summaryrefslogtreecommitdiffstats
path: root/source/nmbd
diff options
context:
space:
mode:
Diffstat (limited to 'source/nmbd')
-rw-r--r--source/nmbd/nmbd_browsesync.c2
-rw-r--r--source/nmbd/nmbd_elections.c2
-rw-r--r--source/nmbd/nmbd_incomingdgrams.c18
-rw-r--r--source/nmbd/nmbd_packets.c6
-rw-r--r--source/nmbd/nmbd_processlogon.c38
-rw-r--r--source/nmbd/nmbd_sendannounce.c2
6 files changed, 37 insertions, 31 deletions
diff --git a/source/nmbd/nmbd_browsesync.c b/source/nmbd/nmbd_browsesync.c
index 9535a3115a6..54d02aac352 100644
--- a/source/nmbd/nmbd_browsesync.c
+++ b/source/nmbd/nmbd_browsesync.c
@@ -125,7 +125,7 @@ static void announce_local_master_browser_to_domain_master_browser( struct work_
/* The call below does CH_UNIX -> CH_DOS conversion. JRA */
push_pstring_base(p, myname, outbuf);
- p = skip_string(p,1);
+ p = skip_string(outbuf,sizeof(outbuf),p);
if( DEBUGLVL( 4 ) ) {
dbgtext( "announce_local_master_browser_to_domain_master_browser:\n" );
diff --git a/source/nmbd/nmbd_elections.c b/source/nmbd/nmbd_elections.c
index 3aadd70b83c..eb6f1b6e0aa 100644
--- a/source/nmbd/nmbd_elections.c
+++ b/source/nmbd/nmbd_elections.c
@@ -53,7 +53,7 @@ static void send_election_dgram(struct subnet_record *subrec, const char *workgr
strupper_m(srv_name);
/* The following call does UNIX -> DOS charset conversion. */
pstrcpy_base(p, srv_name, outbuf);
- p = skip_string(p,1);
+ p = skip_string(outbuf,sizeof(outbuf),p);
send_mailslot(False, BROWSE_MAILSLOT, outbuf, PTR_DIFF(p,outbuf),
global_myname(), 0,
diff --git a/source/nmbd/nmbd_incomingdgrams.c b/source/nmbd/nmbd_incomingdgrams.c
index 880700c72cb..4f3b3d3a7b4 100644
--- a/source/nmbd/nmbd_incomingdgrams.c
+++ b/source/nmbd/nmbd_incomingdgrams.c
@@ -416,7 +416,7 @@ done:
Process an incoming LanMan host announcement packet.
*******************************************************************/
-void process_lm_host_announce(struct subnet_record *subrec, struct packet_struct *p, char *buf)
+void process_lm_host_announce(struct subnet_record *subrec, struct packet_struct *p, char *buf, int len)
{
struct dgram_packet *dgram = &p->packet.dgram;
uint32 servertype = IVAL(buf,1);
@@ -429,10 +429,16 @@ void process_lm_host_announce(struct subnet_record *subrec, struct packet_struct
unstring work_name;
unstring source_name;
fstring comment;
- char *s = buf+9;
+ char *s = get_safe_str_ptr(buf,len,buf,9);
START_PROFILE(lm_host_announce);
- s = skip_string(s,1);
+ if (!s) {
+ goto done;
+ }
+ s = skip_string(buf,len,s);
+ if (!s) {
+ goto done;
+ }
pull_ascii(comment, s, sizeof(fstring), 43, STR_TERMINATE);
pull_ascii_nstring(announce_name,sizeof(announce_name),buf+9);
@@ -568,7 +574,7 @@ static void send_backup_list_response(struct subnet_record *subrec,
myname[15]='\0';
push_pstring_base(p, myname, outbuf);
- p = skip_string(p,1);
+ p = skip_string(outbuf,sizeof(outbuf),p);
/* Look for backup browsers in this workgroup. */
@@ -604,7 +610,7 @@ static void send_backup_list_response(struct subnet_record *subrec,
DEBUG(5,("send_backup_list_response: Adding server %s number %d\n",
p, count));
- p = skip_string(p,1);
+ p = skip_string(outbuf,sizeof(outbuf),p);
}
#endif
@@ -809,7 +815,7 @@ done:
through the "lm announce" parameter in smb.conf)
******************************************************************/
-void process_lm_announce_request(struct subnet_record *subrec, struct packet_struct *p, char *buf)
+void process_lm_announce_request(struct subnet_record *subrec, struct packet_struct *p, char *buf, int len)
{
struct dgram_packet *dgram = &p->packet.dgram;
unstring workgroup_name;
diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c
index 89362392fe7..87a38b9d2a1 100644
--- a/source/nmbd/nmbd_packets.c
+++ b/source/nmbd/nmbd_packets.c
@@ -1153,10 +1153,10 @@ mismatch with our scope (%s).\n", inet_ntoa(p->ip), scope, global_scope()));
switch (command) {
case ANN_HostAnnouncement:
debug_browse_data(buf, len);
- process_lm_host_announce(subrec, p, buf+1);
+ process_lm_host_announce(subrec, p, buf+1, len > 1 ? len-1 : 0);
break;
case ANN_AnnouncementRequest:
- process_lm_announce_request(subrec, p, buf+1);
+ process_lm_announce_request(subrec, p, buf+1, len > 1 ? len-1 : 0);
break;
default:
DEBUG(0,("process_lanman_packet: On subnet %s ignoring browse packet \
@@ -1899,7 +1899,7 @@ BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf, size_t len,
SSVAL(ptr,smb_vwv16,2);
p2 = smb_buf(ptr);
safe_strcpy_base(p2, mailslot, dgram->data, sizeof(dgram->data));
- p2 = skip_string(p2,1);
+ p2 = skip_string(ptr,MAX_DGRAM_SIZE,p2);
if (((p2+len) > dgram->data+sizeof(dgram->data)) || ((p2+len) < p2)) {
DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n"));
diff --git a/source/nmbd/nmbd_processlogon.c b/source/nmbd/nmbd_processlogon.c
index 4a8d1db51db..1672b039792 100644
--- a/source/nmbd/nmbd_processlogon.c
+++ b/source/nmbd/nmbd_processlogon.c
@@ -91,7 +91,7 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
pstrcpy(my_name, global_myname());
- code = SVAL(buf,0);
+ code = get_safe_SVAL(buf,len,buf,0,-1);
DEBUG(4,("process_logon_packet: Logon from %s: code = 0x%x\n", inet_ntoa(p->ip), code));
switch (code) {
@@ -100,21 +100,21 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
fstring mach_str, user_str, getdc_str;
char *q = buf + 2;
char *machine = q;
- char *user = skip_string(machine,1);
+ char *user = skip_string(buf,len,machine);
- if (PTR_DIFF(user, buf) >= len) {
+ if (!user || PTR_DIFF(user, buf) >= len) {
DEBUG(0,("process_logon_packet: bad packet\n"));
return;
}
- getdc = skip_string(user,1);
+ getdc = skip_string(buf,len,user);
- if (PTR_DIFF(getdc, buf) >= len) {
+ if (!getdc || PTR_DIFF(getdc, buf) >= len) {
DEBUG(0,("process_logon_packet: bad packet\n"));
return;
}
- q = skip_string(getdc,1);
+ q = skip_string(buf,len,getdc);
- if (PTR_DIFF(q + 5, buf) > len) {
+ if (!q || PTR_DIFF(q + 5, buf) > len) {
DEBUG(0,("process_logon_packet: bad packet\n"));
return;
}
@@ -136,7 +136,7 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
fstrcpy(reply_name, "\\\\");
fstrcat(reply_name, my_name);
push_ascii_fstring(q, reply_name);
- q = skip_string(q, 1); /* PDC name */
+ q = skip_string(outbuf,sizeof(outbuf),q); /* PDC name */
SSVAL(q, 0, token);
q += 2;
@@ -164,15 +164,15 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
return;
}
- getdc = skip_string(machine,1);
+ getdc = skip_string(buf,len,machine);
- if (PTR_DIFF(getdc, buf) >= len) {
+ if (!getdc || PTR_DIFF(getdc, buf) >= len) {
DEBUG(0,("process_logon_packet: bad packet\n"));
return;
}
- q = skip_string(getdc,1);
+ q = skip_string(buf,len,getdc);
- if (PTR_DIFF(q, buf) >= len) {
+ if (!q || PTR_DIFF(q, buf) >= len) {
DEBUG(0,("process_logon_packet: bad packet\n"));
return;
}
@@ -232,7 +232,7 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
fstrcpy(reply_name,my_name);
push_ascii_fstring(q, reply_name);
- q = skip_string(q, 1); /* PDC name */
+ q = skip_string(outbuf,sizeof(outbuf),q); /* PDC name */
/* PDC and domain name */
if (!short_request) {
@@ -301,9 +301,9 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
return;
}
- q = skip_string(getdc,1);
+ q = skip_string(buf,len,getdc);
- if (PTR_DIFF(q + 8, buf) >= len) {
+ if (!q || PTR_DIFF(q + 8, buf) >= len) {
DEBUG(0,("process_logon_packet: bad packet\n"));
return;
}
@@ -540,16 +540,16 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
/* Domain info */
- q = skip_string(q, 1); /* PDC name */
+ q = skip_string(buf,len,q); /* PDC name */
- if (PTR_DIFF(q, buf) >= len) {
+ if (!q || PTR_DIFF(q, buf) >= len) {
DEBUG(0,("process_logon_packet: bad packet\n"));
return;
}
- q = skip_string(q, 1); /* Domain name */
+ q = skip_string(buf,len,q); /* Domain name */
- if (PTR_DIFF(q, buf) >= len) {
+ if (!q || PTR_DIFF(q, buf) >= len) {
DEBUG(0,("process_logon_packet: bad packet\n"));
return;
}
diff --git a/source/nmbd/nmbd_sendannounce.c b/source/nmbd/nmbd_sendannounce.c
index 7fcedc557ee..e2dc130463c 100644
--- a/source/nmbd/nmbd_sendannounce.c
+++ b/source/nmbd/nmbd_sendannounce.c
@@ -566,7 +566,7 @@ for workgroup %s on subnet %s.\n", lp_workgroup(), FIRST_SUBNET->subnet_name ));
myname[15]='\0';
push_pstring_base(p, myname, outbuf);
- p = skip_string(p,1);
+ p = skip_string(outbuf,sizeof(outbuf),p);
for (ptr=s; next_token(&ptr,s2,NULL,sizeof(s2)); ) {
/* The entries are of the form a.b.c.d */
generated by cgit (git 2.34.1) at 2024-06-24 22:48:40 +0000