ensure we don't change the incoming blobs in a SMB2 create
authorAndrew Tridgell <tridge@samba.org>
Wed, 28 May 2008 06:58:34 +0000 (16:58 +1000)
committerAndrew Tridgell <tridge@samba.org>
Wed, 28 May 2008 06:58:34 +0000 (16:58 +1000)
(This used to be commit a6cc89fffe8c149b540f2125cea57f31331d5460)

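--- a/source4/libcli/smb2/create.c
+++ b/source4/libcli/smb2/create.c
@@ -59,6 +59,7 @@ NTSTATUS smb2_create_blob_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB buffer,
                    next > remaining ||
                    name_offset < 16 ||
                    name_offset > remaining ||
+                   name_length != 4 || /* windows enforces this */
                    name_offset + name_length > remaining ||
                    data_offset < name_offset + name_length ||
                    data_offset > remaining ||
@@ -190,7 +191,10 @@ struct smb2_request *smb2_create_send(struct smb2_tree *tree, struct smb2_create
        struct smb2_request *req;
        NTSTATUS status;
        DATA_BLOB blob;
-       struct smb2_create_blobs blobs = io->in.blobs;
+       struct smb2_create_blobs blobs;
+       int i;
+
+       ZERO_STRUCT(blobs);
 
        req = smb2_request_init_tree(tree, SMB2_OP_CREATE, 0x38, true, 0);
        if (req == NULL) return NULL;
@@ -309,6 +313,17 @@ struct smb2_request *smb2_create_send(struct smb2_tree *tree, struct smb2_create
        }
 
        /* and any custom blobs */
+       for (i=0;i<io->in.blobs.num_blobs;i++) {
+               status = smb2_create_blob_add(req, &blobs,
+                                             io->in.blobs.blobs[i].tag, 
+                                             io->in.blobs.blobs[i].data);
+               if (!NT_STATUS_IS_OK(status)) {
+                       talloc_free(req);
+                       return NULL;
+               }
+       }
+
+
        status = smb2_create_blob_push(req, &blob, blobs);
        if (!NT_STATUS_IS_OK(status)) {
                talloc_free(req);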
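Review bot: The added `name_length != 4` test in smb2_create_blob_parse hard-codes a four-byte tag length for every create context read off the wire, and the comment `/* windows enforces this */` records neither which Windows behaviour was observed nor what the parser does on a mismatch. The enclosing condition starts and ends outside the hunk, so the failure path is not visible here, but it presumably rejects the whole blob buffer; as far as I know MS-SMB2 does not itself limit NameLength to 4, so a peer sending a longer tag would have the entire create request or response refused rather than that one context skipped. I would expand the comment to something like `/* Windows rejects create contexts whose tag is not 4 bytes; we fail the whole buffer to match */` and confirm that this strictness is intended. In the smb2_create_send loop, `int i` is compared against `io->in.blobs.num_blobs`, whose type is not shown; if it is unsigned, declaring `uint32_t i;` avoids the mixed-sign comparison.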