From e1afe1d1c720fefd4434bbeaa55a63536f9a80b1 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Fri, 7 Mar 2003 00:31:32 +0000
Subject: [PATCH] Found at Connectathon, .NET RC1 arranges trans/trans2/nttrans parameters differently to W2K, cope with this. Jeremy.
---
 source/smbd/ipc.c | 103 ++++++++----
 source/smbd/nttrans.c | 434 ++++++++++++++++++++++++++++----------------------
 source/smbd/trans2.c | 93 ++++++++---
 3 files changed, 394 insertions(+), 236 deletions(-)
diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c
index e1c3e7fe4d3..8c8edcdcb35 100644
--- a/source/smbd/ipc.c
+++ b/source/smbd/ipc.c
@@ -368,52 +368,66 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int uint16 *setup=NULL; int outsize = 0; uint16 vuid = SVAL(inbuf,smb_uid); - int tpscnt = SVAL(inbuf,smb_vwv0); - int tdscnt = SVAL(inbuf,smb_vwv1); - int mprcnt = SVAL(inbuf,smb_vwv2); - int mdrcnt = SVAL(inbuf,smb_vwv3); - int msrcnt = CVAL(inbuf,smb_vwv4); + unsigned int tpscnt = SVAL(inbuf,smb_vwv0); + unsigned int tdscnt = SVAL(inbuf,smb_vwv1); + unsigned int mprcnt = SVAL(inbuf,smb_vwv2); + unsigned int mdrcnt = SVAL(inbuf,smb_vwv3); + unsigned int msrcnt = CVAL(inbuf,smb_vwv4); BOOL close_on_completion = BITSETW(inbuf+smb_vwv5,0); BOOL one_way = BITSETW(inbuf+smb_vwv5,1); - int pscnt = SVAL(inbuf,smb_vwv9); - int psoff = SVAL(inbuf,smb_vwv10); - int dscnt = SVAL(inbuf,smb_vwv11); - int dsoff = SVAL(inbuf,smb_vwv12); - int suwcnt = CVAL(inbuf,smb_vwv13); + unsigned int pscnt = SVAL(inbuf,smb_vwv9); + unsigned int psoff = SVAL(inbuf,smb_vwv10); + unsigned int dscnt = SVAL(inbuf,smb_vwv11); + unsigned int dsoff = SVAL(inbuf,smb_vwv12); + unsigned int suwcnt = CVAL(inbuf,smb_vwv13); START_PROFILE(SMBtrans); memset(name, '\0',sizeof(name)); fstrcpy(name,smb_buf(inbuf)); - if (dscnt > tdscnt || pscnt > tpscnt) { - exit_server("invalid trans parameters\n"); - } + if (dscnt > tdscnt || pscnt > tpscnt) + goto bad_param; if (tdscnt) { if((data = (char *)malloc(tdscnt)) == NULL) { - DEBUG(0,("reply_trans: data malloc fail for %d bytes !\n", tdscnt)); + DEBUG(0,("reply_trans: data malloc fail for %u bytes !\n", tdscnt)); END_PROFILE(SMBtrans); return(ERROR_DOS(ERRDOS,ERRnomem)); } + if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt)) + goto bad_param; + if (smb_base(inbuf)+dsoff+dscnt > inbuf + size) + goto bad_param; + memcpy(data,smb_base(inbuf)+dsoff,dscnt); } if (tpscnt) { if((params = (char *)malloc(tpscnt)) == NULL) { - DEBUG(0,("reply_trans: param malloc fail for %d bytes !\n", tpscnt)); + DEBUG(0,("reply_trans: param malloc fail for %u bytes !\n", tpscnt)); 
END_PROFILE(SMBtrans); return(ERROR_DOS(ERRDOS,ERRnomem)); } + if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt)) + goto bad_param; + if (smb_base(inbuf)+psoff+pscnt > inbuf + size) + goto bad_param; + memcpy(params,smb_base(inbuf)+psoff,pscnt); } if (suwcnt) { int i; if((setup = (uint16 *)malloc(suwcnt*sizeof(uint16))) == NULL) { - DEBUG(0,("reply_trans: setup malloc fail for %d bytes !\n", (int)(suwcnt * sizeof(uint16)))); - END_PROFILE(SMBtrans); - return(ERROR_DOS(ERRDOS,ERRnomem)); - } + DEBUG(0,("reply_trans: setup malloc fail for %u bytes !\n", (unsigned int)(suwcnt * sizeof(uint16)))); + END_PROFILE(SMBtrans); + return(ERROR_DOS(ERRDOS,ERRnomem)); + } + if (inbuf+smb_vwv14+(suwcnt*SIZEOFWORD) > inbuf + size) + goto bad_param; + if (inbuf+smb_vwv14+(suwcnt*SIZEOFWORD) > inbuf + size) + goto bad_param; + for (i=0;i tdscnt || pscnt > tpscnt) { - exit_server("invalid trans parameters\n"); - } + if (dscnt > tdscnt || pscnt > tpscnt) + goto bad_param; - if (pcnt) + if (pcnt) { + if (pdisp+pcnt >= tpscnt) + goto bad_param; + if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt)) + goto bad_param; + if (smb_base(inbuf) + poff + pcnt >= inbuf + bufsize) + goto bad_param; + if (params + pdisp < params) + goto bad_param; + memcpy(params+pdisp,smb_base(inbuf)+poff,pcnt); - if (dcnt) + } + + if (dcnt) { + if (ddisp+dcnt >= tdscnt) + goto bad_param; + if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt)) + goto bad_param; + if (smb_base(inbuf) + doff + dcnt >= inbuf + bufsize) + goto bad_param; + if (data + ddisp < data) + goto bad_param; + memcpy(data+ddisp,smb_base(inbuf)+doff,dcnt); + } } @@ -525,4 +562,14 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int END_PROFILE(SMBtrans); return(outsize); + + + bad_param: + + DEBUG(0,("reply_trans: invalid trans parameters\n")); + SAFE_FREE(data); + SAFE_FREE(params); + SAFE_FREE(setup); + END_PROFILE(SMBtrans); + return ERROR_DOS(ERRDOS,ERRinvalidparam); } 
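Review bot: The new secondary-fragment checks `if (pdisp+pcnt >= tpscnt) goto bad_param;` and `if (ddisp+dcnt >= tdscnt) goto bad_param;` reject the last fragment of any multi-part request, because a fragment that exactly completes the buffer has pdisp+pcnt == tpscnt and is fully in bounds; the comparisons should be `>`, and the same `>=` appears on the displacement checks in the nttrans.c and trans2.c secondary loops. Those secondary checks also bound the copy by `inbuf + bufsize`, the capacity handed to receive_next_smb, while the primary path bounds by `size`, so a fragment whose offset+count lies past the received packet but inside the buffer passes the check and copies stale buffer bytes into the request; presumably the received length (smb_len(inbuf)+4 in this code base) is the right limit, again in all three files. The setup-word bound `if (inbuf+smb_vwv14+(suwcnt*SIZEOFWORD) > inbuf + size) goto bad_param;` is emitted twice in a row; drop the duplicate. The ERRnomem returns still leak what was already allocated (the params failure leaks data, the setup failure leaks data and params); with a common cleanup now present, a second label that frees all three before returning ERRnomem would close that. Part of this hunk was lost in transit (the setup copy loop and the head of the secondary-packet hunk are fused), so the opening lines of the secondary loop could not be reviewed.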
diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c
index 006434fb459..d975ddb1ad8 100644
--- a/source/smbd/nttrans.c
+++ b/source/smbd/nttrans.c
@@ -1838,217 +1838,275 @@ static int call_nt_transact_ioctl(connection_struct *conn, /**************************************************************************** Reply to a SMBNTtrans. ****************************************************************************/ + int reply_nttrans(connection_struct *conn, char *inbuf,char *outbuf,int length,int bufsize) { - int outsize = 0; + int outsize = 0; #if 0 /* Not used. */ - uint16 max_setup_count = CVAL(inbuf, smb_nt_MaxSetupCount); - uint32 max_parameter_count = IVAL(inbuf, smb_nt_MaxParameterCount); - uint32 max_data_count = IVAL(inbuf,smb_nt_MaxDataCount); + uint16 max_setup_count = CVAL(inbuf, smb_nt_MaxSetupCount); + uint32 max_parameter_count = IVAL(inbuf, smb_nt_MaxParameterCount); + uint32 max_data_count = IVAL(inbuf,smb_nt_MaxDataCount); #endif /* Not used. */ - uint32 total_parameter_count = IVAL(inbuf, smb_nt_TotalParameterCount); - uint32 total_data_count = IVAL(inbuf, smb_nt_TotalDataCount); - uint32 parameter_count = IVAL(inbuf,smb_nt_ParameterCount); - uint32 parameter_offset = IVAL(inbuf,smb_nt_ParameterOffset); - uint32 data_count = IVAL(inbuf,smb_nt_DataCount); - uint32 data_offset = IVAL(inbuf,smb_nt_DataOffset); - uint16 setup_count = 2*CVAL(inbuf,smb_nt_SetupCount); /* setup count is in *words* */ - uint16 function_code = SVAL( inbuf, smb_nt_Function); - char *params = NULL, *data = NULL, *setup = NULL; - uint32 num_params_sofar, num_data_sofar; - START_PROFILE(SMBnttrans); - - if(global_oplock_break && - ((function_code == NT_TRANSACT_CREATE) || - (function_code == NT_TRANSACT_RENAME))) { - /* - * Queue this open message as we are the process of an oplock break. 
- */ + uint32 total_parameter_count = IVAL(inbuf, smb_nt_TotalParameterCount); + uint32 total_data_count = IVAL(inbuf, smb_nt_TotalDataCount); + uint32 parameter_count = IVAL(inbuf,smb_nt_ParameterCount); + uint32 parameter_offset = IVAL(inbuf,smb_nt_ParameterOffset); + uint32 data_count = IVAL(inbuf,smb_nt_DataCount); + uint32 data_offset = IVAL(inbuf,smb_nt_DataOffset); + uint16 setup_count = 2*CVAL(inbuf,smb_nt_SetupCount); /* setup count is in *words* */ + uint16 function_code = SVAL( inbuf, smb_nt_Function); + char *params = NULL, *data = NULL, *setup = NULL; + uint32 num_params_sofar, num_data_sofar; + START_PROFILE(SMBnttrans); + + if(global_oplock_break && + ((function_code == NT_TRANSACT_CREATE) || + (function_code == NT_TRANSACT_RENAME))) { + /* + * Queue this open message as we are the process of an oplock break. + */ - DEBUG(2,("reply_nttrans: queueing message code 0x%x \ + DEBUG(2,("reply_nttrans: queueing message code 0x%x \ due to being in oplock break state.\n", (unsigned int)function_code )); - push_oplock_pending_smb_message( inbuf, length); - END_PROFILE(SMBnttrans); - return -1; - } + push_oplock_pending_smb_message( inbuf, length); + END_PROFILE(SMBnttrans); + return -1; + } - if (IS_IPC(conn) && (function_code != NT_TRANSACT_CREATE)) { - END_PROFILE(SMBnttrans); - return ERROR_DOS(ERRSRV,ERRaccess); - } + if (IS_IPC(conn) && (function_code != NT_TRANSACT_CREATE)) { + END_PROFILE(SMBnttrans); + return ERROR_DOS(ERRSRV,ERRaccess); + } - outsize = set_message(outbuf,0,0,True); + outsize = set_message(outbuf,0,0,True); - /* - * All nttrans messages we handle have smb_wct == 19 + setup_count. - * Ensure this is so as a sanity check. - */ + /* + * All nttrans messages we handle have smb_wct == 19 + setup_count. + * Ensure this is so as a sanity check. 
+ */ - if(CVAL(inbuf, smb_wct) != 19 + (setup_count/2)) { - DEBUG(2,("Invalid smb_wct %d in nttrans call (should be %d)\n", - CVAL(inbuf, smb_wct), 19 + (setup_count/2))); - END_PROFILE(SMBnttrans); - return ERROR_DOS(ERRSRV,ERRerror); - } + if(CVAL(inbuf, smb_wct) != 19 + (setup_count/2)) { + DEBUG(2,("Invalid smb_wct %d in nttrans call (should be %d)\n", + CVAL(inbuf, smb_wct), 19 + (setup_count/2))); + goto bad_param; + } - /* Allocate the space for the setup, the maximum needed parameters and data */ - - if(setup_count > 0) - setup = (char *)malloc(setup_count); - if (total_parameter_count > 0) - params = (char *)malloc(total_parameter_count); - if (total_data_count > 0) - data = (char *)malloc(total_data_count); + /* Allocate the space for the setup, the maximum needed parameters and data */ + + if(setup_count > 0) + setup = (char *)malloc(setup_count); + if (total_parameter_count > 0) + params = (char *)malloc(total_parameter_count); + if (total_data_count > 0) + data = (char *)malloc(total_data_count); - if ((total_parameter_count && !params) || (total_data_count && !data) || - (setup_count && !setup)) { - safe_free(setup); - safe_free(params); - safe_free(data); - DEBUG(0,("reply_nttrans : Out of memory\n")); - END_PROFILE(SMBnttrans); - return ERROR_DOS(ERRDOS,ERRnomem); - } + if ((total_parameter_count && !params) || (total_data_count && !data) || + (setup_count && !setup)) { + SAFE_FREE(setup); + SAFE_FREE(params); + SAFE_FREE(data); + DEBUG(0,("reply_nttrans : Out of memory\n")); + END_PROFILE(SMBnttrans); + return ERROR_DOS(ERRDOS,ERRnomem); + } - /* Copy the param and data bytes sent with this request into - the params buffer */ - num_params_sofar = parameter_count; - num_data_sofar = data_count; + /* Copy the param and data bytes sent with this request into the params buffer */ + num_params_sofar = parameter_count; + num_data_sofar = data_count; - if (parameter_count > total_parameter_count || data_count > total_data_count) - 
exit_server("reply_nttrans: invalid sizes in packet."); + if (parameter_count > total_parameter_count || data_count > total_data_count) + goto bad_param; - if(setup) { - memcpy( setup, &inbuf[smb_nt_SetupStart], setup_count); - DEBUG(10,("reply_nttrans: setup_count = %d\n", setup_count)); - dump_data(10, setup, setup_count); - } - if(params) { - memcpy( params, smb_base(inbuf) + parameter_offset, parameter_count); - DEBUG(10,("reply_nttrans: parameter_count = %d\n", parameter_count)); - dump_data(10, params, parameter_count); - } - if(data) { - memcpy( data, smb_base(inbuf) + data_offset, data_count); - DEBUG(10,("reply_nttrans: data_count = %d\n",data_count)); - dump_data(10, data, data_count); - } + if(setup) { + DEBUG(10,("reply_nttrans: setup_count = %d\n", setup_count)); + if ((smb_nt_SetupStart + setup_count < smb_nt_SetupStart) || + (smb_nt_SetupStart + setup_count < setup_count)) + goto bad_param; + if (smb_nt_SetupStart + setup_count > length) + goto bad_param; - if(num_data_sofar < total_data_count || num_params_sofar < total_parameter_count) { - /* We need to send an interim response then receive the rest - of the parameter/data bytes */ - outsize = set_message(outbuf,0,0,True); - if (!send_smb(smbd_server_fd(),outbuf)) - exit_server("reply_nttrans: send_smb failed."); + memcpy( setup, &inbuf[smb_nt_SetupStart], setup_count); + dump_data(10, setup, setup_count); + } + if(params) { + DEBUG(10,("reply_nttrans: parameter_count = %d\n", parameter_count)); + if ((parameter_offset + parameter_count < parameter_offset) || + (parameter_offset + parameter_count < parameter_count)) + goto bad_param; + if (smb_base(inbuf) + parameter_offset + parameter_count > inbuf + length) + goto bad_param; + + memcpy( params, smb_base(inbuf) + parameter_offset, parameter_count); + dump_data(10, params, parameter_count); + } + if(data) { + DEBUG(10,("reply_nttrans: data_count = %d\n",data_count)); + if ((data_offset + data_count < data_offset) || (data_offset + data_count < 
data_count)) + goto bad_param; + if (smb_base(inbuf) + data_offset + data_count > inbuf + length) + goto bad_param; + + memcpy( data, smb_base(inbuf) + data_offset, data_count); + dump_data(10, data, data_count); + } - while( num_data_sofar < total_data_count || num_params_sofar < total_parameter_count) { - BOOL ret; + if(num_data_sofar < total_data_count || num_params_sofar < total_parameter_count) { + /* We need to send an interim response then receive the rest + of the parameter/data bytes */ + outsize = set_message(outbuf,0,0,True); + if (!send_smb(smbd_server_fd(),outbuf)) + exit_server("reply_nttrans: send_smb failed."); + + while( num_data_sofar < total_data_count || num_params_sofar < total_parameter_count) { + BOOL ret; + uint32 parameter_displacement; + uint32 data_displacement; + + ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT); + + if((ret && (CVAL(inbuf, smb_com) != SMBnttranss)) || !ret) { + outsize = set_message(outbuf,0,0,True); + if(ret) { + DEBUG(0,("reply_nttrans: Invalid secondary nttrans packet\n")); + } else { + DEBUG(0,("reply_nttrans: %s in getting secondary nttrans response.\n", + (smb_read_error == READ_ERROR) ? 
"error" : "timeout" )); + } + goto bad_param; + } + + /* Revise total_params and total_data in case they have changed downwards */ + if (IVAL(inbuf, smb_nts_TotalParameterCount) < total_parameter_count) + total_parameter_count = IVAL(inbuf, smb_nts_TotalParameterCount); + if (IVAL(inbuf, smb_nts_TotalDataCount) < total_data_count) + total_data_count = IVAL(inbuf, smb_nts_TotalDataCount); + + parameter_count = IVAL(inbuf,smb_nts_ParameterCount); + parameter_offset = IVAL(inbuf, smb_nts_ParameterOffset); + parameter_displacement = IVAL(inbuf, smb_nts_ParameterDisplacement); + num_params_sofar += parameter_count; + + data_count = IVAL(inbuf, smb_nts_DataCount); + data_displacement = IVAL(inbuf, smb_nts_DataDisplacement); + data_offset = IVAL(inbuf, smb_nts_DataDisplacement); + num_data_sofar += data_count; + + if (num_params_sofar > total_parameter_count || num_data_sofar > total_data_count) { + DEBUG(0,("reply_nttrans2: data overflow in secondary nttrans packet")); + goto bad_param; + } - ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT); + if (parameter_count) { + if (parameter_displacement + parameter_count >= total_parameter_count) + goto bad_param; + if ((parameter_displacement + parameter_count < parameter_displacement) || + (parameter_displacement + parameter_count < parameter_count)) + goto bad_param; + if (smb_base(inbuf) + parameter_offset + parameter_count >= inbuf + bufsize) + goto bad_param; + if (params + parameter_displacement < params) + goto bad_param; + + memcpy( ¶ms[parameter_displacement], smb_base(inbuf) + parameter_offset, parameter_count); + } - if((ret && (CVAL(inbuf, smb_com) != SMBnttranss)) || !ret) { - outsize = set_message(outbuf,0,0,True); - if(ret) { - DEBUG(0,("reply_nttrans: Invalid secondary nttrans packet\n")); - } else { - DEBUG(0,("reply_nttrans: %s in getting secondary nttrans response.\n", - (smb_read_error == READ_ERROR) ? 
"error" : "timeout" )); + if (data_count) { + if (data_displacement + data_count >= total_data_count) + goto bad_param; + if ((data_displacement + data_count < data_displacement) || + (data_displacement + data_count < data_count)) + goto bad_param; + if (smb_base(inbuf) + data_offset + data_count >= inbuf + bufsize) + goto bad_param; + if (data + data_displacement < data) + goto bad_param; + + memcpy( &data[data_displacement], smb_base(inbuf)+ data_offset, data_count); + } + } } - SAFE_FREE(params); - SAFE_FREE(data); - SAFE_FREE(setup); - END_PROFILE(SMBnttrans); - return ERROR_DOS(ERRSRV,ERRerror); - } - - /* Revise total_params and total_data in case they have changed downwards */ - total_parameter_count = IVAL(inbuf, smb_nts_TotalParameterCount); - total_data_count = IVAL(inbuf, smb_nts_TotalDataCount); - num_params_sofar += (parameter_count = IVAL(inbuf,smb_nts_ParameterCount)); - num_data_sofar += ( data_count = IVAL(inbuf, smb_nts_DataCount)); - if (num_params_sofar > total_parameter_count || num_data_sofar > total_data_count) - exit_server("reply_nttrans2: data overflow in secondary nttrans packet"); - - memcpy( ¶ms[ IVAL(inbuf, smb_nts_ParameterDisplacement)], - smb_base(inbuf) + IVAL(inbuf, smb_nts_ParameterOffset), parameter_count); - memcpy( &data[IVAL(inbuf, smb_nts_DataDisplacement)], - smb_base(inbuf)+ IVAL(inbuf, smb_nts_DataOffset), data_count); - } - } - if (Protocol >= PROTOCOL_NT1) - SSVAL(outbuf,smb_flg2,SVAL(outbuf,smb_flg2) | FLAGS2_IS_LONG_NAME); - - /* Now we must call the relevant NT_TRANS function */ - switch(function_code) { - case NT_TRANSACT_CREATE: - START_PROFILE_NESTED(NT_transact_create); - outsize = call_nt_transact_create(conn, inbuf, outbuf, length, bufsize, - &setup, ¶ms, &data); - END_PROFILE_NESTED(NT_transact_create); - break; - case NT_TRANSACT_IOCTL: - START_PROFILE_NESTED(NT_transact_ioctl); - outsize = call_nt_transact_ioctl(conn, inbuf, outbuf, - length, bufsize, - &setup, setup_count, - ¶ms, parameter_count, - &data, 
data_count); - END_PROFILE_NESTED(NT_transact_ioctl); - break; - case NT_TRANSACT_SET_SECURITY_DESC: - START_PROFILE_NESTED(NT_transact_set_security_desc); - outsize = call_nt_transact_set_security_desc(conn, inbuf, outbuf, - length, bufsize, - &setup, ¶ms, &data); - END_PROFILE_NESTED(NT_transact_set_security_desc); - break; - case NT_TRANSACT_NOTIFY_CHANGE: - START_PROFILE_NESTED(NT_transact_notify_change); - outsize = call_nt_transact_notify_change(conn, inbuf, outbuf, - length, bufsize, - &setup, ¶ms, &data); - END_PROFILE_NESTED(NT_transact_notify_change); - break; - case NT_TRANSACT_RENAME: - START_PROFILE_NESTED(NT_transact_rename); - outsize = call_nt_transact_rename(conn, inbuf, outbuf, length, + if (Protocol >= PROTOCOL_NT1) + SSVAL(outbuf,smb_flg2,SVAL(outbuf,smb_flg2) | FLAGS2_IS_LONG_NAME); + + /* Now we must call the relevant NT_TRANS function */ + switch(function_code) { + case NT_TRANSACT_CREATE: + START_PROFILE_NESTED(NT_transact_create); + outsize = call_nt_transact_create(conn, inbuf, outbuf, length, bufsize, + &setup, ¶ms, &data); + END_PROFILE_NESTED(NT_transact_create); + break; + case NT_TRANSACT_IOCTL: + START_PROFILE_NESTED(NT_transact_ioctl); + outsize = call_nt_transact_ioctl(conn, inbuf, outbuf, + length, bufsize, + &setup, setup_count, + ¶ms, parameter_count, + &data, data_count); + END_PROFILE_NESTED(NT_transact_ioctl); + break; + case NT_TRANSACT_SET_SECURITY_DESC: + START_PROFILE_NESTED(NT_transact_set_security_desc); + outsize = call_nt_transact_set_security_desc(conn, inbuf, outbuf, + length, bufsize, + &setup, ¶ms, &data); + END_PROFILE_NESTED(NT_transact_set_security_desc); + break; + case NT_TRANSACT_NOTIFY_CHANGE: + START_PROFILE_NESTED(NT_transact_notify_change); + outsize = call_nt_transact_notify_change(conn, inbuf, outbuf, + length, bufsize, + &setup, ¶ms, &data); + END_PROFILE_NESTED(NT_transact_notify_change); + break; + case NT_TRANSACT_RENAME: + START_PROFILE_NESTED(NT_transact_rename); + outsize = 
call_nt_transact_rename(conn, inbuf, outbuf, length, bufsize, - &setup, ¶ms, &data); - END_PROFILE_NESTED(NT_transact_rename); - break; - - case NT_TRANSACT_QUERY_SECURITY_DESC: - START_PROFILE_NESTED(NT_transact_query_security_desc); - outsize = call_nt_transact_query_security_desc(conn, inbuf, outbuf, - length, bufsize, - &setup, ¶ms, &data); - END_PROFILE_NESTED(NT_transact_query_security_desc); - break; - default: - /* Error in request */ - DEBUG(0,("reply_nttrans: Unknown request %d in nttrans call\n", function_code)); - SAFE_FREE(setup); - SAFE_FREE(params); - SAFE_FREE(data); - END_PROFILE(SMBnttrans); - return ERROR_DOS(ERRSRV,ERRerror); - } + &setup, ¶ms, &data); + END_PROFILE_NESTED(NT_transact_rename); + break; + + case NT_TRANSACT_QUERY_SECURITY_DESC: + START_PROFILE_NESTED(NT_transact_query_security_desc); + outsize = call_nt_transact_query_security_desc(conn, inbuf, outbuf, + length, bufsize, + &setup, ¶ms, &data); + END_PROFILE_NESTED(NT_transact_query_security_desc); + break; + default: + /* Error in request */ + DEBUG(0,("reply_nttrans: Unknown request %d in nttrans call\n", function_code)); + SAFE_FREE(setup); + SAFE_FREE(params); + SAFE_FREE(data); + END_PROFILE(SMBnttrans); + return ERROR_DOS(ERRSRV,ERRerror); + } - /* As we do not know how many data packets will need to be - returned here the various call_nt_transact_xxxx calls - must send their own. Thus a call_nt_transact_xxxx routine only - returns a value other than -1 when it wants to send - an error packet. - */ - - SAFE_FREE(setup); - SAFE_FREE(params); - SAFE_FREE(data); - END_PROFILE(SMBnttrans); - return outsize; /* If a correct response was needed the call_nt_transact_xxxx - calls have already sent it. If outsize != -1 then it is - returning an error packet. */ + /* As we do not know how many data packets will need to be + returned here the various call_nt_transact_xxxx calls + must send their own. 
Thus a call_nt_transact_xxxx routine only + returns a value other than -1 when it wants to send + an error packet. + */ + + SAFE_FREE(setup); + SAFE_FREE(params); + SAFE_FREE(data); + END_PROFILE(SMBnttrans); + return outsize; /* If a correct response was needed the call_nt_transact_xxxx + calls have already sent it. If outsize != -1 then it is + returning an error packet. */ + + bad_param: + + SAFE_FREE(params); + SAFE_FREE(data); + SAFE_FREE(setup); + END_PROFILE(SMBnttrans); + return ERROR_DOS(ERRDOS,ERRinvalidparam); } diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c index fa103318268..e581354a69d 100644 --- a/source/smbd/trans2.c +++ b/source/smbd/trans2.c @@ -3186,7 +3186,7 @@ int reply_trans2(connection_struct *conn, char *inbuf,char *outbuf,int length,in unsigned int suwcnt = SVAL(inbuf, smb_suwcnt); unsigned int tran_call = SVAL(inbuf, smb_setup0); char *params = NULL, *data = NULL; - int num_params, num_params_sofar, num_data, num_data_sofar; + unsigned int num_params, num_params_sofar, num_data, num_data_sofar; START_PROFILE(SMBtrans2); if(global_oplock_break && (tran_call == TRANSACT2_OPEN)) { @@ -3225,10 +3225,10 @@ int reply_trans2(connection_struct *conn, char *inbuf,char *outbuf,int length,in (SVAL(inbuf,(smb_setup+6)) == LMFUNC_GETJOBID)) { DEBUG(2,("Got Trans2 DevIOctl jobid\n")); } else { - DEBUG(2,("Invalid smb_sucnt in trans2 call(%d)\n",suwcnt)); + DEBUG(2,("Invalid smb_sucnt in trans2 call(%u)\n",suwcnt)); DEBUG(2,("Transaction is %d\n",tran_call)); END_PROFILE(SMBtrans2); - return ERROR_DOS(ERRSRV,ERRerror); + ERROR_DOS(ERRDOS,ERRinvalidparam); } } 
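Review bot: In the secondary loop, `data_offset = IVAL(inbuf, smb_nts_DataDisplacement);` reads the displacement field a second time where the removed code read smb_nts_DataOffset, so every secondary nttrans fragment's data is copied from (and bounds-checked at) the wrong position in the packet; it should be `data_offset = IVAL(inbuf, smb_nts_DataOffset);`. The overflow diagnostic `DEBUG(0,("reply_nttrans2: data overflow in secondary nttrans packet"));` names a function that does not exist here and lacks a trailing newline; use `reply_nttrans:` and end the string with `\n`. Re-indenting the whole of reply_nttrans in the same commit as the bounds checks makes the logic changes hard to pick out; the whitespace churn would be better as a separate change.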
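Review bot: The invalid-setup-count branch in the @@ -3225 hunk lost its return: `ERROR_DOS(ERRDOS,ERRinvalidparam);` builds the error packet in outbuf and discards the result, so after END_PROFILE(SMBtrans2) the function falls through and keeps processing a request whose suwcnt was just rejected, and the profile accounting is presumably left unbalanced because END_PROFILE has already run. Restore `return ERROR_DOS(ERRDOS,ERRinvalidparam);`. reply_trans2's body begins and ends outside this hunk.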
@@ -3254,10 +3254,22 @@ int reply_trans2(connection_struct *conn, char *inbuf,char *outbuf,int length,in
 if (num_params > total_params || num_data > total_data)
 exit_server("invalid params in reply_trans2");
- if(params)
- memcpy( params, smb_base(inbuf) + SVAL(inbuf, smb_psoff), num_params);
- if(data)
- memcpy( data, smb_base(inbuf) + SVAL(inbuf, smb_dsoff), num_data);
+ if(params) {
+ unsigned int psoff = SVAL(inbuf, smb_psoff);
+ if ((psoff + num_params < psoff) || (psoff + num_params < num_params))
+ goto bad_param;
+ if (smb_base(inbuf) + psoff + num_params > inbuf + length)
+ goto bad_param;
+ memcpy( params, smb_base(inbuf) + psoff, num_params);
+ }
+ if(data) {
+ unsigned int dsoff = SVAL(inbuf, smb_dsoff);
+ if ((dsoff + num_data < dsoff) || (dsoff + num_data < num_data))
+ goto bad_param;
+ if (smb_base(inbuf) + dsoff + num_data > inbuf + length)
+ goto bad_param;
+ memcpy( data, smb_base(inbuf) + dsoff, num_data);
+ }
 if(num_data_sofar < total_data || num_params_sofar < total_params) {
 /* We need to send an interim response then receive the rest
@@ -3269,6 +3281,10 @@ int reply_trans2(connection_struct *conn, char *inbuf,char *outbuf,int length,in
 while (num_data_sofar < total_data || num_params_sofar < total_params) {
 BOOL ret;
+ unsigned int param_disp;
+ unsigned int param_off;
+ unsigned int data_disp;
+ unsigned int data_off;
 ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
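Review bot: `exit_server("invalid params in reply_trans2");` is left in place at the top of this hunk while the identical count check in ipc.c's reply_trans is converted to `goto bad_param` by the same commit, so a trans2 whose primary counts exceed its totals still terminates the server instead of returning ERRinvalidparam. Change it to `if (num_params > total_params || num_data > total_data) goto bad_param;`; the label is added to reply_trans2 by this commit's last hunk. Since the lines right after test `if(params)` and `if(data)`, the buffers appear to be allocated before this point, so the goto is also what frees them on the bad path. reply_trans2's body begins and ends outside the hunk.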
@@ -3280,25 +3296,55 @@ int reply_trans2(connection_struct *conn, char *inbuf,char *outbuf,int length,in
 else
 DEBUG(0,("reply_trans2: %s in getting secondary trans2 response.\n",
 (smb_read_error == READ_ERROR) ? "error" : "timeout" ));
- SAFE_FREE(params);
- SAFE_FREE(data);
- END_PROFILE(SMBtrans2);
- return ERROR_DOS(ERRSRV,ERRerror);
+ goto bad_param;
 }
 /* Revise total_params and total_data in case they have changed downwards */
- total_params = SVAL(inbuf, smb_tpscnt);
- total_data = SVAL(inbuf, smb_tdscnt);
- num_params_sofar += (num_params = SVAL(inbuf,smb_spscnt));
- num_data_sofar += ( num_data = SVAL(inbuf, smb_sdscnt));
+ if (SVAL(inbuf, smb_tpscnt) < total_params)
+ total_params = SVAL(inbuf, smb_tpscnt);
+ if (SVAL(inbuf, smb_tdscnt) < total_data)
+ total_data = SVAL(inbuf, smb_tdscnt);
+
+ num_params = SVAL(inbuf,smb_spscnt);
+ param_off = SVAL(inbuf, smb_spsoff);
+ param_disp = SVAL(inbuf, smb_spsdisp);
+ num_params_sofar += num_params;
+
+ num_data = SVAL(inbuf, smb_sdscnt);
+ data_off = SVAL(inbuf, smb_sdsoff);
+ data_disp = SVAL(inbuf, smb_sdsdisp);
+ num_data_sofar += num_data;
+
 if (num_params_sofar > total_params || num_data_sofar > total_data)
- exit_server("data overflow in trans2");
+ goto bad_param;
- memcpy( ¶ms[ SVAL(inbuf, smb_spsdisp)],
- smb_base(inbuf) + SVAL(inbuf, smb_spsoff), num_params);
- memcpy( &data[SVAL(inbuf, smb_sdsdisp)],
- smb_base(inbuf)+ SVAL(inbuf, smb_sdsoff), num_data);
+ if (num_params) {
+ if (param_disp + num_params >= total_params)
+ goto bad_param;
+ if ((param_disp + num_params < param_disp) ||
+ (param_disp + num_params < num_params))
+ goto bad_param;
+ if (smb_base(inbuf) + param_off + num_params >= inbuf + bufsize)
+ goto bad_param;
+ if (params + param_disp < params)
+ goto bad_param;
+
+ memcpy( ¶ms[param_disp], smb_base(inbuf) + param_off, num_params);
+ }
+ if (num_data) {
+ if (data_disp + num_data >= total_data)
+ goto bad_param;
+ if ((data_disp + num_data < data_disp) ||
+ (data_disp + num_data < num_data))
+ goto bad_param;
+ if (smb_base(inbuf) + data_off + num_data >= inbuf + bufsize)
+ goto bad_param;
+ if (data + data_disp < data)
+ goto bad_param;
+
+ memcpy( &data[data_disp], smb_base(inbuf) + data_off, num_data);
+ }
 }
 }
@@ -3411,4 +3457,11 @@ int reply_trans2(connection_struct *conn, char *inbuf,char *outbuf,int length,in
 return outsize; /* If a correct response was needed the call_trans2xxx calls have already sent it. If outsize != -1 then it is returning */
+
+ bad_param:
+
+ SAFE_FREE(params);
+ SAFE_FREE(data);
+ END_PROFILE(SMBtrans2);
+ return ERROR_DOS(ERRDOS,ERRinvalidparam);
 }
-- 
2.11.4.GIT
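Review bot: The pointer checks `if (params + param_disp < params) goto bad_param;` and `if (data + data_disp < data) goto bad_param;` are dead code once the preceding displacement tests have passed: param_disp is then below total_params, the size params was allocated with, so params + param_disp stays inside the object and the comparison can never be true. Dropping them leaves the checks that matter, the displacement/count overflow test and the packet bound, easier to read. The `if (num_params)` and `if (num_data)` guards are sound as written, because a fragment carrying bytes for a zero-length total is already caught by the `num_params_sofar > total_params || num_data_sofar > total_data` test just above them. reply_trans2's body continues outside the hunk.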