
Merged patch to prevent SMB buffer overrun

Merged the patch provided by an open-source contributor
which strengthens the range checks for incoming off-the-wire
SMB packets, eliminating a buffer overrun which was observed by
this contributor.
Cleaned up misc EOL whitespace.

Change-Id: I7baaf9ba572133e7d8d8aeed2636f65424032549
numberer6 committed Sep 13, 2017
1 parent 1e81f09 commit cb772afb0633758069e3383cb59703af3fac5eae
Showing with 35 additions and 3 deletions.
  1. +35 −3 lwio/server/smbcommon/wire_negotiate.c
@@ -151,13 +151,39 @@ UnmarshallNegotiateRequest(
NEGOTIATE_REQUEST_HEADER* pHeader = NULL;
uint32_t bufferLeft = bufferLen;
if (bufferLeft < sizeof(NEGOTIATE_REQUEST_HEADER))
if (!pBuffer || bufferLeft < sizeof(NEGOTIATE_REQUEST_HEADER))
{
return EBADMSG;
LW_RTL_LOG_VERBOSE(
"Invalid request packet: Only %u bytes available, "
"We need at least %u bytes for a NEGOTIATE_REQUEST_HEADER",
pBuffer ? bufferLen : 0,
sizeof(NEGOTIATE_REQUEST_HEADER)
);
return STATUS_INVALID_NETWORK_RESPONSE;
}
pHeader = (NEGOTIATE_REQUEST_HEADER*)pBuffer;
if (pHeader->byteCount < 2)
{
LW_RTL_LOG_VERBOSE(
"Invalid request packet: The value of Byte Count (BCC) parameter "
"of SMB Negotiate request is %u. It should be at least 2.",
pHeader->byteCount);
return STATUS_INVALID_NETWORK_RESPONSE;
}
if (bufferLeft != sizeof(NEGOTIATE_REQUEST_HEADER) + pHeader->byteCount)
{
LW_RTL_LOG_VERBOSE(
"Invalid request packet: The value of Byte Count (BCC) parameter of "
"SMB Negotiate request is %u. However, remaining buffer size is %u.",
pHeader->byteCount,
(bufferLeft - sizeof(NEGOTIATE_REQUEST_HEADER))
);
return STATUS_INVALID_NETWORK_RESPONSE;
}
/* NOTE: The buffer format cannot be trusted! */
NEGOTIATE_REQUEST_DIALECT *pDialect = (NEGOTIATE_REQUEST_DIALECT*) (pBuffer + sizeof(NEGOTIATE_REQUEST_HEADER));
@@ -170,7 +196,13 @@ UnmarshallNegotiateRequest(
/* If the last string was (sneakily) not null terminated, bail! */
if (len > bufferLeft)
return EBADMSG;
{
LW_RTL_LOG_VERBOSE(
"Invalid request packet:Malformed SMB Negotiate "
"request:Dialect Name is not null terminated."
);
return STATUS_INVALID_NETWORK_RESPONSE;
}
if (i < *pDialectCount)
pszDialects[i] = (uchar8_t *) pDialect->szDialectName;
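Review bot: The first and third LW_RTL_LOG_VERBOSE calls added in the first hunk pass size_t values to a `%u` conversion — `sizeof(NEGOTIATE_REQUEST_HEADER)` and `(bufferLeft - sizeof(NEGOTIATE_REQUEST_HEADER))` are both size_t — which is a format/argument mismatch (undefined behaviour on LP64 targets), assuming the macro is printf-style as its format strings suggest. Cast them to the type the format names, `(unsigned)sizeof(NEGOTIATE_REQUEST_HEADER)` and `(unsigned)(bufferLeft - sizeof(NEGOTIATE_REQUEST_HEADER))`, or change those two conversions to `%zu`. The `!=` comparison against `sizeof(NEGOTIATE_REQUEST_HEADER) + pHeader->byteCount` is stricter than closing the overrun requires, since any trailing bytes after the BCC region now reject the whole request; if that is intended, a comment such as `/* Trailing data is rejected: the buffer must be exactly header + BCC bytes */` would make it clear to the next reader. UnmarshallNegotiateRequest begins before the first hunk and its dialect-walking loop continues past the second.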
