Index: nmbd/nmbd_packets.c
===================================================================
RCS file: /work/cvs/tng/source/nmbd/nmbd_packets.c,v
retrieving revision 1.17
diff -u -p -r1.17 nmbd_packets.c
--- nmbd/nmbd_packets.c	24 Nov 2007 20:45:55 -0000	1.17
+++ nmbd/nmbd_packets.c	2 Dec 2007 22:13:49 -0000
@@ -1916,7 +1916,8 @@ BOOL listen_for_packets(BOOL run_electio
 /****************************************************************************
 Construct and send a netbios DGRAM.
 **************************************************************************/
-BOOL send_mailslot(BOOL unique, char *mailslot,char *buf,int len,
+BOOL send_mailslot(BOOL unique, const char *mailslot,
+		const char *buf, size_t len,
 		char *srcname, int src_type,
 		char *dstname, int dest_type,
 		struct in_addr dest_ip,struct in_addr src_ip,
@@ -1969,7 +1970,12 @@ BOOL send_mailslot(BOOL unique, char *ma
 	pstrcpy(p2,mailslot);
 	p2 = skip_string(p2,1);
 
-	memcpy(p2,buf,len);
+	if (len > (MAX_DGRAM_SIZE - PTR_DIFF(p2, dgram->data)))
+	{
+		DEBUG(0, ("%s: Possible bufferoverflow, erroring out\n", __func__));
+		return False;
+	}
+	memcpy(p2, buf, len);
 	p2 += len;
 
 	dgram->datasize = PTR_DIFF(p2,ptr+4); /* +4 for tcp length. */
Index: nmbd/nmbd_processlogon.c
===================================================================
RCS file: /work/cvs/tng/source/nmbd/nmbd_processlogon.c,v
retrieving revision 1.12
diff -u -p -r1.12 nmbd_processlogon.c
--- nmbd/nmbd_processlogon.c	8 Feb 2005 10:52:37 -0000	1.12
+++ nmbd/nmbd_processlogon.c	2 Dec 2007 22:18:05 -0000
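Review bot: The new guard in the second hunk compares the unsigned `len` against `MAX_DGRAM_SIZE - PTR_DIFF(p2, dgram->data)`, which is signed if PTR_DIFF keeps its usual ptrdiff_t definition; should the name and mailslot copies above have already carried p2 past the end of `dgram->data`, the negative remainder converts to a very large size_t and the check passes. Computing the consumed space first keeps the arithmetic non-negative: `size_t used = PTR_DIFF(p2, dgram->data); if (used > MAX_DGRAM_SIZE || len > MAX_DGRAM_SIZE - used) { ... }` — this assumes `dgram->data` is MAX_DGRAM_SIZE bytes, which the hunk does not show. The DEBUG line would also help operators more if it carried the sizes involved, e.g. `DEBUG(0, ("%s: %lu bytes of mailslot data do not fit in the datagram\n", __func__, (unsigned long)len));`, and "bufferoverflow" should be two words. send_mailslot's body continues outside both hunks.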
@@ -28,9 +28,15 @@
 #include "includes.h"
 #include "libsamba.h"
 #include "byteorder.h"
+#include "tng_misc.h"
 #include "nmbd.h"
 
 
+#define SIZE_NOSPACELEFT(buffer, buffersize, pointer, needed) \
+	(((const char *) (pointer)) \
+	 >= (((const char *) (buffer)) + buffersize - needed))
+
+
 /****************************************************************************
 Send a message to smbd to do a sam delta sync
 **************************************************************************/
@@ -46,8 +52,8 @@ static void send_repl_message(uint32 low
 Process a domain logon packet
 **************************************************************************/
-void process_logon_packet(struct packet_struct *p,char *buf,int len,
-		char *mailslot)
+void process_logon_packet(struct packet_struct *p, char *buf, size_t len,
+		const char *mailslot)
 {
 	struct dgram_packet *dgram = &p->packet.dgram;
 	pstring my_name;
@@ -94,8 +100,6 @@ logons are not enabled.\n", inet_ntoa(p-
 	q = skip_string(getdc,1);
 	token = SVAL(q,3);
 
-	fstrcpy(reply_name,my_name);
-
 	DEBUG(3,("process_logon_packet: Domain login request from %s at IP %s user=%s token=%x\n",
 		machine,inet_ntoa(p->ip),user,token));
 
@@ -105,7 +109,8 @@ logons are not enabled.\n", inet_ntoa(p-
 	fstrcpy(reply_name, "\\\\");
 	fstrcat(reply_name, my_name);
 
-	fstrcpy(q, reply_name); q = skip_string(q, 1); /* PDC name */
+	q += safe_strcpy(q, reply_name, sizeof(outbuf) - 2 - PTR_DIFF(q, outbuf))
+		+ 1;
 
 	SSVAL(q, 0, token); q += 2;
 
@@ -154,7 +159,7 @@ logons are not enabled.\n", inet_ntoa(p-
 		get additional data - a length specificed string containing the domain name,
 		then 16 bytes of data (no idea what it is) */
 
-		int dom_len = CVAL(q, 0);
+		int dom_len = CVALCONST(q, 0);
 		q++;
 		if (dom_len != 0) {
 			q += dom_len + 1;
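Review bot: SIZE_NOSPACELEFT leaves `buffersize` and `needed` unparenthesized in its expansion, so an argument such as `a + b` for `needed` would silently change the arithmetic; the last line should read `>= (((const char *) (buffer)) + (buffersize) - (needed)))`. The `>=` also reports "no space" when exactly `needed` bytes remain, which is conservative rather than wrong, but the callers later in this file write exactly 8 bytes after asking for 8, so a reply that would just fit is refused. If that margin is intended, a one-line comment above the macro, `/* true unless strictly more than 'needed' bytes remain after 'pointer' */`, would keep a later reader from "fixing" it.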
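Review bot: The new `q += safe_strcpy(...) + 1` in the hunk at @@ -105 (and the same form at @@ -172) only advances q correctly if this tree's safe_strcpy returns the number of characters copied; Samba's lib/util_str.c version returns `dest`, which would not compile in this expression, so presumably the length-returning variant comes from the newly included tng_misc.h — worth confirming against its prototype. When the name is truncated the reply is still sent with a shortened PDC name and nothing is logged; a DEBUG at that point, or a `return`, would make the condition visible to whoever runs the daemon. The `- 2` is a magic number: `/* -2: keep room for the 2-byte token stored right after the name */` above the call would explain it.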
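Review bot: In the hunk at @@ -154, `dom_len` is a byte taken from the received packet and `q += dom_len + 1` then skips up to 256 bytes with no comparison against `len`, so q can move past the end of `buf` before the reads that follow; the commit leaves this as it was, while the parallel path at @@ -236 at least attempts such a check. Guard the read with `if (PTR_DIFF(q, buf) >= len) return;` before `CVALCONST(q, 0)`, and bound the skip the same way as the other path: `if (dom_len != 0 && dom_len < len - PTR_DIFF(q, buf)) q += dom_len + 1; else return;`. The enclosing case body begins and ends outside the hunk, so the reads after `q += 16` are not visible here.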
@@ -172,17 +177,21 @@ logons are not enabled.\n", inet_ntoa(p-
 	q += 2;
 
 	fstrcpy(reply_name,my_name);
-	fstrcpy(q, reply_name);
-	q = skip_string(q, 1); /* PDC name */
+	q += safe_strcpy(q, reply_name, sizeof(outbuf) - 2 - PTR_DIFF(q, outbuf))
+		+ 1; /* PDC and domain name */
 
 	if (!short_request) /* Make a full reply */
 	{
 		q = ALIGN2(q, outbuf);
 
-		q += dos_PutUniCode(q, my_name, sizeof(pstring), True); /* PDC name */
-		q += dos_PutUniCode(q, global_myworkgroup,sizeof(pstring), True); /* Domain name*/
+		q += dos_PutUniCode(q, my_name,
+				sizeof(outbuf) - PTR_DIFF(q, outbuf), True); /* PDC name */
+		q += dos_PutUniCode(q, global_myworkgroup,
+				sizeof(outbuf) - PTR_DIFF(q, outbuf), True); /* Domain name*/
+		if (SIZE_NOSPACELEFT(outbuf, sizeof(outbuf), q, 8))
+			return;
 
 		SIVAL(q, 0, 1); /* our nt version */
 		SSVAL(q, 4, 0xffff); /* our lmnttoken */
 		SSVAL(q, 6, 0xffff); /* our lm20token */
@@ -236,11 +245,11 @@ reporting %s domain %s 0x%x ntversion=%x
 		get additional data - a length specificed string containing the domain name,
 		then 16 bytes of data (no idea what it is) */
 
-		int dom_len = CVAL(q, 0);
+		int dom_len = CVALCONST(q, 0);
 		q++;
-		if (dom_len < (len - PTR_DIFF(q, buf)) && (dom_len != 0)) {
+		if (dom_len < (len - PTR_DIFF(q, buf))
+		    && (dom_len != 0))
 			q += dom_len + 1;
-		}
 		q += 16;
 	}
 
@@ -278,10 +287,15 @@ reporting %s domain %s 0x%x ntversion=%x
 	}
 	q += 2;
 
-	q += dos_PutUniCode(q, reply_name,sizeof(pstring), True);
-	q += dos_PutUniCode(q, ascuser, sizeof(pstring), True);
-	q += dos_PutUniCode(q, global_myworkgroup,sizeof(pstring), True);
+	q += dos_PutUniCode(q, reply_name,
+			sizeof(outbuf) - PTR_DIFF(q, outbuf), True);
+	q += dos_PutUniCode(q, ascuser,
+			sizeof(outbuf) - PTR_DIFF(q, outbuf), True);
+	q += dos_PutUniCode(q, global_myworkgroup,
+			sizeof(outbuf) - PTR_DIFF(q, outbuf), True);
+	if (SIZE_NOSPACELEFT(outbuf, sizeof(outbuf), q, 8))
+		return;
 
 	/* tell the client what version we are */
 	SIVAL(q, 0, 1); /* our ntversion */
 	SSVAL(q, 4, 0xffff); /* our lmnttoken */
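Review bot: The `if (SIZE_NOSPACELEFT(...)) return;` added in the first hunk (and again at @@ -278) drops the reply without any log line, so a client that never gets an answer leaves no trace on the server side; a `DEBUG(2, ("process_logon_packet: reply to %s does not fit, not sent\n", inet_ntoa(p->ip)));` before each `return` would make that diagnosable. The trailing comment on the safe_strcpy line, `/* PDC and domain name */`, describes more than the line does: only `reply_name`, which was just set from `my_name`, is copied there, so the old `/* PDC name */` was accurate. Both the QUERY_FOR_PDC and the later case body extend beyond the hunks shown.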
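Review bot: With `len` now a size_t (signature change at @@ -46), the comparison `dom_len < (len - PTR_DIFF(q, buf))` in the second hunk is done in unsigned arithmetic: if q has already advanced beyond `buf + len` — the string parsing before this point is outside the hunk and not visibly bounded — the subtraction wraps to a very large value and the test admits any `dom_len`. Checking the offset first closes that gap: `if (PTR_DIFF(q, buf) >= len) return;` ahead of `CVALCONST(q, 0)`, with the existing comparison kept as it is. Dropping the braces around the single-statement body also moves away from the always-brace style used elsewhere in this function and invites the dangling-statement mistake on the next edit; I would keep the `{ }`.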
@@ -302,8 +316,9 @@ reporting %s domain %s 0x%x ntversion=%x
 	/* Announce change to UAS or SAM. Send by the domain controller when a
 	   replication event is required. */
 
-	case SAM_UAS_CHANGE: {
-		char *q = buf + 2;
+	case SAM_UAS_CHANGE:
+	{
+		const char *q = buf + 2;
 		uint32 low_serial;
 
 		/* Header */