data, data_count, max_data_count);
return (cli_receive_trans(cli, SMBtrans,
- rparam, (int *)rparam_count,
- rdata, (int *)rdata_count));
+ rparam, (unsigned int *)rparam_count,
+ rdata, (unsigned int *)rdata_count));
}
/****************************************************************************
BOOL cli_api(struct cli_state *cli,
char *param, int prcnt, int mprcnt,
char *data, int drcnt, int mdrcnt,
- char **rparam, int *rprcnt,
- char **rdata, int *rdrcnt)
+ char **rparam, unsigned int *rprcnt,
+ char **rdata, unsigned int *rdrcnt)
{
cli_send_trans(cli,SMBtrans,
PIPE_LANMAN, /* Name */
char *p = param;
unsigned char old_pw_hash[16];
unsigned char new_pw_hash[16];
- int data_len;
- int param_len = 0;
+ unsigned int data_len;
+ unsigned int param_len = 0;
char *rparam = NULL;
char *rdata = NULL;
int rprcnt, rdrcnt;
time_t *c_time, time_t *a_time, time_t *m_time,
size_t *size, uint16 *mode)
{
- int data_len = 0;
- int param_len = 0;
- int rparam_len, rdata_len;
+ unsigned int data_len = 0;
+ unsigned int param_len = 0;
+ unsigned int rparam_len, rdata_len;
uint16 setup = TRANSACT2_QPATHINFO;
pstring param;
char *rparam=NULL, *rdata=NULL;
time_t *w_time, size_t *size, uint16 *mode,
SMB_INO_T *ino)
{
- int data_len = 0;
- int param_len = 0;
+ unsigned int data_len = 0;
+ unsigned int param_len = 0;
uint16 setup = TRANSACT2_QPATHINFO;
pstring param;
char *rparam=NULL, *rdata=NULL;
BOOL cli_qfilename(struct cli_state *cli, int fnum,
pstring name)
{
- int data_len = 0;
- int param_len = 0;
+ unsigned int data_len = 0;
+ unsigned int param_len = 0;
uint16 setup = TRANSACT2_QFILEINFO;
pstring param;
char *rparam=NULL, *rdata=NULL;
time_t *c_time, time_t *a_time, time_t *m_time,
time_t *w_time, SMB_INO_T *ino)
{
- int data_len = 0;
- int param_len = 0;
+ unsigned int data_len = 0;
+ unsigned int param_len = 0;
uint16 setup = TRANSACT2_QFILEINFO;
pstring param;
char *rparam=NULL, *rdata=NULL;
****************************************************************************/
BOOL cli_qfileinfo_test(struct cli_state *cli, int fnum, int level, char *outdata)
{
- int data_len = 0;
- int param_len = 0;
+ unsigned int data_len = 0;
+ unsigned int param_len = 0;
uint16 setup = TRANSACT2_QFILEINFO;
pstring param;
char *rparam=NULL, *rdata=NULL;
****************************************************************************/
NTSTATUS cli_qpathinfo_alt_name(struct cli_state *cli, const char *fname, fstring alt_name)
{
- int data_len = 0;
- int param_len = 0;
+ unsigned int data_len = 0;
+ unsigned int param_len = 0;
uint16 setup = TRANSACT2_QPATHINFO;
pstring param;
char *rparam=NULL, *rdata=NULL;
/****************************************************************************
- send a SMB trans or trans2 request
- ****************************************************************************/
+ Send a SMB trans or trans2 request.
+****************************************************************************/
+
BOOL cli_send_trans(struct cli_state *cli, int trans,
const char *pipe_name,
int fid, int flags,
- uint16 *setup, int lsetup, int msetup,
- char *param, int lparam, int mparam,
- char *data, int ldata, int mdata)
+ uint16 *setup, unsigned int lsetup, unsigned int msetup,
+ char *param, unsigned int lparam, unsigned int mparam,
+ char *data, unsigned int ldata, unsigned int mdata)
{
int i;
- int this_ldata,this_lparam;
- int tot_data=0,tot_param=0;
+ unsigned int this_ldata,this_lparam;
+ unsigned int tot_data=0,tot_param=0;
char *outdata,*outparam;
char *p;
int pipe_name_len=0;
cli_setup_bcc(cli, outdata+this_ldata);
show_msg(cli->outbuf);
- cli_send_smb(cli);
+ if (!cli_send_smb(cli))
+ return False;
if (this_ldata < ldata || this_lparam < lparam) {
/* receive interim response */
- if (!cli_receive_smb(cli) ||
- cli_is_error(cli)) {
+ if (!cli_receive_smb(cli) || cli_is_error(cli))
return(False);
- }
tot_data = this_ldata;
tot_param = this_lparam;
cli_setup_bcc(cli, outdata+this_ldata);
show_msg(cli->outbuf);
- cli_send_smb(cli);
+ if (!cli_send_smb(cli))
+ return False;
tot_data += this_ldata;
tot_param += this_lparam;
return(True);
}
-
/****************************************************************************
- receive a SMB trans or trans2 response allocating the necessary memory
- ****************************************************************************/
+ Receive a SMB trans or trans2 response allocating the necessary memory.
+****************************************************************************/
+
BOOL cli_receive_trans(struct cli_state *cli,int trans,
- char **param, int *param_len,
- char **data, int *data_len)
+ char **param, unsigned int *param_len,
+ char **data, unsigned int *data_len)
{
- int total_data=0;
- int total_param=0;
- int this_data,this_param;
+ unsigned int total_data=0;
+ unsigned int total_param=0;
+ unsigned int this_data,this_param;
NTSTATUS status;
char *tdata;
char *tparam;
*/
status = cli_nt_error(cli);
- if (NT_STATUS_IS_ERR(status)) {
+ if (NT_STATUS_IS_ERR(status))
return False;
- }
/* parse out the lengths */
total_data = SVAL(cli->inbuf,smb_tdrcnt);
*param = tparam;
}
- while (1) {
+ for (;;) {
this_data = SVAL(cli->inbuf,smb_drcnt);
this_param = SVAL(cli->inbuf,smb_prcnt);
return False;
}
- if (this_data)
- memcpy(*data + SVAL(cli->inbuf,smb_drdisp),
- smb_base(cli->inbuf) + SVAL(cli->inbuf,smb_droff),
- this_data);
- if (this_param)
- memcpy(*param + SVAL(cli->inbuf,smb_prdisp),
- smb_base(cli->inbuf) + SVAL(cli->inbuf,smb_proff),
- this_param);
+ if (this_data + *data_len < this_data ||
+ this_data + *data_len < *data_len ||
+ this_param + *param_len < this_param ||
+ this_param + *param_len < *param_len) {
+ DEBUG(1,("Data overflow in cli_receive_trans\n"));
+ return False;
+ }
+
+ if (this_data) {
+ unsigned int data_offset_out = SVAL(cli->inbuf,smb_drdisp);
+ unsigned int data_offset_in = SVAL(cli->inbuf,smb_droff);
+
+ if (data_offset_out > total_data ||
+ data_offset_out + this_data > total_data ||
+ data_offset_out + this_data < data_offset_out ||
+ data_offset_out + this_data < this_data) {
+ DEBUG(1,("Data overflow in cli_receive_trans\n"));
+ return False;
+ }
+ if (data_offset_in > cli->bufsize ||
+ data_offset_in + this_data > cli->bufsize ||
+ data_offset_in + this_data < data_offset_in ||
+ data_offset_in + this_data < this_data) {
+ DEBUG(1,("Data overflow in cli_receive_trans\n"));
+ return False;
+ }
+
+ memcpy(*data + data_offset_out, smb_base(cli->inbuf) + data_offset_in, this_data);
+ }
+ if (this_param) {
+ unsigned int param_offset_out = SVAL(cli->inbuf,smb_prdisp);
+ unsigned int param_offset_in = SVAL(cli->inbuf,smb_proff);
+
+ if (param_offset_out > total_param ||
+ param_offset_out + this_param > total_param ||
+ param_offset_out + this_param < param_offset_out ||
+ param_offset_out + this_param < this_param) {
+ DEBUG(1,("Param overflow in cli_receive_trans\n"));
+ return False;
+ }
+ if (param_offset_in > cli->bufsize ||
+ param_offset_in + this_param > cli->bufsize ||
+ param_offset_in + this_param < param_offset_in ||
+ param_offset_in + this_param < this_param) {
+ DEBUG(1,("Param overflow in cli_receive_trans\n"));
+ return False;
+ }
+
+ memcpy(*param + param_offset_out, smb_base(cli->inbuf) + param_offset_in, this_param);
+ }
*data_len += this_data;
*param_len += this_param;
- /* parse out the total lengths again - they can shrink! */
- total_data = SVAL(cli->inbuf,smb_tdrcnt);
- total_param = SVAL(cli->inbuf,smb_tprcnt);
-
if (total_data <= *data_len && total_param <= *param_len)
break;
if (NT_STATUS_IS_ERR(cli_nt_error(cli))) {
return(False);
}
+
+ /* parse out the total lengths again - they can shrink! */
+ if (SVAL(cli->inbuf,smb_tdrcnt) < total_data)
+ total_data = SVAL(cli->inbuf,smb_tdrcnt);
+ if (SVAL(cli->inbuf,smb_tprcnt) < total_param)
+ total_param = SVAL(cli->inbuf,smb_tprcnt);
+
+ if (total_data <= *data_len && total_param <= *param_len)
+ break;
+
}
return(True);
}
-
-
-
/****************************************************************************
- send a SMB nttrans request
- ****************************************************************************/
+ Send a SMB nttrans request.
+****************************************************************************/
+
BOOL cli_send_nt_trans(struct cli_state *cli,
int function,
int flags,
- uint16 *setup, int lsetup, int msetup,
- char *param, int lparam, int mparam,
- char *data, int ldata, int mdata)
+ uint16 *setup, unsigned int lsetup, unsigned int msetup,
+ char *param, unsigned int lparam, unsigned int mparam,
+ char *data, unsigned int ldata, unsigned int mdata)
{
- int i;
- int this_ldata,this_lparam;
- int tot_data=0,tot_param=0;
+ unsigned int i;
+ unsigned int this_ldata,this_lparam;
+ unsigned int tot_data=0,tot_param=0;
char *outdata,*outparam;
this_lparam = MIN(lparam,cli->max_xmit - (500+lsetup*2)); /* hack */
cli_setup_bcc(cli, outdata+this_ldata);
show_msg(cli->outbuf);
- cli_send_smb(cli);
+ if (!cli_send_smb(cli))
+ return False;
if (this_ldata < ldata || this_lparam < lparam) {
/* receive interim response */
- if (!cli_receive_smb(cli) ||
- cli_is_error(cli)) {
+ if (!cli_receive_smb(cli) || cli_is_error(cli))
return(False);
- }
tot_data = this_ldata;
tot_param = this_lparam;
cli_setup_bcc(cli, outdata+this_ldata);
show_msg(cli->outbuf);
- cli_send_smb(cli);
+ if (!cli_send_smb(cli))
+ return False;
tot_data += this_ldata;
tot_param += this_lparam;
/****************************************************************************
receive a SMB nttrans response allocating the necessary memory
****************************************************************************/
+
BOOL cli_receive_nt_trans(struct cli_state *cli,
- char **param, int *param_len,
- char **data, int *data_len)
+ char **param, unsigned int *param_len,
+ char **data, unsigned int *data_len)
{
- int total_data=0;
- int total_param=0;
- int this_data,this_param;
+ unsigned int total_data=0;
+ unsigned int total_param=0;
+ unsigned int this_data,this_param;
uint8 eclass;
uint32 ecode;
char *tdata;
if (this_data + *data_len > total_data ||
this_param + *param_len > total_param) {
- DEBUG(1,("Data overflow in cli_receive_trans\n"));
+ DEBUG(1,("Data overflow in cli_receive_nt_trans\n"));
+ return False;
+ }
+
+ if (this_data + *data_len < this_data ||
+ this_data + *data_len < *data_len ||
+ this_param + *param_len < this_param ||
+ this_param + *param_len < *param_len) {
+ DEBUG(1,("Data overflow in cli_receive_nt_trans\n"));
return False;
}
- if (this_data)
- memcpy(*data + SVAL(cli->inbuf,smb_ntr_DataDisplacement),
- smb_base(cli->inbuf) + SVAL(cli->inbuf,smb_ntr_DataOffset),
- this_data);
- if (this_param)
- memcpy(*param + SVAL(cli->inbuf,smb_ntr_ParameterDisplacement),
- smb_base(cli->inbuf) + SVAL(cli->inbuf,smb_ntr_ParameterOffset),
- this_param);
+ if (this_data) {
+ unsigned int data_offset_out = SVAL(cli->inbuf,smb_ntr_DataDisplacement);
+ unsigned int data_offset_in = SVAL(cli->inbuf,smb_ntr_DataOffset);
+
+ if (data_offset_out > total_data ||
+ data_offset_out + this_data > total_data ||
+ data_offset_out + this_data < data_offset_out ||
+ data_offset_out + this_data < this_data) {
+ DEBUG(1,("Data overflow in cli_receive_nt_trans\n"));
+ return False;
+ }
+ if (data_offset_in > cli->bufsize ||
+ data_offset_in + this_data > cli->bufsize ||
+ data_offset_in + this_data < data_offset_in ||
+ data_offset_in + this_data < this_data) {
+ DEBUG(1,("Data overflow in cli_receive_nt_trans\n"));
+ return False;
+ }
+
+ memcpy(*data + data_offset_out, smb_base(cli->inbuf) + data_offset_in, this_data);
+ }
+
+ if (this_param) {
+ unsigned int param_offset_out = SVAL(cli->inbuf,smb_ntr_ParameterDisplacement);
+ unsigned int param_offset_in = SVAL(cli->inbuf,smb_ntr_ParameterOffset);
+
+ if (param_offset_out > total_param ||
+ param_offset_out + this_param > total_param ||
+ param_offset_out + this_param < param_offset_out ||
+ param_offset_out + this_param < this_param) {
+ DEBUG(1,("Param overflow in cli_receive_nt_trans\n"));
+ return False;
+ }
+ if (param_offset_in > cli->bufsize ||
+ param_offset_in + this_param > cli->bufsize ||
+ param_offset_in + this_param < param_offset_in ||
+ param_offset_in + this_param < this_param) {
+ DEBUG(1,("Param overflow in cli_receive_nt_trans\n"));
+ return False;
+ }
+
+ memcpy(*param + param_offset_out, smb_base(cli->inbuf) + param_offset_in, this_param);
+ }
+
*data_len += this_data;
*param_len += this_param;
- /* parse out the total lengths again - they can shrink! */
- total_data = SVAL(cli->inbuf,smb_ntr_TotalDataCount);
- total_param = SVAL(cli->inbuf,smb_ntr_TotalParameterCount);
-
if (total_data <= *data_len && total_param <= *param_len)
break;
!(eclass == ERRDOS && ecode == ERRmoredata))
return(False);
}
+ /* parse out the total lengths again - they can shrink! */
+ if (SVAL(cli->inbuf,smb_ntr_TotalDataCount) < total_data)
+ total_data = SVAL(cli->inbuf,smb_ntr_TotalDataCount);
+ if (SVAL(cli->inbuf,smb_ntr_TotalParameterCount) < total_param)
+ total_param = SVAL(cli->inbuf,smb_ntr_TotalParameterCount);
+
+ if (total_data <= *data_len && total_param <= *param_len)
+ break;
}
return(True);
git.samba.org / abartlet / samba.git / .git / commitdiff