error packet. */
+
+ bad_param:
+
+	SAFE_FREE(params);
+	SAFE_FREE(data);
+	SAFE_FREE(setup);
+	END_PROFILE(SMBnttrans);
+	return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
 }
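Review bot: The seven cleanup lines above the new label are only re-indented from spaces to tabs, which buries the one functional addition (the bad_param exit) in whitespace noise; that re-indent is better left to a separate commit so the fix can be audited line by line. The new exit repeats the cleanup of the normal exit in a different order, and a comment on the label, for example `/* Fragment counts, offsets or displacements failed validation: release the buffers and reject the request. */`, would record when it is reached. Only the tail of the function is visible in this hunk, so any other jumps to the label cannot be checked from here.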
diff -urN samba-2.2.7a/source/smbd/trans2.c samba-2.2.7-ibm/source/smbd/trans2.c
--- samba-2.2.7a/source/smbd/trans2.c	2002-12-05 08:08:35.000000000 +1100
+++ samba-2.2.7-ibm/source/smbd/trans2.c	2003-03-18 15:51:45.000000000 +1100
@@ -3202,7 +3202,7 @@
 	unsigned int suwcnt = SVAL(inbuf, smb_suwcnt);
 	unsigned int tran_call = SVAL(inbuf, smb_setup0);
 	char *params = NULL, *data = NULL;
-	int num_params, num_params_sofar, num_data, num_data_sofar;
+	unsigned int num_params, num_params_sofar, num_data, num_data_sofar;
 	START_PROFILE(SMBtrans2);
 
 	if(global_oplock_break && (tran_call == TRANSACT2_OPEN)) {
@@ -3241,10 +3241,10 @@
 				(SVAL(inbuf,(smb_setup+6)) == LMFUNC_GETJOBID)) {
 			DEBUG(2,("Got Trans2 DevIOctl jobid\n"));
 		} else {
-			DEBUG(2,("Invalid smb_sucnt in trans2 call(%d)\n",suwcnt));
+			DEBUG(2,("Invalid smb_sucnt in trans2 call(%u)\n",suwcnt));
 			DEBUG(2,("Transaction is %d\n",tran_call));
 			END_PROFILE(SMBtrans2);
-			return ERROR_DOS(ERRSRV,ERRerror);
+			ERROR_DOS(ERRDOS,ERRinvalidparam);
 		}
 	}
     
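Review bot: The replacement line in the else branch drops the `return`, so `ERROR_DOS(ERRDOS,ERRinvalidparam);` is evaluated and its result discarded, and the function carries on with a request whose setup word count was just logged as invalid, after END_PROFILE has already run. If ERROR_DOS only builds the error packet and yields its size, as its use in the removed line suggests, the rejection never reaches the caller and the later allocation, copy and dispatch code still runs on this request. Restore it as `return ERROR_DOS(ERRDOS,ERRinvalidparam);`. tran_call is declared unsigned int as well, so `Transaction is %d` would be better as `%u`, matching the change made to the line above it. The function body starts and ends outside this hunk.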
@@ -3270,10 +3270,22 @@
 	if (num_params > total_params || num_data > total_data)
 		exit_server("invalid params in reply_trans2");
 
-	if(params)
-		memcpy( params, smb_base(inbuf) + SVAL(inbuf, smb_psoff), num_params);
-	if(data)
-		memcpy( data, smb_base(inbuf) + SVAL(inbuf, smb_dsoff), num_data);
+	if(params) {
+		unsigned int psoff = SVAL(inbuf, smb_psoff);
+		if ((psoff + num_params < psoff) || (psoff + num_params < num_params))
+			goto bad_param;
+		if (smb_base(inbuf) + psoff + num_params > inbuf + length)
+			goto bad_param;
+		memcpy( params, smb_base(inbuf) + psoff, num_params);
+	}
+	if(data) {
+		unsigned int dsoff = SVAL(inbuf, smb_dsoff);
+		if ((dsoff + num_data < dsoff) || (dsoff + num_data < num_data))
+			goto bad_param;
+		if (smb_base(inbuf) + dsoff + num_data > inbuf + length)
+			goto bad_param;
+		memcpy( data, smb_base(inbuf) + dsoff, num_data);
+	}
 
 	if(num_data_sofar < total_data || num_params_sofar < total_params)  {
 		/* We need to send an interim response then receive the rest
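Review bot: The source-range checks for the first fragment build `smb_base(inbuf) + psoff + num_params` (and the dsoff equivalent) as a pointer before comparing it with `inbuf + length`, so for an out-of-range offset the expression already points outside the buffer; C leaves that undefined and an optimiser may drop the test. Comparing sizes keeps the check well defined: `size_t avail = (inbuf + length) - smb_base(inbuf);` followed by `if (psoff > avail || num_params > avail - psoff) goto bad_param;`, and likewise for dsoff/num_data, assuming length is never smaller than the header offset, which is not visible here. The two wrap tests before each range check cannot fire if SVAL yields 16-bit values, as it appears to, because the sum is computed in unsigned int; they are harmless but should not be relied on as the bound. The function body starts and ends outside this hunk.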
@@ -3285,6 +3297,10 @@
 		while (num_data_sofar < total_data || 
 		       num_params_sofar < total_params) {
 			BOOL ret;
+			unsigned int param_disp;
+			unsigned int param_off;
+			unsigned int data_disp;
+			unsigned int data_off;
 
 			ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
 			
@@ -3296,25 +3312,55 @@
 				else
 					DEBUG(0,("reply_trans2: %s in getting secondary trans2 response.\n",
 						 (smb_read_error == READ_ERROR) ? "error" : "timeout" ));
-				SAFE_FREE(params);
-				SAFE_FREE(data);
-				END_PROFILE(SMBtrans2);
-				return ERROR_DOS(ERRSRV,ERRerror);
+				goto bad_param;
 			}
       
 			/* Revise total_params and total_data in case
                            they have changed downwards */
-			total_params = SVAL(inbuf, smb_tpscnt);
-			total_data = SVAL(inbuf, smb_tdscnt);
-			num_params_sofar += (num_params = SVAL(inbuf,smb_spscnt));
-			num_data_sofar += ( num_data = SVAL(inbuf, smb_sdscnt));
+			if (SVAL(inbuf, smb_tpscnt) < total_params)
+				total_params = SVAL(inbuf, smb_tpscnt);
+			if (SVAL(inbuf, smb_tdscnt) < total_data)
+				total_data = SVAL(inbuf, smb_tdscnt);
+
+			num_params = SVAL(inbuf,smb_spscnt);
+			param_off = SVAL(inbuf, smb_spsoff);
+			param_disp = SVAL(inbuf, smb_spsdisp);
+			num_params_sofar += num_params;
+
+			num_data = SVAL(inbuf, smb_sdscnt);
+			data_off = SVAL(inbuf, smb_sdsoff);
+			data_disp = SVAL(inbuf, smb_sdsdisp);
+			num_data_sofar += num_data;
+
 			if (num_params_sofar > total_params || num_data_sofar > total_data)
-				exit_server("data overflow in trans2");
+				goto bad_param;
 			
-			memcpy( &params[ SVAL(inbuf, smb_spsdisp)], 
-				smb_base(inbuf) + SVAL(inbuf, smb_spsoff), num_params);
-			memcpy( &data[SVAL(inbuf, smb_sdsdisp)],
-				smb_base(inbuf)+ SVAL(inbuf, smb_sdsoff), num_data);
+			if (num_params) {
+				if (param_disp + num_params >= total_params)
+					goto bad_param;
+				if ((param_disp + num_params < param_disp) ||
+						(param_disp + num_params < num_params))
+					goto bad_param;
+				if (smb_base(inbuf) + param_off + num_params >= inbuf + bufsize)
+					goto bad_param;
+				if (params + param_disp < params)
+					goto bad_param;
+
+				memcpy( &params[param_disp], smb_base(inbuf) + param_off, num_params);
+			}
+			if (num_data) {
+				if (data_disp + num_data >= total_data)
+					goto bad_param;
+				if ((data_disp + num_data < data_disp) ||
+						(data_disp + num_data < num_data))
+					goto bad_param;
+				if (smb_base(inbuf) + data_off + num_data >= inbuf + bufsize)
+					goto bad_param;
+				if (data + data_disp < data)
+					goto bad_param;
+
+				memcpy( &data[data_disp], smb_base(inbuf) + data_off, num_data);
+			}
 		}
 	}
 	
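Review bot: The destination checks `param_disp + num_params >= total_params` and `data_disp + num_data >= total_data` reject a fragment that ends exactly at the declared total, which is what the last fragment of a well-formed transaction does, so a valid multi-packet trans2 would be failed through bad_param; the bound should be `>`, i.e. `if (param_disp + num_params > total_params)` and `if (data_disp + num_data > total_data)`. The source checks against `inbuf + bufsize` use the same `>=`, and they bound the copy by the buffer capacity rather than by the size of the packet just received (the first-fragment hunk uses `length`), so bytes left in the buffer from an earlier packet could be copied into params or data; bounding by the received length, if it is available after receive_next_smb, would close that. The same four comparisons appear in the nttrans secondary-packet loop earlier in this patch (parameter_displacement and data_displacement). The loop and the function continue outside this hunk.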
@@ -3427,4 +3473,11 @@
 	return outsize; /* If a correct response was needed the
 			   call_trans2xxx calls have already sent
 			   it. If outsize != -1 then it is returning */
+
+  bad_param:
+
+	SAFE_FREE(params);
+	SAFE_FREE(data);
+	END_PROFILE(SMBtrans2);
+	return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
 }
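Review bot: bad_param is also the target of the receive-failure branch in the secondary-packet loop, where `goto bad_param` replaces `return ERROR_DOS(ERRSRV,ERRerror)`, so a read error or timeout while waiting for the next fragment is now reported as NT_STATUS_INVALID_PARAMETER, as though the client had sent a malformed request. If that is not intended, keep the original return on that branch; if it is, a comment on the label such as `/* Malformed or missing transaction fragment: free the partial buffers and fail the request. */` would record it. The function body starts outside this hunk.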
diff -urN samba-2.2.7/source/include/proto.h.org samba-2.2.7/source/include/proto.h
--- samba-2.2.7/source/include/proto.h.org	Tue Mar 18 11:37:05 2003
+++ samba-2.2.7/source/include/proto.h	Tue Mar 18 11:38:08 2003
@@ -1185,7 +1185,7 @@
 		SMB_BIG_UINT offset, SMB_BIG_UINT len, int timeout, enum brl_type lock_type);
 BOOL cli_unlock64(struct cli_state *cli, int fnum, SMB_BIG_UINT offset, SMB_BIG_UINT len);
 BOOL cli_getattrE(struct cli_state *cli, int fd, 
-		  uint16 *attr, size_t *size, 
+		  uint16 *attr, SMB_BIG_UINT *size, 
 		  time_t *c_time, time_t *a_time, time_t *m_time);
 BOOL cli_getatr(struct cli_state *cli, const char *fname, 
 		uint16 *attr, size_t *size, time_t *t);
@@ -1233,8 +1233,8 @@
 BOOL cli_api(struct cli_state *cli,
 	     char *param, int prcnt, int mprcnt,
 	     char *data, int drcnt, int mdrcnt,
-	     char **rparam, int *rprcnt,
-	     char **rdata, int *rdrcnt);
+	     char **rparam, unsigned int *rprcnt,
+	     char **rdata, unsigned int *rdrcnt);
 BOOL cli_NetWkstaUserLogon(struct cli_state *cli,char *user, char *workstation);
 int cli_RNetShareEnum(struct cli_state *cli, void (*fn)(const char *, uint32, const char *, void *), void *state);
 BOOL cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
@@ -1284,21 +1284,21 @@
 BOOL cli_send_trans(struct cli_state *cli, int trans, 
 		    const char *pipe_name, 
 		    int fid, int flags,
-		    uint16 *setup, int lsetup, int msetup,
-		    char *param, int lparam, int mparam,
-		    char *data, int ldata, int mdata);
+		    uint16 *setup, unsigned int lsetup, unsigned int msetup,
+		    char *param, unsigned int lparam, unsigned int mparam,
+		    char *data, unsigned int ldata, unsigned int mdata);
 BOOL cli_receive_trans(struct cli_state *cli,int trans,
-                              char **param, int *param_len,
-                              char **data, int *data_len);
+                              char **param, unsigned int *param_len,
+                              char **data, unsigned int *data_len);
 BOOL cli_send_nt_trans(struct cli_state *cli, 
 		       int function, 
 		       int flags,
-		       uint16 *setup, int lsetup, int msetup,
-		       char *param, int lparam, int mparam,
-		       char *data, int ldata, int mdata);
+		       uint16 *setup, unsigned int lsetup, unsigned int msetup,
+		       char *param, unsigned int lparam, unsigned int mparam,
+		       char *data, unsigned int ldata, unsigned int mdata);
 BOOL cli_receive_nt_trans(struct cli_state *cli,
-			  char **param, int *param_len,
-			  char **data, int *data_len);
+			  char **param, unsigned int *param_len,
+			  char **data, unsigned int *data_len);
 
 /* The following definitions come from libsmb/credentials.c  */
 
