The branch, master has been updated
       via  f80c97cb8da libsmb: Protect cli_oem_change_password() from rprcnt<2
       via  ce8b70df7bd libsmb: Protect cli_RNetServerEnum against rprcnt<6
       via  4a9fe4efefa libsmb: Protect cli_RNetShareEnum() against rprcnt<6
       via  ae91d67a247 libsmb: Fix indentation in cli_RNetShareEnum()
      from  1be128eeedf smbd: Make share_mode_for_one_entry() use just a uint8*

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f80c97cb8da64f3cd9904e2e1fd43c29b691166d
Author: Volker Lendecke <[email protected]>
Date:   Sat May 2 15:18:07 2020 +0200

    libsmb: Protect cli_oem_change_password() from rprcnt<2
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14362
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>
    
    Autobuild-User(master): Andreas Schneider <[email protected]>
    Autobuild-Date(master): Tue May  5 17:12:04 UTC 2020 on sn-devel-184

commit ce8b70df7bd63e96723b8e8dc864f1690f5fad7b
Author: Volker Lendecke <[email protected]>
Date:   Sat May 2 15:10:14 2020 +0200

    libsmb: Protect cli_RNetServerEnum against rprcnt<6
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14362
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>

commit 4a9fe4efefa67d6f24efcbe29722a43fc4859fdc
Author: Volker Lendecke <[email protected]>
Date:   Sat May 2 14:59:07 2020 +0200

    libsmb: Protect cli_RNetShareEnum() against rprcnt<6
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14362
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>

commit ae91d67a247424d4ddc89230f52365558d6ff402
Author: Volker Lendecke <[email protected]>
Date:   Sat May 2 14:54:01 2020 +0200

    libsmb: Fix indentation in cli_RNetShareEnum()
    
    Also remove a level of indentation with a "goto done;"
    
    Best review with "git show -b", almost no code change
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14362
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 source3/libsmb/clirap.c | 151 ++++++++++++++++++++++++++++--------------------
 1 file changed, 87 insertions(+), 64 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
index 7896a121fbf..e1f9cea4388 100644
--- a/source3/libsmb/clirap.c
+++ b/source3/libsmb/clirap.c
@@ -107,6 +107,8 @@ int cli_RNetShareEnum(struct cli_state *cli, void 
(*fn)(const char *, uint32_t,
        unsigned int rdrcnt,rprcnt;
        char param[1024];
        int count = -1;
+       bool ok;
+       int res;
 
        /* now send a SMBtrans command with api RNetShareEnum */
        p = param;
@@ -124,74 +126,82 @@ int cli_RNetShareEnum(struct cli_state *cli, void 
(*fn)(const char *, uint32_t,
        SSVAL(p,2,0xFFE0);
        p += 4;
 
-       if (cli_api(cli,
-                   param, PTR_DIFF(p,param), 1024,  /* Param, length, maxlen */
-                   NULL, 0, 0xFFE0,            /* data, length, maxlen - Win2k 
needs a small buffer here too ! */
-                   &rparam, &rprcnt,                /* return params, length */
-                   &rdata, &rdrcnt))                /* return data, length */
-               {
-                       int res = rparam? SVAL(rparam,0) : -1;
-
-                       if (res == 0 || res == ERRmoredata) {
-                               int converter=SVAL(rparam,2);
-                               int i;
-                               char *rdata_end = rdata + rdrcnt;
-
-                               count=SVAL(rparam,4);
-                               p = rdata;
-
-                               for (i=0;i<count;i++,p+=20) {
-                                       char *sname;
-                                       int type;
-                                       int comment_offset;
-                                       const char *cmnt;
-                                       const char *p1;
-                                       char *s1, *s2;
-                                       size_t len;
-                                       TALLOC_CTX *frame = talloc_stackframe();
-
-                                       if (p + 20 > rdata_end) {
-                                               TALLOC_FREE(frame);
-                                               break;
-                                       }
-
-                                       sname = p;
-                                       type = SVAL(p,14);
-                                       comment_offset = (IVAL(p,16) & 0xFFFF) 
- converter;
-                                       if (comment_offset < 0 ||
-                                                       comment_offset > 
(int)rdrcnt) {
-                                               TALLOC_FREE(frame);
-                                               break;
-                                       }
-                                       cmnt = 
comment_offset?(rdata+comment_offset):"";
-
-                                       /* Work out the comment length. */
-                                       for (p1 = cmnt, len = 0; *p1 &&
-                                                       p1 < rdata_end; len++)
-                                               p1++;
-                                       if (!*p1) {
-                                               len++;
-                                       }
-                                       pull_string_talloc(frame,rdata,0,
-                                               &s1,sname,14,STR_ASCII);
-                                       pull_string_talloc(frame,rdata,0,
-                                               &s2,cmnt,len,STR_ASCII);
-                                       if (!s1 || !s2) {
-                                               TALLOC_FREE(frame);
-                                               continue;
-                                       }
-
-                                       fn(s1, type, s2, state);
+       ok = cli_api(
+               cli,
+               param, PTR_DIFF(p,param), 1024,  /* Param, length, maxlen */
+               NULL, 0, 0xFFE0,            /* data, length, maxlen - Win2k 
needs a small buffer here too ! */
+               &rparam, &rprcnt,                /* return params, length */
+               &rdata, &rdrcnt);                /* return data, length */
+       if (!ok) {
+               DEBUG(4,("NetShareEnum failed\n"));
+               goto done;
+       }
 
-                                       TALLOC_FREE(frame);
-                               }
-                       } else {
-                               DEBUG(4,("NetShareEnum res=%d\n", res));
+       if (rprcnt < 6) {
+               DBG_ERR("Got invalid result: rprcnt=%u\n", rprcnt);
+               goto done;
+       }
+
+       res = rparam? SVAL(rparam,0) : -1;
+
+       if (res == 0 || res == ERRmoredata) {
+               int converter=SVAL(rparam,2);
+               int i;
+               char *rdata_end = rdata + rdrcnt;
+
+               count=SVAL(rparam,4);
+               p = rdata;
+
+               for (i=0;i<count;i++,p+=20) {
+                       char *sname;
+                       int type;
+                       int comment_offset;
+                       const char *cmnt;
+                       const char *p1;
+                       char *s1, *s2;
+                       size_t len;
+                       TALLOC_CTX *frame = talloc_stackframe();
+
+                       if (p + 20 > rdata_end) {
+                               TALLOC_FREE(frame);
+                               break;
                        }
-               } else {
-                       DEBUG(4,("NetShareEnum failed\n"));
+
+                       sname = p;
+                       type = SVAL(p,14);
+                       comment_offset = (IVAL(p,16) & 0xFFFF) - converter;
+                       if (comment_offset < 0 ||
+                           comment_offset > (int)rdrcnt) {
+                               TALLOC_FREE(frame);
+                               break;
+                       }
+                       cmnt = comment_offset?(rdata+comment_offset):"";
+
+                       /* Work out the comment length. */
+                       for (p1 = cmnt, len = 0; *p1 &&
+                                    p1 < rdata_end; len++)
+                               p1++;
+                       if (!*p1) {
+                               len++;
+                       }
+                       pull_string_talloc(frame,rdata,0,
+                                          &s1,sname,14,STR_ASCII);
+                       pull_string_talloc(frame,rdata,0,
+                                          &s2,cmnt,len,STR_ASCII);
+                       if (!s1 || !s2) {
+                               TALLOC_FREE(frame);
+                               continue;
+                       }
+
+                       fn(s1, type, s2, state);
+
+                       TALLOC_FREE(frame);
                }
+       } else {
+                       DEBUG(4,("NetShareEnum res=%d\n", res));
+       }
 
+done:
        SAFE_FREE(rparam);
        SAFE_FREE(rdata);
 
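Review bot: The comment-length loop that now sits at `for (p1 = cmnt, len = 0; *p1 && p1 < rdata_end; len++)` dereferences `*p1` before testing the bound, so when a comment runs to the end of the reply the byte at `rdata_end` is read, and the following `if (!*p1)` reads it again; the `comment_offset > (int)rdrcnt` check also lets `cmnt` start exactly at `rdata_end`. Swapping the two operands is not enough, because `cmnt` may be the literal `""`, which must not be compared against `rdata_end`, so the empty-comment case needs its own branch, as below. The new `rprcnt < 6` guard covers the three `SVAL` reads at offsets 0, 2 and 4; a short comment such as `/* status, converter, count: 3 x 16-bit */` or a named constant would make that explicit here and at the same check in cli_NetServerEnum. The `DEBUG` line in the trailing `else` is indented one level too deep. cli_RNetShareEnum begins and ends outside this hunk.
```c
/* … unchanged: p + 20 bound check, sname, type, comment_offset range check … */
if (comment_offset == 0) {
        cmnt = "";
        len = 1;        /* empty comment: just the terminator */
} else {
        cmnt = rdata + comment_offset;
        /* Test the bound before dereferencing so rdata_end[0] is never read. */
        for (p1 = cmnt, len = 0; p1 < rdata_end && *p1; len++) {
                p1++;
        }
        if (p1 < rdata_end) {
                len++;  /* terminator lies inside the buffer, include it */
        }
}
/* … unchanged: pull_string_talloc calls, fn() callback, TALLOC_FREE … */
```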
@@ -295,6 +305,13 @@ bool cli_NetServerEnum(struct cli_state *cli, char 
*workgroup, uint32_t stype,
                }
 
                rdata_end = rdata + rdrcnt;
+
+               if (rprcnt < 6) {
+                       DBG_ERR("Got invalid result: rprcnt=%u\n", rprcnt);
+                       res = -1;
+                       break;
+               }
+
                res = rparam ? SVAL(rparam,0) : -1;
 
                if (res == 0 || res == ERRmoredata ||
@@ -518,10 +535,16 @@ bool cli_oem_change_password(struct cli_state *cli, const 
char *user, const char
                return False;
        }
 
+       if (rdrcnt < 2) {
+               cli->rap_error = ERRbadformat;
+               goto done;
+       }
+
        if (rparam) {
                cli->rap_error = SVAL(rparam,0);
        }
 
+done:
        SAFE_FREE(rparam);
        SAFE_FREE(rdata);
 
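Review bot: The new guard at `if (rdrcnt < 2) {` tests the returned data length, but the value it is meant to protect is `SVAL(rparam,0)` two lines below, which reads from the return-parameter buffer whose length is `rprcnt`; the commit title itself says rprcnt<2, so this should read `if (rprcnt < 2) {`. As written, a reply carrying zero or one parameter bytes but at least two data bytes still reaches the `SVAL` read. Whether the out-length variable passed to cli_api in this function is actually named `rprcnt` cannot be seen in the hunk; confirm against the call site above it. cli_oem_change_password continues outside the hunk in both directions.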


-- 
Samba Shared Repository
