Rework parinioa to ensure we never get passwords longer than MAX_PASS_LEN, nor

longer than the buffer they claim to be in.

Many thanks to tridge for explaining the macros.

Andrew Bartlett
(This used to be commit 3efd462bf2f1ed50c108c2b8ddecc461d002745d)

diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 71ca7dda52af371baeb44ed8f2c2be17d031dc64..deab1015f5df37d1e39b283696d6f709e8055b74 100644 (file)
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -630,14 +630,10 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
 
        if (Protocol < PROTOCOL_NT1) {
                uint16 passlen1 = SVAL(inbuf,smb_vwv7);
-               if (passlen1 > MAX_PASS_LEN) {
-                       return ERROR_DOS(ERRDOS,ERRbuftoosmall);
-               }
-
-               if (passlen1 > smb_buflen(inbuf)) {
+               if ((passlen1 > MAX_PASS_LEN) || (passlen1 > smb_bufrem(inbuf, smb_buf(inbuf)))) {
                        return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
                }
-               
+
                if (doencrypt) {
                        lm_resp = data_blob(smb_buf(inbuf), passlen1);
                } else {
@@ -669,13 +665,6 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
                        }
                }
                
-               if (passlen1 > MAX_PASS_LEN) {
-                       return ERROR_DOS(ERRDOS,ERRbuftoosmall);
-               }
-
-               passlen1 = MIN(passlen1, MAX_PASS_LEN);
-               passlen2 = MIN(passlen2, MAX_PASS_LEN);
-
                if (!doencrypt) {
                        /* both Win95 and WinNT stuff up the password lengths for
                           non-encrypting systems. Uggh. 
@@ -693,17 +682,21 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
                                passlen2 = 0;
                }
                
+               /* check for nasty tricks */
+               if (passlen1 > MAX_PASS_LEN || passlen1 > smb_bufrem(inbuf, p)) {
+                       return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+               }
+
+               if (passlen2 > MAX_PASS_LEN || passlen2 > smb_bufrem(inbuf, p+passlen1)) {
+                       return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+               }
+
                /* Save the lanman2 password and the NT md4 password. */
                
                if ((doencrypt) && (passlen1 != 0) && (passlen1 != 24)) {
                        doencrypt = False;
                }
 
-               /* check for nasty tricks */
-               if (passlen1 > smb_buflen(inbuf) || passlen2 > smb_buflen(inbuf)) {
-                       return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
-               }
-               
                if (doencrypt) {
                        lm_resp = data_blob(p, passlen1);
                        nt_resp = data_blob(p+passlen1, passlen2);