int len = 4;
/* send a session request (RFC 8002) */
- strcpy(dest,desthost);
+ fstrcpy(dest,desthost);
+
p = strchr(dest,'.');
if (p) *p = 0;
outbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
}
- strcpy(dev,"A:");
+ pstrcpy(dev,"A:");
if (connect_as_printer)
- strcpy(dev,"LPT1:");
+ pstrcpy(dev,"LPT1:");
if (connect_as_ipc)
- strcpy(dev,"IPC");
+ pstrcpy(dev,"IPC");
if (start_session && !cli_send_session_request(inbuf,outbuf))
{
fstring pword;
int passlen = strlen(pass)+1;
- strcpy(pword,pass);
+ fstrcpy(pword,pass);
if (doencrypt && *pass) {
DEBUG(5,("Using encrypted passwords\n"));
}
/* if in share level security then don't send a password now */
- if (!(sec_mode & 1)) {strcpy(pword, "");passlen=1;}
+ if (!(sec_mode & 1)) {fstrcpy(pword, "");passlen=1;}
/* send a session setup command */
bzero(outbuf,smb_size);
{
int passlen = strlen(pass)+1;
fstring pword;
- strcpy(pword,pass);
+ fstrcpy(pword,pass);
if (doencrypt && *pass) {
passlen=24;
/* if in user level security then don't send a password now */
if ((sec_mode & 1)) {
- strcpy(pword, ""); passlen=1;
+ fstrcpy(pword, ""); passlen=1;
}
set_message(outbuf,4,2 + strlen(service) + passlen + strlen(dev),True);
}
else
{
- strcpy(service2,service);
+ pstrcpy(service2,service);
host = strtok(service2,"\\/");
- strcpy(desthost,host);
+ pstrcpy(desthost,host);
}
DEBUG(5,("Opening sockets\n"));
#define WORDMAX 0xFFFF
+/* the maximum password length before we declare a likely attack */
+#define MAX_PASSWORD_LENGTH 200
/* separators for lists */
#define LIST_SEP " \t,;:\n\r"
int rcode;
pstring zfrom, zto;
- strcpy (zfrom, dos_to_unix (from, False));
- strcpy (zto, dos_to_unix (to, False));
+ pstrcpy (zfrom, dos_to_unix (from, False));
+ pstrcpy (zto, dos_to_unix (to, False));
rcode = rename (zfrom, zto);
if (errno == EXDEV)
****************************************************************************/
char *timestring(void )
{
- static char TimeBuf[100];
+ static fstring TimeBuf;
time_t t = time(NULL);
struct tm *tm = LocalTime(&t);
#ifdef NO_STRFTIME
- strcpy(TimeBuf, asctime(tm));
+ fstrcpy(TimeBuf, asctime(tm));
#elif defined(CLIX) || defined(CONVEX)
strftime(TimeBuf,100,"%m/%d/%y %I:%M:%S %p",tm);
#elif defined(AMPM)
if (strequal(user,last_from)) {
DEBUG(3,("Mapped user %s to %s\n",user,last_to));
- strcpy(user,last_to);
+ fstrcpy(user,last_to);
return;
}
if (ret) return(ret);
if (allow_change)
- strcpy(user,user2);
+ fstrcpy(user,user2);
return(NULL);
}
if (*fname == '/')
{
- strcpy(namecopy,fname);
+ pstrcpy(namecopy,fname);
strcpy(fname,".");
strcat(fname,namecopy);
}
pstring s1;
*p = 0;
- strcpy(s1,p+3);
+ pstrcpy(s1,p+3);
if ((p=strrchr(s,'\\')) != NULL)
*p = 0;
pstring s1;
*p = 0;
- strcpy(s1,p+3);
+ pstrcpy(s1,p+3);
if ((p=strrchr(s,'/')) != NULL)
*p = 0;
DEBUG(3,("chdir to %s\n",path));
res = sys_chdir(path);
if (!res)
- strcpy(LastDir,path);
+ pstrcpy(LastDir,path);
return(res);
}
/* remove any double slashes */
string_sub(s,"//","/");
- strcpy(basename,s);
+ pstrcpy(basename,s);
p = strrchr(basename,'/');
if (!p)
if (relative)
{
if (newname[l] == '/')
- strcpy(s,newname + l + 1);
+ pstrcpy(s,newname + l + 1);
else
- strcpy(s,newname+l);
+ pstrcpy(s,newname+l);
}
else
- strcpy(s,newname);
+ pstrcpy(s,newname);
}
ChDir(wd);
int lfill = (len+1) - strlen(Mask);
int l1= (p1 - Mask);
pstring tmp;
- strcpy(tmp,Mask);
+ pstrcpy(tmp,Mask);
memset(tmp+l1,'?',lfill);
- strcpy(tmp + l1 + lfill,Mask + l1 + 1);
- strcpy(Mask,tmp);
+ pstrcpy(tmp + l1 + lfill,Mask + l1 + 1);
+ pstrcpy(Mask,tmp);
}
}
filename_dos(Mask,filepart);
- strcpy(mbeg,filepart);
+ pstrcpy(mbeg,filepart);
if ((p1 = strchr(mbeg,'.')) != NULL)
{
hasdot = True;
*p1 = 0;
p1++;
- strcpy(mext,p1);
+ pstrcpy(mext,p1);
}
else
{
strcpy(mext,"");
if (strlen(mbeg) > 8)
{
- strcpy(mext,mbeg + 8);
+ pstrcpy(mext,mbeg + 8);
mbeg[8] = 0;
}
}
if (*mext)
expand_one(mext,3);
- strcpy(Mask,dirpart);
+ pstrcpy(Mask,dirpart);
if (*dirpart || absolute) strcat(Mask,"\\");
strcat(Mask,mbeg);
strcat(Mask,".");
char *p;
pstring mask2;
- strcpy(mask2,mask);
+ pstrcpy(mask2,mask);
if ((mode & aDIR) != 0)
size = 0;
}
else
{
- *dest = (char *)malloc(l+1);
+ (*dest) = (char *)malloc(l+1);
+ if ((*dest) == NULL) {
+ DEBUG(0,("Out of memory in string_init\n"));
+ return False;
+ }
+
strcpy(*dest,src);
}
return(True);
DEBUG(5,("mask_match str=<%s> regexp=<%s>, case_sig = %d\n", p2, p1, case_sig));
if (trans2) {
- strcpy(ebase,p1);
- strcpy(sbase,p2);
+ fstrcpy(ebase,p1);
+ fstrcpy(sbase,p2);
} else {
if ((p=strrchr(p1,'.'))) {
*p = 0;
- strcpy(ebase,p1);
- strcpy(eext,p+1);
+ fstrcpy(ebase,p1);
+ fstrcpy(eext,p+1);
} else {
- strcpy(ebase,p1);
+ fstrcpy(ebase,p1);
eext[0] = 0;
}
if (!strequal(p2,".") && !strequal(p2,"..") && (p=strrchr(p2,'.'))) {
*p = 0;
- strcpy(sbase,p2);
- strcpy(sext,p+1);
+ fstrcpy(sbase,p2);
+ fstrcpy(sext,p+1);
} else {
- strcpy(sbase,p2);
- strcpy(sext,"");
+ fstrcpy(sbase,p2);
+ fstrcpy(sext,"");
}
}
char *p = strchr(hostname,'.');
if (p) *p = 0;
- strcpy(my_name,hostname);
+ fstrcpy(my_name,hostname);
}
if (ip)
return addr_buf;
}
- strcpy(addr_buf,(char *)inet_ntoa(sockin->sin_addr));
+ fstrcpy(addr_buf,(char *)inet_ntoa(sockin->sin_addr));
global_client_addr_done = True;
return addr_buf;
{
static pstring buf;
- strcpy(buf, dname);
+ pstrcpy(buf, dname);
unix_to_dos(buf, True);
dname = buf;
}
{
return ra_type;
}
+
+
+/*******************************************************************
+safe string copy into a fstring
+********************************************************************/
+void fstrcpy(char *dest, char *src)
+{
+ int maxlength = sizeof(fstring) - 1;
+ if (!dest) {
+ DEBUG(0,("ERROR: NULL dest in fstrcpy\n"));
+ return;
+ }
+
+ if (!src) {
+ *dest = 0;
+ return;
+ }
+
+ while (maxlength-- && *src)
+ *dest++ = *src++;
+ *dest = 0;
+ if (*src) {
+ DEBUG(0,("ERROR: string overflow by %d in fstrcpy\n",
+ strlen(src)));
+ }
+}
+
+/*******************************************************************
+safe string copy into a pstring
+********************************************************************/
+void pstrcpy(char *dest, char *src)
+{
+ int maxlength = sizeof(pstring) - 1;
+ if (!dest) {
+ DEBUG(0,("ERROR: NULL dest in pstrcpy\n"));
+ return;
+ }
+
+ if (!src) {
+ *dest = 0;
+ return;
+ }
+
+ while (maxlength-- && *src)
+ *dest++ = *src++;
+ *dest = 0;
+ if (*src) {
+ DEBUG(0,("ERROR: string overflow by %d in pstrcpy\n",
+ strlen(src)));
+ }
+}
******************************************************************/
void make_nmb_name(struct nmb_name *n,char *name,int type,char *this_scope)
{
- strcpy(n->name,name);
+ fstrcpy(n->name,name);
strupper(n->name);
n->name_type = type;
- strcpy(n->scope,this_scope);
+ fstrcpy(n->scope,this_scope);
}
{
pstring shmem_file_name;
- strcpy(shmem_file_name,lp_lockdir());
+ pstrcpy(shmem_file_name,lp_lockdir());
if (!directory_exist(shmem_file_name,NULL))
mkdir(shmem_file_name,0755);
trim_string(shmem_file_name,"","/");
SSVAL(p,27,BROWSER_ELECTION_VERSION);
SSVAL(p,29,BROWSER_CONSTANT); /* browse signature */
- strcpy(p+31,server_comment);
+ pstrcpy(p+31,server_comment);
p += 31;
p = skip_string(p,1);
- debug_browse_data(outbuf, PTR_DIFF(p,outbuf));
+ debug_browse_data(outbuf, PTR_DIFF(p,outbuf));
/* send the announcement */
send_mailslot_reply(False,BROWSE_MAILSLOT,ClientDGRAM,outbuf,
if(lp_wins_support() == False || wins_subnet == 0)
return;
- strcpy(fname,lp_lockdir());
+ fstrcpy(fname,lp_lockdir());
trim_string(fname,NULL,"/");
strcat(fname,"/");
strcat(fname,WINS_LIST);
- strcpy(fnamenew,fname);
+ fstrcpy(fnamenew,fname);
strcat(fnamenew,".");
f = fopen(fnamenew,"w");
if (!d) return;
- strcpy(fname,lp_lockdir());
+ fstrcpy(fname,lp_lockdir());
trim_string(fname,NULL,"/");
strcat(fname,"/");
strcat(fname,WINS_LIST);
nb_flags_str[strlen(nb_flags_str)-1] = '\0';
/* netbios name. # divides the name from the type (hex): netbios#xx */
- strcpy(name,name_str);
+ pstrcpy(name,name_str);
p = strchr(name,'#');
dump_names();
dump_workgroups();
- strcpy(fname,lp_lockdir());
+ pstrcpy(fname,lp_lockdir());
trim_string(fname,NULL,"/");
strcat(fname,"/");
strcat(fname,SERVER_LIST);
- strcpy(fnamenew,fname);
+ pstrcpy(fnamenew,fname);
strcat(fnamenew,".");
f = fopen(fnamenew,"w");
SIVAL(p,1,criterion);
SIVAL(p,5,timeup*1000); /* ms - despite the spec */
p += 13;
- strcpy(p,name);
+ pstrcpy(p,name);
strupper(p);
p = skip_string(p,1);
token = SVAL(tmp,3);
reply_code = 0x6;
- strcpy(reply_name,myname);
+ fstrcpy(reply_name,myname);
strupper(reply_name);
add_slashes = True;
DEBUG(3,("Domain login request from %s(%s) user=%s token=%x\n",
logname = skip_string(machine,1);
token = SVAL(skip_string(logname,1),0);
- strcpy(reply_name,lp_domain_controller());
+ fstrcpy(reply_name,lp_domain_controller());
if (!*reply_name)
{
/* oo! no domain controller. must be us, then */
- strcpy(reply_name,myname);
+ fstrcpy(reply_name,myname);
reply_code = 0xC;
}
else
{
char *p;
pstring dname;
- strcpy(dname,debugf);
+ pstrcpy(dname,debugf);
if ((p=strrchr(dname,'/'))) *p=0;
strcat(dname,"/corefiles");
mkdir(dname,0700);
if (lp_loaded())
{
pstring fname;
- strcpy(fname,lp_configfile());
+ pstrcpy(fname,lp_configfile());
if (file_exist(fname,NULL) && !strcsequal(fname,servicesf))
{
- strcpy(servicesf,fname);
+ pstrcpy(servicesf,fname);
test = False;
}
}
if (strchr(flags,'M')) {
source = SELF;
- strcpy(myname,name);
+ pstrcpy(myname,name);
}
ipaddr = *interpret_addr2(ip);
pstring nbname;
if (! *myname) {
- strcpy(myname,myhostname);
+ fstrcpy(myname,myhostname);
p = strchr(myname,'.');
if (p) *p = 0;
}
/* Terminate name list */
my_netbios_names[namecount++]=NULL;
- strcpy(local_machine,myname);
+ fstrcpy(local_machine,myname);
trim_string(local_machine," "," ");
p = strchr(local_machine,' ');
if (p)
strncpy(pidFile, optarg, sizeof(pidFile));
break;
case 's':
- strcpy(servicesf,optarg);
+ pstrcpy(servicesf,optarg);
break;
case 'N':
case 'B':
DEBUG(0,("Obsolete option '%c' used\n",opt));
break;
case 'H':
- strcpy(host_file,optarg);
+ pstrcpy(host_file,optarg);
break;
case 'n':
- strcpy(myname,optarg);
+ pstrcpy(myname,optarg);
strupper(myname);
break;
case 'l':
sprintf(debugf,"%s.nmb",optarg);
break;
case 'i':
- strcpy(scope,optarg);
+ pstrcpy(scope,optarg);
strupper(scope);
break;
case 'D':
reload_services(True);
- strcpy(myworkgroup, lp_workgroup());
+ pstrcpy(myworkgroup, lp_workgroup());
if (strequal(myworkgroup,"*")) {
DEBUG(0,("ERROR: a workgroup name of * is no longer supported\n"));
SIVAL(p,0,servertype);
p += 4;
- strcpy(p, work->work_group);
+ pstrcpy(p, work->work_group);
p = skip_string(p,1);
if (cli_call_api(PTR_DIFF(p,param),0, 8,BUFFER_SIZE - SAFETY_MARGIN,
name, work->work_group, inet_ntoa(ip)));
strcpy(workgroup,work->work_group);
- strcpy(desthost,name);
+ fstrcpy(desthost,name);
dest_ip = ip;
if (zero_ip(dest_ip)) return;
{
pstring n2;
- strcpy(n2,fname);
+ pstrcpy(n2,fname);
standard_sub_basic(n2);
f->modtime = file_modtime(n2);
}
pstring n2;
time_t mod_time;
- strcpy(n2,f->name);
+ pstrcpy(n2,f->name);
standard_sub_basic(n2);
DEBUG(6,("file %s -> %s last mod_time: %s\n",
static BOOL handle_include(char *pszParmValue,char **ptr)
{
pstring fname;
- strcpy(fname,pszParmValue);
+ pstrcpy(fname,pszParmValue);
add_to_file_list(fname);
init_globals();
- strcpy(n2,pszFname);
+ pstrcpy(n2,pszFname);
standard_sub_basic(n2);
/* We get sections first, so have to start 'behind' to make up */
if (strlen(p) <= 8 && strlen(p)>strlen(name) && !has_punctuation)
{
- if (!*comment) strcpy(comment,name);
- strcpy(name,p);
+ if (!*comment) pstrcpy(comment,name);
+ pstrcpy(name,p);
continue;
}
strcat(filename,filename1);
}
else
- strcpy(filename,filename1);
+ pstrcpy(filename,filename1);
string_sub(syscmd, "%s", filename);
}
if (p)
{
strcpy(tmp,p+1);
- strcpy(tok[FILETOK],tmp);
+ fstrcpy(tok[FILETOK],tmp);
}
}
char *p = strrchr(tok[LPRNG_FILETOK],'/');
if (p)
{
- strcpy(tmp,p+1);
- strcpy(tok[LPRNG_FILETOK],tmp);
+ fstrcpy(tmp,p+1);
+ fstrcpy(tok[LPRNG_FILETOK],tmp);
}
}
char *p = strrchr(tok[2],'/');
if (p)
{
- strcpy(tmp,p+1);
- strcpy(tok[2],tmp);
+ fstrcpy(tmp,p+1);
+ fstrcpy(tok[2],tmp);
}
}
char *p = strrchr(tok[4],'/');
if (p)
{
- strcpy(tmp,p+1);
- strcpy(tok[4],tmp);
+ fstrcpy(tmp,p+1);
+ fstrcpy(tok[4],tmp);
}
}
if ((p=strchr(tok[2],'!')))
{
string tmp;
- strcpy(tmp,p+1);
- strcpy(tok[2],tmp);
+ fstrcpy(tmp,p+1);
+ fstrcpy(tok[2],tmp);
}
char *p = strrchr(tok[6],'/');
if (p)
{
- strcpy(tmp,p+1);
- strcpy(tok[6],tmp);
+ fstrcpy(tmp,p+1);
+ fstrcpy(tok[6],tmp);
}
}
char *p = strrchr(tok[6],'/');
if (p)
{
- strcpy(tmp,p+1);
- strcpy(tok[6],tmp);
+ fstrcpy(tmp,p+1);
+ fstrcpy(tok[6],tmp);
}
}
/* change guest entries to the current logged in user to make
them appear deletable to windows */
if (sesssetup_user[0] && strequal(buf->user,lp_guestaccount(snum)))
- strcpy(buf->user,sesssetup_user);
+ pstrcpy(buf->user,sesssetup_user);
}
#endif
return(0);
}
- strcpy(syscmd,lpq_command);
+ pstrcpy(syscmd,lpq_command);
string_sub(syscmd,"%p",printername);
standard_sub(cnum,syscmd);
sprintf(jobstr,"%d",jobid);
- strcpy(syscmd,lprm_command);
+ pstrcpy(syscmd,lprm_command);
string_sub(syscmd,"%p",printername);
string_sub(syscmd,"%j",jobstr);
standard_sub(cnum,syscmd);
sprintf(jobstr,"%d",jobid);
- strcpy(syscmd,lpstatus_command);
+ pstrcpy(syscmd,lpstatus_command);
string_sub(syscmd,"%p",printername);
string_sub(syscmd,"%j",jobstr);
standard_sub(cnum,syscmd);
{
pstring s1,s2;
- strcpy(s1,buf);
- strcpy(s2,expected);
+ pstrcpy(s1,buf);
+ pstrcpy(s2,expected);
if (do_match(s1, s2, False))
return(True);
}
}
#if (defined(PASSWD_PROGRAM) && defined(PASSWD_CHAT))
- strcpy(passwordprogram,PASSWD_PROGRAM);
- strcpy(chatsequence,PASSWD_CHAT);
+ pstrcpy(passwordprogram,PASSWD_PROGRAM);
+ pstrcpy(chatsequence,PASSWD_CHAT);
#else
- strcpy(passwordprogram,lp_passwd_program());
- strcpy(chatsequence,lp_passwd_chat());
+ pstrcpy(passwordprogram,lp_passwd_program());
+ pstrcpy(chatsequence,lp_passwd_chat());
#endif
if (!*chatsequence) {
matched = False;
- strcpy(filename,dname);
+ pstrcpy(filename,dname);
if ((strcmp(filename,mask) == 0) ||
(name_map_mangle(filename,True,SNUM(cnum)) &&
pstring line;
BOOL local_list_only;
- strcpy(fname,lp_lockdir());
+ pstrcpy(fname,lp_lockdir());
trim_string(fname,NULL,"/");
strcat(fname,"/");
strcat(fname,SERVER_LIST);
fstring user;
fstring pass1,pass2;
- strcpy(user,p);
+ fstrcpy(user,p);
p = skip_string(p,1);
pstring comment;
uint32 servertype= lp_default_server_announce();
- strcpy(comment,lp_serverstring());
+ pstrcpy(comment,lp_serverstring());
if ((count=get_server_info(SV_TYPE_ALL,&servers,myworkgroup))>0) {
for (i=0;i<count;i++)
if (strequal(servers[i].name,local_machine))
{
servertype = servers[i].type;
- strcpy(comment,servers[i].comment);
+ pstrcpy(comment,servers[i].comment);
}
}
if (servers) free(servers);
p2 = p + usri11_end;
memset(p,0,21);
- strcpy(p+usri11_name,UserName); /* 21 bytes - user name */
+ fstrcpy(p+usri11_name,UserName); /* 21 bytes - user name */
if (uLevel > 0)
{
strcpy(p2,"UserComment");
p2 = skip_string(p2,1);
- /* EEK! the cifsrap.txt doesn't have this in!!!! */
+ /* EEK! the cifsrap.txt doesn't have this in!!!! */
SIVAL(p,usri11_full_name,PTR_DIFF(p2,p)); /* full name */
- strcpy(p2,vuser->real_name); /* simeon */
+ strcpy(p2,vuser->real_name); /* simeon */
p2 = skip_string(p2,1);
}
else
{
#if (defined(NETGROUP) && defined(AUTOMOUNT))
- strcpy(p2, vuser->home_share);
+ strcpy(p2, vuser->home_share);
#else
strcpy(p2,"\\\\%L\\%U");
#endif
struct pack_desc* desc)
{
char buf[100];
- strcpy(buf,SERVICE(snum));
+ strncpy(buf,SERVICE(snum),sizeof(buf)-1);
+ buf[sizeof(buf)-1] = 0;
strupper(buf);
if (uLevel <= 1) {
PACKS(desc,"B9",buf); /* szName */
int dsoff = SVAL(inbuf,smb_vwv12);
int suwcnt = CVAL(inbuf,smb_vwv13);
- StrnCpy(name,smb_buf(inbuf),sizeof(name)-1);
+ fstrcpy(name,smb_buf(inbuf));
+
+ if (dscnt > tdscnt || pscnt > tpscnt) {
+ exit_server("invalid trans parameters\n");
+ }
if (tdscnt)
{
pscnt += pcnt;
dscnt += dcnt;
+ if (dscnt > tdscnt || pscnt > tpscnt) {
+ exit_server("invalid trans parameters\n");
+ }
+
if (pcnt)
memcpy(params+pdisp,smb_base(inbuf)+poff,pcnt);
if (dcnt)
}
if (check_extension && !strchr(mangled_stack[i],'.'))
{
- strcpy(tmpname,mangled_stack[i]);
+ pstrcpy(tmpname,mangled_stack[i]);
strcat(tmpname,extension);
mangle_name_83(tmpname);
if (strequal(tmpname,s))
pstring pat;
StrnCpy(pat, pattern, len); /* Get pattern into a proper string! */
- strcpy(matching_bit,""); /* Match but no star gets this. */
+ pstrcpy(matching_bit,""); /* Match but no star gets this. */
pp = pat; /* Initialise the pointers. */
sp = s;
if ((len == 1) && (*pattern == '*')) {
continue; /* Always check for the end. */
}
if (*end == '*') {
- strcpy(np, match_string);
+ pstrcpy(np, match_string);
np += strlen(match_string);
end++; /* Skip the '*' */
while ((*end) /* Not the end of string. */
}
*np++ = '\0'; /* NULL terminate it. */
DEBUG(5,("End of second in pair '%s'\n", end));
- strcpy(s, new_string); /* Substitute with the new name. */
+ pstrcpy(s, new_string); /* Substitute with the new name. */
DEBUG(5,("s is now '%s'\n", s));
}
start = end; /* Skip a bit which cannot be wanted */
/* put it in a temporary file */
sprintf(s,"%s/msg.XXXXXX",tmpdir());
- strcpy(name,(char *)mktemp(s));
+ fstrcpy(name,(char *)mktemp(s));
fd = open(name,O_WRONLY|O_CREAT|O_TRUNC|O_EXCL,0600);
if (fd == -1) {
/* run the command */
if (*lp_msg_command())
{
- strcpy(s,lp_msg_command());
+ pstrcpy(s,lp_msg_command());
string_sub(s,"%s",name);
string_sub(s,"%f",msgfrom);
string_sub(s,"%t",msgto);
dest = skip_string(orig,1)+1;
msg = skip_string(dest,1)+1;
- strcpy(msgfrom,orig);
- strcpy(msgto,dest);
+ fstrcpy(msgfrom,orig);
+ fstrcpy(msgto,dest);
len = SVAL(msg,0);
len = MIN(len,1600-msgpos);
orig = smb_buf(inbuf)+1;
dest = skip_string(orig,1)+1;
- strcpy(msgfrom,orig);
- strcpy(msgto,dest);
+ fstrcpy(msgfrom,orig);
+ fstrcpy(msgto,dest);
- DEBUG(3,("%s SMBsendstrt (from %s to %s)\n",timestring(),orig,dest));
+ DEBUG(3,("%s SMBsendstrt (from %s to %s)\n",timestring(),msgfrom,msgto));
return(outsize);
}
BOOL bad_path = False;
/* XXXX we need to handle passed times, sattr and flags */
- strcpy(fname,smb_buf(inbuf));
+ pstrcpy(fname,smb_buf(inbuf));
/* If the name doesn't start \PIPE\ then this is directed */
/* at a mailslot or something we really, really don't understand, */
DEBUG(4,("Opening pipe %s.\n", fname));
/* Strip \PIPE\ off the name. */
- strcpy(fname,smb_buf(inbuf) + PIPELEN);
+ pstrcpy(fname,smb_buf(inbuf) + PIPELEN);
/* See if it is one we want to handle. */
for( i = 0; known_pipes[i] ; i++ )
#define GETFNUM(buf,where) (chain_fnum!= -1?chain_fnum:SVAL(buf,where))
+/****************************************************************************
+report a possible attack via the password buffer overflow bug
+****************************************************************************/
+static void overflow_attack(int len)
+{
+ DEBUG(0,("ERROR: Invalid password length %d\n", len));
+ DEBUG(0,("you're machine may be under attack by a user exploiting an old bug\n"));
+ DEBUG(0,("Attack was from IP=%s\n", client_addr()));
+ exit_server("possible attack");
+}
+
+
/****************************************************************************
reply to an special message
****************************************************************************/
smb_setlen(outbuf,0);
switch (msg_type) {
- case 0x81: /* session request */
- CVAL(outbuf,0) = 0x82;
- CVAL(outbuf,3) = 0;
- if (name_len(inbuf+4) > 50) {
- DEBUG(0,("Invalid name length in session request\n"));
- return(0);
- }
- name_extract(inbuf,4,name1);
- name_extract(inbuf,4 + name_len(inbuf + 4),name2);
+ case 0x81: /* session request */
+ CVAL(outbuf,0) = 0x82;
+ CVAL(outbuf,3) = 0;
+ if (name_len(inbuf+4) > 50 || name_len(inbuf+4 + name_len(inbuf + 4)) > 50) {
+ DEBUG(0,("Invalid name length in session request\n"));
+ return(0);
+ }
+ name_extract(inbuf,4,name1);
+ name_extract(inbuf,4 + name_len(inbuf + 4),name2);
DEBUG(2,("netbios connect: name1=%s name2=%s\n",
name1,name2));
-
- strcpy(remote_machine,name2);
- trim_string(remote_machine," "," ");
- p = strchr(remote_machine,' ');
- strlower(remote_machine);
- if (p) *p = 0;
-
- strcpy(local_machine,name1);
- trim_string(local_machine," "," ");
- p = strchr(local_machine,' ');
- strlower(local_machine);
- if (p) *p = 0;
-
- add_session_user(remote_machine);
-
- reload_services(True);
- reopen_logs();
-
- break;
+
+ fstrcpy(remote_machine,name2);
+ trim_string(remote_machine," "," ");
+ p = strchr(remote_machine,' ');
+ strlower(remote_machine);
+ if (p) *p = 0;
+
+ fstrcpy(local_machine,name1);
+ trim_string(local_machine," "," ");
+ p = strchr(local_machine,' ');
+ strlower(local_machine);
+ if (p) *p = 0;
+
+ add_session_user(remote_machine);
+
+ reload_services(True);
+ reopen_logs();
+
+ break;
case 0x89: /* session keepalive request
(some old clients produce this?) */
p2 = strrchr(p,'\\');
if (p2 == NULL)
- strcpy(service,p);
+ fstrcpy(service,p);
else
- strcpy(service,p2+1);
+ fstrcpy(service,p2+1);
p += strlen(p) + 2;
- strcpy(password,p);
+ fstrcpy(password,p);
*pwlen = strlen(password);
p += strlen(p) + 2;
- strcpy(dev,p);
+ fstrcpy(dev,p);
*user = 0;
p = strchr(service,'%');
if (p != NULL)
{
*p = 0;
- strcpy(user,p+1);
+ fstrcpy(user,p+1);
}
}
/* we might have to close an old one */
if ((SVAL(inbuf,smb_vwv2) & 0x1) != 0)
close_cnum(SVAL(inbuf,smb_tid),vuid);
+
+ if (passlen > MAX_PASSWORD_LENGTH) {
+ overflow_attack(passlen);
+ }
{
char *path;
passlen = strlen(password);
}
- DEBUG(4,("parsing net-path %s, passlen=%d\n",path,passlen));
- strcpy(service,path+2);
+ fstrcpy(service,path+2);
p = strchr(service,'\\');
if (!p)
return(ERROR(ERRSRV,ERRinvnetname));
*p = 0;
- strcpy(service,p+1);
+ fstrcpy(service,p+1);
p = strchr(service,'%');
if (p)
{
*p++ = 0;
- strcpy(user,p);
+ fstrcpy(user,p);
}
StrnCpy(devicename,path + strlen(path) + 1,6);
DEBUG(4,("Got device type %s\n",devicename));
if (Protocol < PROTOCOL_NT1) {
smb_apasslen = SVAL(inbuf,smb_vwv7);
+ if (smb_apasslen > MAX_PASSWORD_LENGTH)
+ overflow_attack(smb_apasslen);
+
memcpy(smb_apasswd,smb_buf(inbuf),smb_apasslen);
- StrnCpy(user,smb_buf(inbuf)+smb_apasslen,sizeof(user)-1);
+ pstrcpy(user,smb_buf(inbuf)+smb_apasslen);
- if (lp_security() != SEC_SERVER && !doencrypt)
- smb_apasslen = strlen(smb_apasswd);
+ if (lp_security() != SEC_SERVER && !doencrypt) {
+ smb_apasslen = strlen(smb_apasswd);
+ }
} else {
uint16 passlen1 = SVAL(inbuf,smb_vwv7);
uint16 passlen2 = SVAL(inbuf,smb_vwv8);
if (passlen1 != 24 && passlen2 != 24)
doencrypt = False;
+ if (passlen1 > MAX_PASSWORD_LENGTH) {
+ overflow_attack(passlen1);
+ }
+
+ passlen1 = MIN(passlen1, MAX_PASSWORD_LENGTH);
+ passlen2 = MIN(passlen2, MAX_PASSWORD_LENGTH);
+
if(doencrypt) {
/* Save the lanman2 password and the NT md4 password. */
smb_apasslen = passlen1;
}
p += passlen1 + passlen2;
- strcpy(user,p); p = skip_string(p,1);
+ fstrcpy(user,p); p = skip_string(p,1);
DEBUG(3,("Domain=[%s] NativeOS=[%s] NativeLanMan=[%s]\n",
p,skip_string(p,1),skip_string(p,2)));
}
cnum = SVAL(inbuf,smb_tid);
- strcpy(name,smb_buf(inbuf) + 1);
+ pstrcpy(name,smb_buf(inbuf) + 1);
unix_convert(name,cnum,0,&bad_path);
mode = SVAL(inbuf,smb_vwv0);
cnum = SVAL(inbuf,smb_tid);
- strcpy(fname,smb_buf(inbuf) + 1);
+ pstrcpy(fname,smb_buf(inbuf) + 1);
unix_convert(fname,cnum,0,&bad_path);
/* dos smetimes asks for a stat of "" - it returns a "hidden directory"
cnum = SVAL(inbuf,smb_tid);
- strcpy(fname,smb_buf(inbuf) + 1);
+ pstrcpy(fname,smb_buf(inbuf) + 1);
unix_convert(fname,cnum,0,&bad_path);
mode = SVAL(inbuf,smb_vwv0);
{
pstring dir2;
- strcpy(directory,smb_buf(inbuf)+1);
- strcpy(dir2,smb_buf(inbuf)+1);
+ pstrcpy(directory,smb_buf(inbuf)+1);
+ pstrcpy(dir2,smb_buf(inbuf)+1);
unix_convert(directory,cnum,0,&bad_path);
unix_format(dir2);
else
{
*p = 0;
- strcpy(mask,p+1);
+ pstrcpy(mask,p+1);
}
p = strrchr(directory,'/');
if ((p = strrchr(mask,' ')))
{
fstring ext;
- strcpy(ext,p+1);
+ fstrcpy(ext,p+1);
*p = 0;
trim_string(mask,NULL," ");
strcat(mask,".");
if (!strchr(mask,'.') && strlen(mask)>8)
{
fstring tmp;
- strcpy(tmp,&mask[8]);
+ fstrcpy(tmp,&mask[8]);
mask[8] = '.';
mask[9] = 0;
strcat(mask,tmp);
share_mode = SVAL(inbuf,smb_vwv0);
- strcpy(fname,smb_buf(inbuf)+1);
+ pstrcpy(fname,smb_buf(inbuf)+1);
unix_convert(fname,cnum,0,&bad_path);
fnum = find_free_file();
/* XXXX we need to handle passed times, sattr and flags */
- strcpy(fname,smb_buf(inbuf));
+ pstrcpy(fname,smb_buf(inbuf));
unix_convert(fname,cnum,0,&bad_path);
fnum = find_free_file();
cnum = SVAL(inbuf,smb_tid);
createmode = SVAL(inbuf,smb_vwv0);
- strcpy(fname,smb_buf(inbuf)+1);
+ pstrcpy(fname,smb_buf(inbuf)+1);
unix_convert(fname,cnum,0,&bad_path);
if (createmode & aVOLID)
cnum = SVAL(inbuf,smb_tid);
createmode = SVAL(inbuf,smb_vwv0);
- sprintf(fname,"%s/TMXXXXXX",smb_buf(inbuf)+1);
+ pstrcpy(fname,smb_buf(inbuf)+1);
+ strcat(fname,"/TMXXXXXX");
unix_convert(fname,cnum,0,&bad_path);
unixmode = unix_mode(cnum,createmode);
cnum = SVAL(inbuf,smb_tid);
dirtype = SVAL(inbuf,smb_vwv0);
- strcpy(name,smb_buf(inbuf) + 1);
+ pstrcpy(name,smb_buf(inbuf) + 1);
DEBUG(3,("reply_unlink : %s\n",name));
while ((dname = ReadDirName(dirptr)))
{
pstring fname;
- strcpy(fname,dname);
+ pstrcpy(fname,dname);
if(!mask_match(fname, mask, case_sensitive, False)) continue;
{
pstring s;
char *p;
- StrnCpy(s,smb_buf(inbuf)+1,sizeof(pstring)-1);
+ pstrcpy(s,smb_buf(inbuf)+1);
p = s;
while (*p)
{
int outsize,ret= -1;
BOOL bad_path = False;
- strcpy(directory,smb_buf(inbuf) + 1);
+ pstrcpy(directory,smb_buf(inbuf) + 1);
cnum = SVAL(inbuf,smb_tid);
unix_convert(directory,cnum,0,&bad_path);
BOOL bad_path = False;
cnum = SVAL(inbuf,smb_tid);
- strcpy(directory,smb_buf(inbuf) + 1);
+ pstrcpy(directory,smb_buf(inbuf) + 1);
unix_convert(directory,cnum,0,&bad_path);
if (check_name(directory,cnum))
errno = ENOMEM;
break;
}
- strcpy(fullname, directory);
+ pstrcpy(fullname, directory);
strcat(fullname, "/");
strcat(fullname, dname);
if (!name1 || !name2) return(False);
- strcpy(root1,name1);
- strcpy(root2,name2);
+ fstrcpy(root1,name1);
+ fstrcpy(root2,name2);
p = strrchr(root1,'.');
if (p) {
*p = 0;
- strcpy(ext1,p+1);
+ fstrcpy(ext1,p+1);
} else {
- strcpy(ext1,"");
+ fstrcpy(ext1,"");
}
p = strrchr(root2,'.');
if (p) {
*p = 0;
- strcpy(ext2,p+1);
+ fstrcpy(ext2,p+1);
} else {
- strcpy(ext2,"");
+ fstrcpy(ext2,"");
}
p = root1;
cnum = SVAL(inbuf,smb_tid);
- strcpy(name,smb_buf(inbuf) + 1);
- strcpy(newname,smb_buf(inbuf) + 3 + strlen(name));
+ pstrcpy(name,smb_buf(inbuf) + 1);
+ pstrcpy(newname,smb_buf(inbuf) + 3 + strlen(name));
DEBUG(3,("reply_mv : %s -> %s\n",name,newname));
while ((dname = ReadDirName(dirptr)))
{
pstring fname;
- strcpy(fname,dname);
+ pstrcpy(fname,dname);
if(!mask_match(fname, mask, case_sensitive, False)) continue;
error = ERRnoaccess;
sprintf(fname,"%s/%s",directory,dname);
if (!can_rename(fname,cnum)) continue;
- strcpy(destname,newname);
+ pstrcpy(destname,newname);
if (!resolve_wildcards(fname,destname)) continue;
int fnum1,fnum2;
pstring dest;
- strcpy(dest,dest1);
+ pstrcpy(dest,dest1);
if (target_is_directory) {
char *p = strrchr(src,'/');
if (p)
cnum = SVAL(inbuf,smb_tid);
- strcpy(name,smb_buf(inbuf));
- strcpy(newname,smb_buf(inbuf) + 1 + strlen(name));
+ pstrcpy(name,smb_buf(inbuf));
+ pstrcpy(newname,smb_buf(inbuf) + 1 + strlen(name));
DEBUG(3,("reply_copy : %s -> %s\n",name,newname));
while ((dname = ReadDirName(dirptr)))
{
pstring fname;
- strcpy(fname,dname);
+ pstrcpy(fname,dname);
if(!mask_match(fname, mask, case_sensitive, False)) continue;
if (!CAN_SETDIR(snum))
return(ERROR(ERRDOS,ERRnoaccess));
- strcpy(newdir,smb_buf(inbuf) + 1);
+ pstrcpy(newdir,smb_buf(inbuf) + 1);
strlower(newdir);
if (strlen(newdir) == 0)
(strequal(dname,".") || strequal(dname,"..")))
continue;
- strcpy(name2,dname);
+ pstrcpy(name2,dname);
if (!name_map_mangle(name2,False,SNUM(cnum))) continue;
if ((mangled && mangled_equal(name,name2))
/* remember the rest of the pathname so it can be restored
later */
- if (end) strcpy(rest,end+1);
+ if (end) pstrcpy(rest,end+1);
/* try to find this part of the path in the directory */
if (strchr(start,'?') || strchr(start,'*') ||
Files[fnum].fd_ptr = 0;
errno = EPERM;
- strcpy(fname,fname1);
+ pstrcpy(fname,fname1);
/* check permissions */
if ((flags != O_RDONLY) && !CAN_WRITE(cnum) && !Connections[cnum].printer)
pstring dname;
int dum1,dum2,dum3;
char *p;
- strcpy(dname,fname);
+ pstrcpy(dname,fname);
p = strrchr(dname,'/');
if (p) *p = 0;
if (sys_disk_free(dname,&dum1,&dum2,&dum3) <
int ret;
pstring magic_output;
pstring fname;
- strcpy(fname,Files[fnum].name);
+ pstrcpy(fname,Files[fnum].name);
if (*lp_magicoutput(SNUM(cnum)))
- strcpy(magic_output,lp_magicoutput(SNUM(cnum)));
+ pstrcpy(magic_output,lp_magicoutput(SNUM(cnum)));
else
sprintf(magic_output,"%s.out",fname);
if (lp_loaded())
{
pstring fname;
- strcpy(fname,lp_configfile());
+ pstrcpy(fname,lp_configfile());
if (file_exist(fname,NULL) && !strcsequal(fname,servicesf))
{
- strcpy(servicesf,fname);
+ pstrcpy(servicesf,fname);
test = False;
}
}
{
struct passwd *pass2;
fstring fuser;
- strcpy(fuser,lp_force_user(snum));
+ fstrcpy(fuser,lp_force_user(snum));
pass2 = (struct passwd *)Get_Pwnam(fuser,True);
if (pass2)
{
pcon->uid = pass2->pw_uid;
string_set(&pcon->user,fuser);
- strcpy(user,fuser);
+ fstrcpy(user,fuser);
pcon->force_user = True;
DEBUG(3,("Forced user %s\n",fuser));
}
{
pstring s;
- strcpy(s,lp_pathname(snum));
+ pstrcpy(s,lp_pathname(snum));
standard_sub(cnum,s);
string_set(&pcon->connectpath,s);
DEBUG(3,("Connect path is %s\n",s));
if (*lp_rootpreexec(SNUM(cnum)))
{
pstring cmd;
- strcpy(cmd,lp_rootpreexec(SNUM(cnum)));
+ pstrcpy(cmd,lp_rootpreexec(SNUM(cnum)));
standard_sub(cnum,cmd);
DEBUG(5,("cmd=%s\n",cmd));
smbrun(cmd,NULL,False);
/* resolve any soft links early */
{
pstring s;
- strcpy(s,pcon->connectpath);
+ pstrcpy(s,pcon->connectpath);
GetWd(s);
string_set(&pcon->connectpath,s);
ChDir(pcon->connectpath);
if (*lp_preexec(SNUM(cnum)))
{
pstring cmd;
- strcpy(cmd,lp_preexec(SNUM(cnum)));
+ pstrcpy(cmd,lp_preexec(SNUM(cnum)));
standard_sub(cnum,cmd);
smbrun(cmd,NULL,False);
}
SSVAL(outbuf,smb_vwv0,choice);
if(choice != -1) {
extern fstring remote_proto;
- strcpy(remote_proto,supported_protocols[protocol].short_name);
+ fstrcpy(remote_proto,supported_protocols[protocol].short_name);
reload_services(True);
outsize = supported_protocols[protocol].proto_reply_fn(outbuf);
DEBUG(3,("Selected protocol %s\n",supported_protocols[protocol].proto_name));
bzero(&crec,sizeof(crec));
- strcpy(fname,lp_lockdir());
+ pstrcpy(fname,lp_lockdir());
standard_sub(cnum,fname);
trim_string(fname,"","/");
DEBUG(5,("trying claim %s %s %d\n",lp_lockdir(),name,max_connections));
- strcpy(fname,lp_lockdir());
+ pstrcpy(fname,lp_lockdir());
standard_sub(cnum,fname);
trim_string(fname,"","/");
{
char *p;
pstring dname;
- strcpy(dname,debugf);
+ pstrcpy(dname,debugf);
if ((p=strrchr(dname,'/'))) *p=0;
strcat(dname,"/corefiles");
mkdir(dname,0700);
if(p[1] == '\0')
strcpy(mask,"*.*");
else
- strcpy(mask, p+1);
+ pstrcpy(mask, p+1);
}
else
- strcpy(mask, path_mask);
+ pstrcpy(mask, path_mask);
while (!found)
{
matched = False;
- strcpy(fname,dname);
+ pstrcpy(fname,dname);
if(mask_match(fname, mask, case_sensitive, True))
{
if (isrootdir && isdots)
continue;
- strcpy(pathreal,Connections[cnum].dirpath);
+ pstrcpy(pathreal,Connections[cnum].dirpath);
if(needslash)
strcat(pathreal,"/");
strcat(pathreal,dname);
return(ERROR(ERRDOS,ERRunknownlevel));
}
- strcpy(directory, params + 12); /* Complete directory path with
+ pstrcpy(directory, params + 12); /* Complete directory path with
wildcard mask appended */
DEBUG(5,("path=%s\n",directory));
/* qpathinfo */
info_level = SVAL(params,0);
fname = &fname1[0];
- strcpy(fname,¶ms[6]);
+ pstrcpy(fname,¶ms[6]);
unix_convert(fname,cnum,0,&bad_path);
if (!check_name(fname,cnum) || sys_stat(fname,&sbuf)) {
DEBUG(3,("fileinfo of %s failed (%s)\n",fname,strerror(errno)));
case SMB_QUERY_FILE_ALT_NAME_INFO:
data_size = 4 + l;
SIVAL(pdata,0,l);
- strcpy(pdata+4,fname);
+ pstrcpy(pdata+4,fname);
break;
case SMB_QUERY_FILE_ALLOCATION_INFO:
case SMB_QUERY_FILE_END_OF_FILEINFO:
pdata += 4;
pdata += 4; /* alignment */
SIVAL(pdata,0,l);
- strcpy(pdata+4,fname);
+ pstrcpy(pdata+4,fname);
pdata += 4 + l;
data_size = PTR_DIFF(pdata,(*ppdata));
break;
SIVAL(pdata,4,size);
SIVAL(pdata,12,size);
SIVAL(pdata,20,l);
- strcpy(pdata+24,fname);
+ pstrcpy(pdata+24,fname);
break;
default:
return(ERROR(ERRDOS,ERRunknownlevel));
/* set path info */
info_level = SVAL(params,0);
fname = fname1;
- strcpy(fname,¶ms[6]);
+ pstrcpy(fname,¶ms[6]);
unix_convert(fname,cnum,0,&bad_path);
if(!check_name(fname, cnum))
{
if (!CAN_WRITE(cnum))
return(ERROR(ERRSRV,ERRaccess));
- strcpy(directory, ¶ms[4]);
+ pstrcpy(directory, ¶ms[4]);
DEBUG(3,("call_trans2mkdir : name = %s\n", directory));
num_params = num_params_sofar = SVAL(inbuf,smb_pscnt);
num_data = num_data_sofar = SVAL(inbuf, smb_dscnt);
+ if (num_params > total_params || num_data > total_data)
+ exit_server("invalid params in reply_trans2");
+
memcpy( params, smb_base(inbuf) + SVAL(inbuf, smb_psoff), num_params);
memcpy( data, smb_base(inbuf) + SVAL(inbuf, smb_dsoff), num_data);
total_data = SVAL(inbuf, smb_tdscnt);
num_params_sofar += (num_params = SVAL(inbuf,smb_spscnt));
num_data_sofar += ( num_data = SVAL(inbuf, smb_sdscnt));
+ if (num_params_sofar > total_params || num_data_sofar > total_data)
+ exit_server("data overflow in trans2");
+
memcpy( ¶ms[ SVAL(inbuf, smb_spsdisp)],
smb_base(inbuf) + SVAL(inbuf, smb_spsoff), num_params);
memcpy( &data[SVAL(inbuf, smb_sdsdisp)],
setutent();
- strcpy(u.ut_line, VT_Line);
+ fstrcpy(u.ut_line, VT_Line);
if((v = getutline(&u)) == NULL) {
if(strncmp(VT_Line, "tty", 3) == 0)
else
tt = VT_Line;
- strcpy(u.ut_id, tt);
+ fstrcpy(u.ut_id, tt);
u.ut_time = time((time_t*)0);
}
- strcpy(u.ut_user, "LOGIN");
- strcpy(u.ut_line, VT_Line);
+ fstrcpy(u.ut_user, "LOGIN");
+ fstrcpy(u.ut_line, VT_Line);
u.ut_pid = getpid();
u.ut_type = LOGIN_PROCESS;
pututline(&u);
if(VT_Line != NULL) {
setutent();
- strcpy(u.ut_line, VT_Line);
+ fstrcpy(u.ut_line, VT_Line);
if((v = getutline(&u)) != NULL) {
- strcpy(v->ut_user, "");
+ fstrcpy(v->ut_user, "");
v->ut_type = DEAD_PROCESS;
v->ut_time = time((time_t*)0);
pututline(v);
got_bcast = True;
break;
case 'i':
- strcpy(scope,optarg);
+ fstrcpy(scope,optarg);
strupper(scope);
break;
case 'M':
DEBUGLEVEL = atoi(optarg);
break;
case 's':
- strcpy(servicesf, optarg);
+ pstrcpy(servicesf, optarg);
break;
case 'h':
usage();
char *p;
struct in_addr ip;
- strcpy(lookup,argv[i]);
+ fstrcpy(lookup,argv[i]);
if (find_master) {
if (*lookup == '-') {