summaryrefslogtreecommitdiffstats
path: root/source3/smbd/nttrans.c
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2002-04-16 06:15:28 +0000
committerAndrew Tridgell <tridge@samba.org>2002-04-16 06:15:28 +0000
commite7b729e0d9d6264e85be042b16aa6aee0648fcfd (patch)
tree8afa07d1e9341ee1fd701ec0d1bbdb7a5dab8d12 /source3/smbd/nttrans.c
parenta95d731fa496db9bf4f8173b0661fe080c1bcaed (diff)
downloadsamba-e7b729e0d9d6264e85be042b16aa6aee0648fcfd.tar.gz
samba-e7b729e0d9d6264e85be042b16aa6aee0648fcfd.tar.xz
samba-e7b729e0d9d6264e85be042b16aa6aee0648fcfd.zip
make sure we don't walk past the end of the current SMB buffer when
pulling a string this might explain a serious filename corruption bug that Quantum QA spotted (This used to be commit a877eae24becad9e0cd5b33ffe0916a20d5ba227)
Diffstat (limited to 'source3/smbd/nttrans.c')
-rw-r--r--source3/smbd/nttrans.c17
1 files changed, 8 insertions, 9 deletions
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index edee14513c8..4dec0069f85 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -502,7 +502,7 @@ static int do_ntcreate_pipe_open(connection_struct *conn,
int pnum = -1;
char *p = NULL;
- srvstr_pull(inbuf, fname, smb_buf(inbuf), sizeof(fname), -1, STR_TERMINATE);
+ srvstr_pull_buf(inbuf, fname, smb_buf(inbuf), sizeof(fname), STR_TERMINATE);
if ((ret = nt_open_pipe(fname, conn, inbuf, outbuf, &pnum)) != 0)
return ret;
@@ -609,7 +609,7 @@ int reply_ntcreate_and_X(connection_struct *conn,
* Check to see if this is a mac fork of some kind.
*/
- srvstr_pull(inbuf, fname, smb_buf(inbuf), sizeof(fname), -1, STR_TERMINATE);
+ srvstr_pull_buf(inbuf, fname, smb_buf(inbuf), sizeof(fname), STR_TERMINATE);
if( strchr_m(fname, ':')) {
END_PROFILE(SMBntcreateX);
@@ -635,10 +635,9 @@ int reply_ntcreate_and_X(connection_struct *conn,
dir_name_len++;
}
- srvstr_pull(inbuf, &fname[dir_name_len], smb_buf(inbuf), sizeof(fname)-dir_name_len,
- -1, STR_TERMINATE);
+ srvstr_pull_buf(inbuf, &fname[dir_name_len], smb_buf(inbuf), sizeof(fname)-dir_name_len, STR_TERMINATE);
} else {
- srvstr_pull(inbuf, fname, smb_buf(inbuf), sizeof(fname), -1, STR_TERMINATE);
+ srvstr_pull_buf(inbuf, fname, smb_buf(inbuf), sizeof(fname), STR_TERMINATE);
}
/*
@@ -880,7 +879,7 @@ static int do_nt_transact_create_pipe( connection_struct *conn,
return ERROR_DOS(ERRDOS,ERRbadaccess);
}
- srvstr_pull(inbuf, fname, params+53, sizeof(fname), -1, STR_TERMINATE);
+ srvstr_pull(inbuf, fname, params+53, sizeof(fname), total_parameter_count-53, STR_TERMINATE);
if ((ret = nt_open_pipe(fname, conn, inbuf, outbuf, &pnum)) != 0)
return ret;
@@ -1096,7 +1095,7 @@ static int call_nt_transact_create(connection_struct *conn,
* Check to see if this is a mac fork of some kind.
*/
- srvstr_pull(inbuf, fname, params+53, sizeof(fname), -1, STR_TERMINATE);
+ srvstr_pull(inbuf, fname, params+53, sizeof(fname), total_parameter_count-53, STR_TERMINATE);
if( strchr_m(fname, ':')) {
return ERROR_NT(NT_STATUS_OBJECT_PATH_NOT_FOUND);
@@ -1122,9 +1121,9 @@ static int call_nt_transact_create(connection_struct *conn,
}
srvstr_pull(inbuf, &fname[dir_name_len], params+53, sizeof(fname)-dir_name_len,
- -1, STR_TERMINATE);
+ total_parameter_count-53, STR_TERMINATE);
} else {
- srvstr_pull(inbuf, fname, params+53, sizeof(fname), -1, STR_TERMINATE);
+ srvstr_pull(inbuf, fname, params+53, sizeof(fname), total_parameter_count-53, STR_TERMINATE);
}
/*