author | Andrew Tridgell <tridge@samba.org> | 2002-04-16 06:15:28 +0000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2002-04-16 06:15:28 +0000 |
commit | e7b729e0d9d6264e85be042b16aa6aee0648fcfd (patch) | |
tree | 8afa07d1e9341ee1fd701ec0d1bbdb7a5dab8d12 /source3/smbd/nttrans.c | |
parent | a95d731fa496db9bf4f8173b0661fe080c1bcaed (diff) | |
make sure we don't walk past the end of the current SMB buffer when
pulling a string
this might explain a serious filename corruption bug that Quantum QA spotted
(This used to be commit a877eae24becad9e0cd5b33ffe0916a20d5ba227)
Diffstat (limited to 'source3/smbd/nttrans.c')
-rw-r--r-- | source3/smbd/nttrans.c | 17 |
1 files changed, 8 insertions, 9 deletions
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index edee14513c8..4dec0069f85 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -502,7 +502,7 @@ static int do_ntcreate_pipe_open(connection_struct *conn, int pnum = -1; char *p = NULL; - srvstr_pull(inbuf, fname, smb_buf(inbuf), sizeof(fname), -1, STR_TERMINATE); + srvstr_pull_buf(inbuf, fname, smb_buf(inbuf), sizeof(fname), STR_TERMINATE); if ((ret = nt_open_pipe(fname, conn, inbuf, outbuf, &pnum)) != 0) return ret; @@ -609,7 +609,7 @@ int reply_ntcreate_and_X(connection_struct *conn, * Check to see if this is a mac fork of some kind. */ - srvstr_pull(inbuf, fname, smb_buf(inbuf), sizeof(fname), -1, STR_TERMINATE); + srvstr_pull_buf(inbuf, fname, smb_buf(inbuf), sizeof(fname), STR_TERMINATE); if( strchr_m(fname, ':')) { END_PROFILE(SMBntcreateX); @@ -635,10 +635,9 @@ int reply_ntcreate_and_X(connection_struct *conn, dir_name_len++; } - srvstr_pull(inbuf, &fname[dir_name_len], smb_buf(inbuf), sizeof(fname)-dir_name_len, - -1, STR_TERMINATE); + srvstr_pull_buf(inbuf, &fname[dir_name_len], smb_buf(inbuf), sizeof(fname)-dir_name_len, STR_TERMINATE); } else { - srvstr_pull(inbuf, fname, smb_buf(inbuf), sizeof(fname), -1, STR_TERMINATE); + srvstr_pull_buf(inbuf, fname, smb_buf(inbuf), sizeof(fname), STR_TERMINATE); } /* @@ -880,7 +879,7 @@ static int do_nt_transact_create_pipe( connection_struct *conn, return ERROR_DOS(ERRDOS,ERRbadaccess); } - srvstr_pull(inbuf, fname, params+53, sizeof(fname), -1, STR_TERMINATE); + srvstr_pull(inbuf, fname, params+53, sizeof(fname), total_parameter_count-53, STR_TERMINATE); if ((ret = nt_open_pipe(fname, conn, inbuf, outbuf, &pnum)) != 0) return ret; 
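Review bot: The limit that `srvstr_pull_buf` applies is not visible at the call in do_ntcreate_pipe_open, and the helper's definition is outside this diff (which is limited to nttrans.c), so a reader cannot tell how far the pull may read from `smb_buf(inbuf)`. A short comment above the call would carry that, e.g. `/* source length is limited to what remains of inbuf's data area */`. If the helper derives that limit from the byte count declared in the request rather than from the number of bytes actually received, the declared count must already have been validated against the received packet length; that is worth confirming in the helper. The same applies to the `srvstr_pull_buf` calls in the reply_ntcreate_and_X hunks at 609 and 635. The enclosing function continues outside the hunk.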
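Review bot: Nothing in the hunk at 635 establishes that `dir_name_len` is smaller than `sizeof(fname)` before `sizeof(fname)-dir_name_len` is passed as the destination size in reply_ntcreate_and_X. The new call bounds the source, but if `dir_name_len` can reach or exceed the buffer size after the `dir_name_len++` shown just above, the subtraction yields zero or wraps, because `sizeof` is unsigned. The code that computes `dir_name_len` starts outside the hunk, so this may already be guaranteed; if it is not, a guard before the pull such as `if (dir_name_len >= sizeof(fname)) { END_PROFILE(SMBntcreateX); return ERROR_DOS(ERRDOS,ERRbadpath); }` would close it. The hunk at 1122 in call_nt_transact_create passes the same expression.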
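Review bot: The source length `total_parameter_count-53` in do_nt_transact_create_pipe becomes zero, negative, or (if the count is unsigned) very large when the client-declared parameter count is 53 or less, and the removed lines show that `-1` in this argument position meant "no limit", so a short request could bring back the unbounded read this commit removes. The `return ERROR_DOS(ERRDOS,ERRbadaccess);` just above the call looks like the tail of a minimum-size check, but its condition is outside the hunk, and the hunks at 1096 and 1122 in call_nt_transact_create show no such check at all. Each function should reject short requests before the pull, e.g. `if (total_parameter_count < 54) return ERROR_DOS(ERRDOS,ERRbadaccess);`. The repeated literal 53 would also read better as a named constant for the offset of the file name within the parameter block.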
@@ -1096,7 +1095,7 @@ static int call_nt_transact_create(connection_struct *conn, * Check to see if this is a mac fork of some kind. */ - srvstr_pull(inbuf, fname, params+53, sizeof(fname), -1, STR_TERMINATE); + srvstr_pull(inbuf, fname, params+53, sizeof(fname), total_parameter_count-53, STR_TERMINATE); if( strchr_m(fname, ':')) { return ERROR_NT(NT_STATUS_OBJECT_PATH_NOT_FOUND); @@ -1122,9 +1121,9 @@ static int call_nt_transact_create(connection_struct *conn, } srvstr_pull(inbuf, &fname[dir_name_len], params+53, sizeof(fname)-dir_name_len, - -1, STR_TERMINATE); + total_parameter_count-53, STR_TERMINATE); } else { - srvstr_pull(inbuf, fname, params+53, sizeof(fname), -1, STR_TERMINATE); + srvstr_pull(inbuf, fname, params+53, sizeof(fname), total_parameter_count-53, STR_TERMINATE); } /* |