The branch, master has been updated
       via  9bc4dec s3:smb2_server: return OBJECT_NAME_INVALID if the path is 
terminated in SMB2_FIND/QUERY_DIRECTORY
       via  1bc93c2 s3:smb2_server: return OBJECT_NAME_INVALID if the path is 
terminated in SMB2_CREATE
       via  68b33aa s3:smb2_server: return BAD_NETWORK_NAME if the path is 
terminated in SMB2_TCON
       via  1a726b8 s3:smb2_server: use smbd_smb2_request_verify_sizes() in 
smb2_write.c
       via  3643a05 s3:smb2_server: use smbd_smb2_request_verify_sizes() in 
smb2_setinfo.c
       via  f3a8d65 s3:smb2_server: use smbd_smb2_request_verify_sizes() in 
smb2_read.c
       via  c648036 s3:smb2_server: use smbd_smb2_request_verify_sizes() in 
smb2_notify.c
       via  a358eee s3:smb2_server: use smbd_smb2_request_verify_sizes() in 
smb2_lock.c
       via  22d479f s3:smb2_server: use smbd_smb2_request_verify_sizes() in 
smb2_keepalive.c
       via  29b3601 s3:smb2_server: use smbd_smb2_request_verify_sizes() in 
smb2_ioctl.c
       via  880eafd s3:smb2_server: use smbd_smb2_request_verify_sizes() in 
smb2_getinfo.c
       via  440f702 s3:smb2_server: use smbd_smb2_request_verify_sizes() in 
smb2_flush.c
       via  bc95ab9 s3:smb2_server: use smbd_smb2_request_verify_sizes() in 
smb2_find.c
       via  251815b s3:smb2_server: use smbd_smb2_request_verify_sizes() in 
smb2_create.c
       via  e09b394 s3:smb2_server: use smbd_smb2_request_verify_sizes() in 
smb2_close.c
       via  9da2f72 s3:smb2_server: use smbd_smb2_request_verify_sizes() in 
smb2_break.c
       via  02f7c37 s3:smb2_server: use smbd_smb2_request_verify_sizes() in 
smb2_tcon.c
       via  d280d9f s3:smb2_server: use smbd_smb2_request_verify_sizes() in 
smb2_sesssetup.c
       via  7ec3a35 s3:smb2_server: use smbd_smb2_request_verify_sizes() in 
smb2_negprot.c
       via  6985a13 s3:smb2_server: add smbd_smb2_request_verify_sizes()
       via  fcd0c0e s3:torture: relax TRANS2 midmight time checking
       via  fce8ef6 s4:torture/basic: relax base.trans2 midmight time checking
      from  674f9cc s3:smb2cli: fix marshalling of smb2_create_blobs in  
smb2cli_create()

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 9bc4decc1cba701926fc8081c3903aac754a6f51
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Sep 6 14:14:52 2011 +0200

    s3:smb2_server: return OBJECT_NAME_INVALID if the path is terminated in 
SMB2_FIND/QUERY_DIRECTORY
    
    metze
    
    Autobuild-User: Stefan Metzmacher <[email protected]>
    Autobuild-Date: Wed Sep  7 12:15:51 CEST 2011 on sn-devel-104

commit 1bc93c2605e14104237bb100db1d8acb1e7fe389
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Sep 6 14:14:52 2011 +0200

    s3:smb2_server: return OBJECT_NAME_INVALID if the path is terminated in 
SMB2_CREATE
    
    metze

commit 68b33aa61ac393c2737969f8449adce3e3096d73
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Sep 6 14:14:52 2011 +0200

    s3:smb2_server: return BAD_NETWORK_NAME if the path is terminated in 
SMB2_TCON
    
    metze

commit 1a726b88ec74962d0317740bbdf576ddcffb52bc
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Sep 6 14:01:43 2011 +0200

    s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_write.c
    
    metze

commit 3643a05ba63ac5d8466dc8391b5d05efeedb5ac4
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Sep 6 14:01:43 2011 +0200

    s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_setinfo.c
    
    metze

commit f3a8d65bdfe496f080a74eb7104500bd8e2b0179
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Sep 6 14:01:43 2011 +0200

    s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_read.c
    
    metze

commit c6480366e551d1dc683c2648bd897bdc7c1b90df
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Sep 6 14:01:43 2011 +0200

    s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_notify.c
    
    metze

commit a358eee2d8670d4a1675e82562fa704fa45a71e6
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Sep 6 14:01:43 2011 +0200

    s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_lock.c
    
    metze

commit 22d479f75794b7c5fcac2fd47fbfd767700507d6
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Sep 6 14:01:43 2011 +0200

    s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_keepalive.c
    
    metze

commit 29b3601c028b8861102b1d988285c78fc17f3b8e
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Sep 6 14:01:43 2011 +0200

    s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_ioctl.c
    
    metze

commit 880eafd7e83ba326be7036605179e8de746f4312
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Sep 6 14:01:43 2011 +0200

    s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_getinfo.c
    
    metze

commit 440f702aa9a020f8cfe13037b7af1ba0dadf86f2
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Sep 6 14:01:43 2011 +0200

    s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_flush.c
    
    metze

commit bc95ab99dc84fa6d567a7d4e803552363bbc07a9
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Sep 6 14:01:43 2011 +0200

    s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_find.c
    
    metze

commit 251815bfd395398857cb60c0b89710ddce7ab19f
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Sep 6 14:01:43 2011 +0200

    s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_create.c
    
    metze

commit e09b3940a769806dcc17d24079375f5d53eca26a
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Sep 6 14:01:43 2011 +0200

    s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_close.c
    
    metze

commit 9da2f72d471460d9c953e9cee84c9cfa3611e89e
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Sep 6 14:01:43 2011 +0200

    s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_break.c
    
    metze

commit 02f7c37e671c7950619c000b73c5a09ce31c68ac
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Sep 6 14:01:43 2011 +0200

    s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_tcon.c
    
    metze

commit d280d9f945be2d658694c6d4503822e99dc953b5
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Sep 6 14:01:43 2011 +0200

    s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_sesssetup.c
    
    metze

commit 7ec3a35d2a67ca93a49094f07a12b0e37cec1661
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Sep 6 14:01:43 2011 +0200

    s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_negprot.c
    
    metze

commit 6985a1378bc9b548694ad7d434fd8f6a3f7b2c29
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Sep 6 14:00:04 2011 +0200

    s3:smb2_server: add smbd_smb2_request_verify_sizes()
    
    metze

commit fcd0c0e19ea039edb968d9ddaf6c1350dca596b8
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Sep 7 10:32:53 2011 +0200

    s3:torture: relax TRANS2 midmight time checking
    
    It's possible that the test runs on a full hour, e.g. Tue Sep  6 03:00:00 
2011.
    
    So it is better to check that the a_time differs from the current time.
    
    metze

commit fce8ef69d352c16a5a9781c7a3288d153da3b32b
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Sep 7 10:32:53 2011 +0200

    s4:torture/basic: relax base.trans2 midmight time checking
    
    It's possible that the test runs on a full hour, e.g. Tue Sep  6 03:00:00 
2011.
    
    So it is better to check that the a_time differs from the current time.
    
    metze

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/globals.h        |    3 ++
 source3/smbd/smb2_break.c     |   16 +++-----------
 source3/smbd/smb2_close.c     |   15 ++-----------
 source3/smbd/smb2_create.c    |   23 +++++++++++----------
 source3/smbd/smb2_find.c      |   26 ++++++++++++------------
 source3/smbd/smb2_flush.c     |   16 +++-----------
 source3/smbd/smb2_getinfo.c   |   18 ++++------------
 source3/smbd/smb2_ioctl.c     |   18 ++++------------
 source3/smbd/smb2_keepalive.c |   17 +++------------
 source3/smbd/smb2_lock.c      |   16 ++++----------
 source3/smbd/smb2_negprot.c   |   14 +++---------
 source3/smbd/smb2_notify.c    |   16 +++-----------
 source3/smbd/smb2_read.c      |   16 ++++----------
 source3/smbd/smb2_server.c    |   42 +++++++++++++++++++++++++++++++++++++++++
 source3/smbd/smb2_sesssetup.c |   35 ++++++++-------------------------
 source3/smbd/smb2_setinfo.c   |   18 ++++------------
 source3/smbd/smb2_tcon.c      |   40 +++++++++++++++-----------------------
 source3/smbd/smb2_write.c     |   18 +++++-----------
 source3/torture/torture.c     |    6 +++-
 source4/torture/basic/base.c  |    6 +++-
 20 files changed, 157 insertions(+), 222 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index 6ce9835..92532c2 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -269,6 +269,9 @@ NTSTATUS smbd_smb2_request_pending_queue(struct 
smbd_smb2_request *req,
 struct smb_request *smbd_smb2_fake_smb_request(struct smbd_smb2_request *req);
 void remove_smb2_chained_fsp(files_struct *fsp);
 
+NTSTATUS smbd_smb2_request_verify_sizes(struct smbd_smb2_request *req,
+                                       size_t expected_body_size);
+
 NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req);
 NTSTATUS smbd_smb2_request_process_sesssetup(struct smbd_smb2_request *req);
 NTSTATUS smbd_smb2_request_process_logoff(struct smbd_smb2_request *req);
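Review bot: The two added prototype lines carry no comment saying what is verified or which status comes back, although every converted handler now passes that status straight to smbd_smb2_request_error(). From the checks the handlers drop, expected_body_size is the wire StructureSize (odd values such as 0x39 and 0x21 mark a trailing dynamic buffer, so the fixed part compared against iov_len is `expected_body_size & 0xFFFFFFFE`); a Doxygen block above the declaration should state that, name the status returned on a mismatch (presumably NT_STATUS_INVALID_PARAMETER, as the replaced checks did), and say that callers may read the fixed body at req->in.vector[i+1] only after NT_STATUS_OK. The implementation lives in smb2_server.c, whose hunk is cut from this truncated changeset, so the contract cannot be confirmed from the page.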
diff --git a/source3/smbd/smb2_break.c b/source3/smbd/smb2_break.c
index 5d5ab41..ce583ac 100644
--- a/source3/smbd/smb2_break.c
+++ b/source3/smbd/smb2_break.c
@@ -36,28 +36,20 @@ static NTSTATUS smbd_smb2_oplock_break_recv(struct 
tevent_req *req,
 static void smbd_smb2_request_oplock_break_done(struct tevent_req *subreq);
 NTSTATUS smbd_smb2_request_process_break(struct smbd_smb2_request *req)
 {
-       const uint8_t *inhdr;
+       NTSTATUS status;
        const uint8_t *inbody;
        int i = req->current_idx;
-       size_t expected_body_size = 0x18;
-       size_t body_size;
        uint8_t in_oplock_level;
        uint64_t in_file_id_persistent;
        uint64_t in_file_id_volatile;
        struct tevent_req *subreq;
 
-       inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
-       if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
-               return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
+       status = smbd_smb2_request_verify_sizes(req, 0x18);
+       if (!NT_STATUS_IS_OK(status)) {
+               return smbd_smb2_request_error(req, status);
        }
-
        inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
 
-       body_size = SVAL(inbody, 0x00);
-       if (body_size != expected_body_size) {
-               return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
-       }
-
        in_oplock_level         = CVAL(inbody, 0x02);
 
        if (in_oplock_level != SMB2_OPLOCK_LEVEL_NONE &&
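Review bot: The replaced checks returned NT_STATUS_INVALID_PARAMETER unconditionally, whereas the new code propagates whatever smbd_smb2_request_verify_sizes() returns, so the status a client sees for a short or oversized body is now decided in smb2_server.c, which is not in this truncated changeset, and the commit message does not say whether it is unchanged. The same applies to the close, find, flush, getinfo, ioctl, keepalive, lock, negprot and notify hunks. Every `CVAL/SVAL/IVAL/BVAL(inbody, …)` read that follows still assumes req->in.vector[i+1].iov_len is the full fixed body; a comment before the inbody assignment such as `/* verify_sizes() checked iov_len == (0x18 & ~1); fixed-offset reads below stay in bounds */` would record that dependency where it is relied upon. smbd_smb2_request_process_break continues outside the hunk.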
diff --git a/source3/smbd/smb2_close.c b/source3/smbd/smb2_close.c
index 93ce5ba..ffe08cc 100644
--- a/source3/smbd/smb2_close.c
+++ b/source3/smbd/smb2_close.c
@@ -30,30 +30,21 @@ static NTSTATUS smbd_smb2_close(struct smbd_smb2_request 
*req,
 
 NTSTATUS smbd_smb2_request_process_close(struct smbd_smb2_request *req)
 {
-       const uint8_t *inhdr;
        const uint8_t *inbody;
        int i = req->current_idx;
        uint8_t *outhdr;
        DATA_BLOB outbody;
-       size_t expected_body_size = 0x18;
-       size_t body_size;
        uint16_t in_flags;
        uint64_t in_file_id_persistent;
        uint64_t in_file_id_volatile;
        NTSTATUS status;
 
-       inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
-       if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
-               return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
+       status = smbd_smb2_request_verify_sizes(req, 0x18);
+       if (!NT_STATUS_IS_OK(status)) {
+               return smbd_smb2_request_error(req, status);
        }
-
        inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
 
-       body_size = SVAL(inbody, 0x00);
-       if (body_size != expected_body_size) {
-               return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
-       }
-
        outbody = data_blob_talloc(req->out.vector, NULL, 0x3C);
        if (outbody.data == NULL) {
                return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c
index 9a60fda..fad80a2 100644
--- a/source3/smbd/smb2_create.c
+++ b/source3/smbd/smb2_create.c
@@ -100,8 +100,6 @@ NTSTATUS smbd_smb2_request_process_create(struct 
smbd_smb2_request *smb2req)
 {
        const uint8_t *inbody;
        int i = smb2req->current_idx;
-       size_t expected_body_size = 0x39;
-       size_t body_size;
        uint8_t in_oplock_level;
        uint32_t in_impersonation_level;
        uint32_t in_desired_access;
@@ -127,17 +125,12 @@ NTSTATUS smbd_smb2_request_process_create(struct 
smbd_smb2_request *smb2req)
        bool ok;
        struct tevent_req *tsubreq;
 
-       if (smb2req->in.vector[i+1].iov_len != (expected_body_size & 
0xFFFFFFFE)) {
-               return smbd_smb2_request_error(smb2req, 
NT_STATUS_INVALID_PARAMETER);
+       status = smbd_smb2_request_verify_sizes(smb2req, 0x39);
+       if (!NT_STATUS_IS_OK(status)) {
+               return smbd_smb2_request_error(smb2req, status);
        }
-
        inbody = (const uint8_t *)smb2req->in.vector[i+1].iov_base;
 
-       body_size = SVAL(inbody, 0x00);
-       if (body_size != expected_body_size) {
-               return smbd_smb2_request_error(smb2req, 
NT_STATUS_INVALID_PARAMETER);
-       }
-
        in_oplock_level         = CVAL(inbody, 0x03);
        in_impersonation_level  = IVAL(inbody, 0x04);
        in_desired_access       = IVAL(inbody, 0x18);
@@ -158,7 +151,7 @@ NTSTATUS smbd_smb2_request_process_create(struct 
smbd_smb2_request *smb2req)
         *       overlap
         */
 
-       dyn_offset = SMB2_HDR_BODY + (body_size & 0xFFFFFFFE);
+       dyn_offset = SMB2_HDR_BODY + smb2req->in.vector[i+1].iov_len;
 
        if (in_name_offset == 0 && in_name_length == 0) {
                /* This is ok */
@@ -219,6 +212,14 @@ NTSTATUS smbd_smb2_request_process_create(struct 
smbd_smb2_request *smb2req)
                return smbd_smb2_request_error(smb2req, 
NT_STATUS_ILLEGAL_CHARACTER);
        }
 
+       if (in_name_buffer.length == 0) {
+               in_name_string_size = 0;
+       }
+
+       if (strlen(in_name_string) != in_name_string_size) {
+               return smbd_smb2_request_error(smb2req, 
NT_STATUS_OBJECT_NAME_INVALID);
+       }
+
        ZERO_STRUCT(in_context_blobs);
        status = smb2_create_blob_parse(smb2req, in_context_buffer, 
&in_context_blobs);
        if (!NT_STATUS_IS_OK(status)) {
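Review bot: The two added checks carry no comment explaining why a zero-length name forces in_name_string_size to 0, or that the strlen() comparison is what rejects a name containing an embedded NUL (the "terminated" path of the commit title); the special case suggests the converter used earlier in the function reports a non-zero size for empty input, which is worth stating since that conversion is outside the hunk. Suggested comment above the strlen() test: `/* A converted name shorter than its byte count holds an embedded NUL; the POSIX layer would see a truncated path, so reject it as an invalid object name. */`. The same applies to the matching hunk in smb2_find.c. If in_name_string can be NULL after a zero-length conversion, strlen() would dereference it; confirm against the conversion code that it always yields a terminated string. smbd_smb2_request_process_create starts and ends outside the hunk.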
diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c
index 9fc8f1f..6c68810 100644
--- a/source3/smbd/smb2_find.c
+++ b/source3/smbd/smb2_find.c
@@ -41,11 +41,9 @@ static NTSTATUS smbd_smb2_find_recv(struct tevent_req *req,
 static void smbd_smb2_request_find_done(struct tevent_req *subreq);
 NTSTATUS smbd_smb2_request_process_find(struct smbd_smb2_request *req)
 {
-       const uint8_t *inhdr;
+       NTSTATUS status;
        const uint8_t *inbody;
        int i = req->current_idx;
-       size_t expected_body_size = 0x21;
-       size_t body_size;
        uint8_t in_file_info_class;
        uint8_t in_flags;
        uint32_t in_file_index;
@@ -60,18 +58,12 @@ NTSTATUS smbd_smb2_request_process_find(struct 
smbd_smb2_request *req)
        struct tevent_req *subreq;
        bool ok;
 
-       inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
-       if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
-               return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
+       status = smbd_smb2_request_verify_sizes(req, 0x21);
+       if (!NT_STATUS_IS_OK(status)) {
+               return smbd_smb2_request_error(req, status);
        }
-
        inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
 
-       body_size = SVAL(inbody, 0x00);
-       if (body_size != expected_body_size) {
-               return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
-       }
-
        in_file_info_class              = CVAL(inbody, 0x02);
        in_flags                        = CVAL(inbody, 0x03);
        in_file_index                   = IVAL(inbody, 0x04);
@@ -84,7 +76,7 @@ NTSTATUS smbd_smb2_request_process_find(struct 
smbd_smb2_request *req)
        if (in_file_name_offset == 0 && in_file_name_length == 0) {
                /* This is ok */
        } else if (in_file_name_offset !=
-                  (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) {
+                  (SMB2_HDR_BODY + req->in.vector[i+1].iov_len)) {
                return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
        }
 
@@ -115,6 +107,14 @@ NTSTATUS smbd_smb2_request_process_find(struct 
smbd_smb2_request *req)
                return smbd_smb2_request_error(req, 
NT_STATUS_ILLEGAL_CHARACTER);
        }
 
+       if (in_file_name_buffer.length == 0) {
+               in_file_name_string_size = 0;
+       }
+
+       if (strlen(in_file_name_string) != in_file_name_string_size) {
+               return smbd_smb2_request_error(req, 
NT_STATUS_OBJECT_NAME_INVALID);
+       }
+
        if (req->compat_chain_fsp) {
                /* skip check */
        } else if (in_file_id_persistent != in_file_id_volatile) {
diff --git a/source3/smbd/smb2_flush.c b/source3/smbd/smb2_flush.c
index c3f5a30..9b00eb2 100644
--- a/source3/smbd/smb2_flush.c
+++ b/source3/smbd/smb2_flush.c
@@ -33,27 +33,19 @@ static NTSTATUS smbd_smb2_flush_recv(struct tevent_req 
*req);
 static void smbd_smb2_request_flush_done(struct tevent_req *subreq);
 NTSTATUS smbd_smb2_request_process_flush(struct smbd_smb2_request *req)
 {
-       const uint8_t *inhdr;
+       NTSTATUS status;
        const uint8_t *inbody;
        int i = req->current_idx;
-       size_t expected_body_size = 0x18;
-       size_t body_size;
        uint64_t in_file_id_persistent;
        uint64_t in_file_id_volatile;
        struct tevent_req *subreq;
 
-       inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
-       if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
-               return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
+       status = smbd_smb2_request_verify_sizes(req, 0x18);
+       if (!NT_STATUS_IS_OK(status)) {
+               return smbd_smb2_request_error(req, status);
        }
-
        inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
 
-       body_size = SVAL(inbody, 0x00);
-       if (body_size != expected_body_size) {
-               return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
-       }
-
        in_file_id_persistent   = BVAL(inbody, 0x08);
        in_file_id_volatile     = BVAL(inbody, 0x10);
 
diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c
index 3c8c690..61e0cfa 100644
--- a/source3/smbd/smb2_getinfo.c
+++ b/source3/smbd/smb2_getinfo.c
@@ -44,11 +44,9 @@ static NTSTATUS smbd_smb2_getinfo_recv(struct tevent_req 
*req,
 static void smbd_smb2_request_getinfo_done(struct tevent_req *subreq);
 NTSTATUS smbd_smb2_request_process_getinfo(struct smbd_smb2_request *req)
 {
-       const uint8_t *inhdr;
+       NTSTATUS status;
        const uint8_t *inbody;
        int i = req->current_idx;
-       size_t expected_body_size = 0x29;
-       size_t body_size;
        uint8_t in_info_type;
        uint8_t in_file_info_class;
        uint32_t in_output_buffer_length;
@@ -61,18 +59,12 @@ NTSTATUS smbd_smb2_request_process_getinfo(struct 
smbd_smb2_request *req)
        uint64_t in_file_id_volatile;
        struct tevent_req *subreq;
 
-       inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
-       if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
-               return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
+       status = smbd_smb2_request_verify_sizes(req, 0x29);
+       if (!NT_STATUS_IS_OK(status)) {
+               return smbd_smb2_request_error(req, status);
        }
-
        inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
 
-       body_size = SVAL(inbody, 0x00);
-       if (body_size != expected_body_size) {
-               return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
-       }
-
        in_info_type                    = CVAL(inbody, 0x02);
        in_file_info_class              = CVAL(inbody, 0x03);
        in_output_buffer_length         = IVAL(inbody, 0x04);
@@ -87,7 +79,7 @@ NTSTATUS smbd_smb2_request_process_getinfo(struct 
smbd_smb2_request *req)
        if (in_input_buffer_offset == 0 && in_input_buffer_length == 0) {
                /* This is ok */
        } else if (in_input_buffer_offset !=
-                  (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) {
+                  (SMB2_HDR_BODY + req->in.vector[i+1].iov_len)) {
                return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
        }
 
diff --git a/source3/smbd/smb2_ioctl.c b/source3/smbd/smb2_ioctl.c
index abb1905..491c3fd 100644
--- a/source3/smbd/smb2_ioctl.c
+++ b/source3/smbd/smb2_ioctl.c
@@ -41,11 +41,9 @@ static NTSTATUS smbd_smb2_ioctl_recv(struct tevent_req *req,
 static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq);
 NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req)
 {
-       const uint8_t *inhdr;
+       NTSTATUS status;
        const uint8_t *inbody;
        int i = req->current_idx;
-       size_t expected_body_size = 0x39;
-       size_t body_size;
        uint32_t in_ctl_code;
        uint64_t in_file_id_persistent;
        uint64_t in_file_id_volatile;
@@ -56,18 +54,12 @@ NTSTATUS smbd_smb2_request_process_ioctl(struct 
smbd_smb2_request *req)
        uint32_t in_flags;
        struct tevent_req *subreq;
 
-       inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
-       if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
-               return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
+       status = smbd_smb2_request_verify_sizes(req, 0x39);
+       if (!NT_STATUS_IS_OK(status)) {
+               return smbd_smb2_request_error(req, status);
        }
-
        inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
 
-       body_size = SVAL(inbody, 0x00);
-       if (body_size != expected_body_size) {
-               return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
-       }
-
        in_ctl_code             = IVAL(inbody, 0x04);
        in_file_id_persistent   = BVAL(inbody, 0x08);
        in_file_id_volatile     = BVAL(inbody, 0x10);
@@ -76,7 +68,7 @@ NTSTATUS smbd_smb2_request_process_ioctl(struct 
smbd_smb2_request *req)
        in_max_output_length    = IVAL(inbody, 0x2C);
        in_flags                = IVAL(inbody, 0x30);
 
-       if (in_input_offset != (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) {
+       if (in_input_offset != (SMB2_HDR_BODY + req->in.vector[i+1].iov_len)) {
                return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
        }
 
diff --git a/source3/smbd/smb2_keepalive.c b/source3/smbd/smb2_keepalive.c
index a830260..24a4f8e 100644
--- a/source3/smbd/smb2_keepalive.c
+++ b/source3/smbd/smb2_keepalive.c
@@ -25,21 +25,12 @@
 
 NTSTATUS smbd_smb2_request_process_keepalive(struct smbd_smb2_request *req)
 {
-       const uint8_t *inbody;
-       int i = req->current_idx;
        DATA_BLOB outbody;
-       size_t expected_body_size = 0x04;
-       size_t body_size;
+       NTSTATUS status;
 
-       if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
-               return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
-       }
-
-       inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
-
-       body_size = SVAL(inbody, 0x00);
-       if (body_size != expected_body_size) {
-               return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
+       status = smbd_smb2_request_verify_sizes(req, 0x04);
+       if (!NT_STATUS_IS_OK(status)) {
+               return smbd_smb2_request_error(req, status);
        }
 
        /* TODO: update some time stamps */
diff --git a/source3/smbd/smb2_lock.c b/source3/smbd/smb2_lock.c
index 5d615e1..ed1d688 100644
--- a/source3/smbd/smb2_lock.c
+++ b/source3/smbd/smb2_lock.c
@@ -58,8 +58,6 @@ NTSTATUS smbd_smb2_request_process_lock(struct 
smbd_smb2_request *req)
        const uint8_t *inhdr;
        const uint8_t *inbody;
        const int i = req->current_idx;
-       size_t expected_body_size = 0x30;
-       size_t body_size;
        uint32_t in_smbpid;
        uint16_t in_lock_count;
        uint64_t in_file_id_persistent;
@@ -68,19 +66,15 @@ NTSTATUS smbd_smb2_request_process_lock(struct 
smbd_smb2_request *req)
        struct tevent_req *subreq;
        const uint8_t *lock_buffer;
        uint16_t l;
+       NTSTATUS status;
 
-       inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
-       if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
-               return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
+       status = smbd_smb2_request_verify_sizes(req, 0x30);
+       if (!NT_STATUS_IS_OK(status)) {
+               return smbd_smb2_request_error(req, status);
        }
-
+       inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
        inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
 
-       body_size = SVAL(inbody, 0x00);
-       if (body_size != expected_body_size) {
-               return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
-       }
-
        in_smbpid                       = IVAL(inhdr, SMB2_HDR_PID);
 
        in_lock_count                   = CVAL(inbody, 0x02);
diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
index 56a30d0..15bff82 100644
--- a/source3/smbd/smb2_negprot.c
+++ b/source3/smbd/smb2_negprot.c
@@ -80,6 +80,7 @@ void reply_smb20ff(struct smb_request *req, uint16_t choice)
 
 NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
 {
+       NTSTATUS status;
        const uint8_t *inbody;
        const uint8_t *indyn = NULL;
        int i = req->current_idx;
@@ -88,8 +89,6 @@ NTSTATUS smbd_smb2_request_process_negprot(struct 
smbd_smb2_request *req)
        DATA_BLOB negprot_spnego_blob;
        uint16_t security_offset;
        DATA_BLOB security_buffer;
-       size_t expected_body_size = 0x24;
-       size_t body_size;
        size_t expected_dyn_size = 0;
        size_t c;
        uint16_t security_mode;
@@ -104,17 +103,12 @@ NTSTATUS smbd_smb2_request_process_negprot(struct 
smbd_smb2_request *req)
 
 /* TODO: drop the connection with INVALID_PARAMETER */
 
-       if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
-               return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
+       status = smbd_smb2_request_verify_sizes(req, 0x24);
+       if (!NT_STATUS_IS_OK(status)) {
+               return smbd_smb2_request_error(req, status);
        }
-
        inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
 
-       body_size = SVAL(inbody, 0x00);
-       if (body_size != expected_body_size) {
-               return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
-       }
-
        dialect_count = SVAL(inbody, 0x02);
        if (dialect_count == 0) {
                return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
diff --git a/source3/smbd/smb2_notify.c b/source3/smbd/smb2_notify.c
index 9e377ce..a8b1eb4 100644
--- a/source3/smbd/smb2_notify.c
+++ b/source3/smbd/smb2_notify.c
@@ -47,11 +47,9 @@ static NTSTATUS smbd_smb2_notify_recv(struct tevent_req *req,
 static void smbd_smb2_request_notify_done(struct tevent_req *subreq);
 NTSTATUS smbd_smb2_request_process_notify(struct smbd_smb2_request *req)
 {
-       const uint8_t *inhdr;
+       NTSTATUS status;
        const uint8_t *inbody;
        int i = req->current_idx;
-       size_t expected_body_size = 0x20;
-       size_t body_size;
        uint16_t in_flags;
        uint32_t in_output_buffer_length;
        uint64_t in_file_id_persistent;
@@ -59,18 +57,12 @@ NTSTATUS smbd_smb2_request_process_notify(struct 
smbd_smb2_request *req)
        uint64_t in_completion_filter;
        struct tevent_req *subreq;
 
-       inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
-       if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
-               return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
+       status = smbd_smb2_request_verify_sizes(req, 0x20);
+       if (!NT_STATUS_IS_OK(status)) {
+               return smbd_smb2_request_error(req, status);
        }
-
        inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
 
-       body_size = SVAL(inbody, 0x00);
-       if (body_size != expected_body_size) {
-               return smbd_smb2_request_error(req, 
NT_STATUS_INVALID_PARAMETER);
-       }
-
        in_flags                = SVAL(inbody, 0x02);
        in_output_buffer_length = IVAL(inbody, 0x04);
        in_file_id_persistent   = BVAL(inbody, 0x08);
diff --git a/source3/smbd/smb2_read.c b/source3/smbd/smb2_read.c
index 8c3a8fd..99f6e7a 100644
--- a/source3/smbd/smb2_read.c
+++ b/source3/smbd/smb2_read.c
@@ -44,11 +44,10 @@ static NTSTATUS smbd_smb2_read_recv(struct tevent_req *req,
 static void smbd_smb2_request_read_done(struct tevent_req *subreq);
 NTSTATUS smbd_smb2_request_process_read(struct smbd_smb2_request *req)
 {
+       NTSTATUS status;

