From f781c9c693462b89b60a3662d2a1224c9387a725 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Fri, 10 Feb 2012 08:10:39 +0100
Subject: [PATCH 1/2] v3-3: AndX offsets are increasing strictly monotonically

---
 source/smbd/process.c | 10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

diff --git a/source/smbd/process.c b/source/smbd/process.c
index e861e16..f64e1ce 100644
--- a/source/smbd/process.c
+++ b/source/smbd/process.c
@@ -1160,7 +1160,7 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
 	static char *orig_inbuf;
 	static char *orig_outbuf;
 	int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0);
-	unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
+	static unsigned smb_off2;
 	char *inbuf2, *outbuf2;
 	int outsize2;
 	int new_size;
@@ -1178,8 +1178,16 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
 		/* this is the first part of the chain */
 		orig_inbuf = inbuf;
 		orig_outbuf = outbuf;
+		smb_off2 = 0;
 	}
 
+	if (SVAL(inbuf,smb_vwv1) <= smb_off2) {
+		DEBUG(1, ("AndX offset not increasing\n"));
+		SCVAL(outbuf, smb_vwv0, 0xFF);
+		return outsize;
+	}
+	smb_off2 = SVAL(inbuf, smb_vwv1);
+
 	/*
 	 * The original Win95 redirector dies on a reply to
 	 * a lockingX and read chain unless the chain reply is
-- 
1.7.3.4

From 009bb0be7383777a650a3bc6af1c0d3ab7476ebc Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Fri, 10 Feb 2012 08:39:33 +0100
Subject: [PATCH 2/2] v3-0-test: Port back some packet consistency checks

---
 source/smbd/process.c | 18 ++++++++++++++++++
 1 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/source/smbd/process.c b/source/smbd/process.c
index f64e1ce..8aabef8 100644
--- a/source/smbd/process.c
+++ b/source/smbd/process.c
@@ -1025,6 +1025,7 @@ static int construct_reply(char *inbuf,char *outbuf,int size,int bufsize)
 	int outsize = 0;
 	int msg_type = CVAL(inbuf,0);
 	uint16_t mid = SVAL(inbuf, smb_mid);
+	uint8_t wct = CVAL(inbuf, smb_wct);
 
 	chain_size = 0;
 	file_chain_reset();
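Review bot: `smb_off2` turns into function-static state at the declaration with nothing saying what it now holds or when it is valid; a reader of `static unsigned smb_off2;` cannot tell it is the previous AndX offset of the chain being processed, nor that it is only meaningful because the `chain_size == 0` path resets it. Suggest `static unsigned smb_off2; /* smb_vwv1 of the previous AndX command in this chain; reset to 0 when chain_size == 0 */`. This also relies on the same discipline as the existing static `orig_inbuf`/`orig_outbuf`, i.e. chain_reply being invoked for one chain at a time with no interleaving, which the hunk cannot show. chain_reply's body continues outside the hunk.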
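Review bot: The offset is read twice with `SVAL(inbuf,smb_vwv1)`, once in the comparison and again in the assignment after the if-block, and the comparison carries no comment on why a non-increasing offset is rejected. Reading it once, `unsigned off2 = SVAL(inbuf, smb_vwv1);` / `if (off2 <= smb_off2) {` / `smb_off2 = off2;`, with a comment such as `/* AndX offsets must strictly increase; a chain pointing back at words already processed is malformed and is terminated here */`, makes the intent explicit. Whether `off2` is also bounded against `size` is decided where `inbuf2` is formed later in the function, which is outside this hunk; if it is not, this check alone does not stop an offset beyond the received data, so that should be confirmed. The function body continues past the hunk.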
@@ -1033,6 +1034,23 @@ static int construct_reply(char *inbuf,char *outbuf,int size,int bufsize)
 	if (msg_type != 0)
 		return(reply_special(inbuf,outbuf));
 
+	/* Ensure we have at least wct words and 2 bytes of bcc. */
+	if (smb_size + wct*2 > size) {
+		DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
+			 (unsigned int)wct,
+			 (unsigned int)size));
+		exit_server_cleanly("Invalid SMB request");
+	}
+	/* Ensure bcc is correct. */
+	if (((uint8 *)smb_buf(inbuf)) + smb_buflen(inbuf) > inbuf + size) {
+		DEBUG(0,("init_smb_request: invalid bcc number %u "
+			 "(wct = %u, size %u)\n",
+			 (unsigned int)smb_buflen(inbuf),
+			 (unsigned int)wct,
+			 (unsigned int)size));
+		exit_server_cleanly("Invalid SMB request");
+	}
+
 	construct_reply_common(inbuf, outbuf);
 
 	outsize = switch_message(type,inbuf,outbuf,size,bufsize);
-- 
1.7.3.4
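Review bot: Both new DEBUG messages are prefixed `init_smb_request:`, but the enclosing function is `construct_reply` per the hunk header, so anyone triaging the log will look for a function this tree does not reach here; change both prefixes to `construct_reply:`. The bcc check compares a `uint8 *` against `inbuf + size` (a `char *`) and can form a pointer past the end of the buffer before the comparison; an integer form, `if (smb_size + wct*2 + smb_buflen(inbuf) > size) {`, avoids both, assuming `smb_buf(inbuf)` expands to `inbuf + smb_size + wct*2`, which is not visible here. The `wct` check also has no comment that it must run before `smb_buf`/`smb_buflen` are trusted, which is the reason for its placement. construct_reply's body continues outside the hunk.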