bec1a9
From a57290580b7fcffea9b76991f2dd49ad480d3b64 Mon Sep 17 00:00:00 2001
bec1a9
From: Stefan Metzmacher <metze@samba.org>
bec1a9
Date: Wed, 15 Mar 2017 17:04:30 +0000
bec1a9
Subject: [PATCH 1/2] libcli/smb: Fix alignment problems of
bec1a9
 smb_bytes_pull_str()
bec1a9
bec1a9
This function needs to get the whole smb buffer in order to get
bec1a9
the alignment for unicode correct.
bec1a9
bec1a9
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824
bec1a9
bec1a9
Signed-off-by: Stefan Metzmacher <metze@samba.org>
bec1a9
Reviewed-by: Jeremy Allison <jra@samba.org>
bec1a9
Reviewed-by: Andreas Schneider <asn@samba.org>
bec1a9
(cherry picked from commit e60e77a8afd095bfdb3d678aa48570ca159d9b24)
bec1a9
---
bec1a9
 libcli/smb/smb1cli_session.c | 28 +++++++++++++-------------
bec1a9
 libcli/smb/smb_util.h        |  3 ++-
bec1a9
 libcli/smb/util.c            | 47 +++++++++++++++++++++++++++++---------------
bec1a9
 3 files changed, 47 insertions(+), 31 deletions(-)
bec1a9
bec1a9
diff --git a/libcli/smb/smb1cli_session.c b/libcli/smb/smb1cli_session.c
bec1a9
index 9d92aa6aed4..11614df0ae4 100644
bec1a9
--- a/libcli/smb/smb1cli_session.c
bec1a9
+++ b/libcli/smb/smb1cli_session.c
bec1a9
@@ -210,16 +210,16 @@ static void smb1cli_session_setup_lm21_done(struct tevent_req *subreq)
bec1a9
 	p = bytes;
bec1a9
 
bec1a9
 	status = smb_bytes_pull_str(state, &state->out_native_os,
bec1a9
-				    use_unicode, p,
bec1a9
-				    bytes+num_bytes-p, &ret;;
bec1a9
+				    use_unicode, bytes, num_bytes,
bec1a9
+				    p, &ret;;
bec1a9
 	if (tevent_req_nterror(req, status)) {
bec1a9
 		return;
bec1a9
 	}
bec1a9
 	p += ret;
bec1a9
 
bec1a9
 	status = smb_bytes_pull_str(state, &state->out_native_lm,
bec1a9
-				    use_unicode, p,
bec1a9
-				    bytes+num_bytes-p, &ret;;
bec1a9
+				    use_unicode, bytes, num_bytes,
bec1a9
+				    p, &ret;;
bec1a9
 	if (tevent_req_nterror(req, status)) {
bec1a9
 		return;
bec1a9
 	}
bec1a9
@@ -493,24 +493,24 @@ static void smb1cli_session_setup_nt1_done(struct tevent_req *subreq)
bec1a9
 	p = bytes;
bec1a9
 
bec1a9
 	status = smb_bytes_pull_str(state, &state->out_native_os,
bec1a9
-				    use_unicode, p,
bec1a9
-				    bytes+num_bytes-p, &ret;;
bec1a9
+				    use_unicode, bytes, num_bytes,
bec1a9
+				    p, &ret;;
bec1a9
 	if (tevent_req_nterror(req, status)) {
bec1a9
 		return;
bec1a9
 	}
bec1a9
 	p += ret;
bec1a9
 
bec1a9
 	status = smb_bytes_pull_str(state, &state->out_native_lm,
bec1a9
-				    use_unicode, p,
bec1a9
-				    bytes+num_bytes-p, &ret;;
bec1a9
+				    use_unicode, bytes, num_bytes,
bec1a9
+				    p, &ret;;
bec1a9
 	if (tevent_req_nterror(req, status)) {
bec1a9
 		return;
bec1a9
 	}
bec1a9
 	p += ret;
bec1a9
 
bec1a9
 	status = smb_bytes_pull_str(state, &state->out_primary_domain,
bec1a9
-				    use_unicode, p,
bec1a9
-				    bytes+num_bytes-p, &ret;;
bec1a9
+				    use_unicode, bytes, num_bytes,
bec1a9
+				    p, &ret;;
bec1a9
 	if (tevent_req_nterror(req, status)) {
bec1a9
 		return;
bec1a9
 	}
bec1a9
@@ -754,16 +754,16 @@ static void smb1cli_session_setup_ext_done(struct tevent_req *subreq)
bec1a9
 	p += out_security_blob_length;
bec1a9
 
bec1a9
 	status = smb_bytes_pull_str(state, &state->out_native_os,
bec1a9
-				    use_unicode, p,
bec1a9
-				    bytes+num_bytes-p, &ret;;
bec1a9
+				    use_unicode, bytes, num_bytes,
bec1a9
+				    p, &ret;;
bec1a9
 	if (tevent_req_nterror(req, status)) {
bec1a9
 		return;
bec1a9
 	}
bec1a9
 	p += ret;
bec1a9
 
bec1a9
 	status = smb_bytes_pull_str(state, &state->out_native_lm,
bec1a9
-				    use_unicode, p,
bec1a9
-				    bytes+num_bytes-p, &ret;;
bec1a9
+				    use_unicode, bytes, num_bytes,
bec1a9
+				    p, &ret;;
bec1a9
 	if (tevent_req_nterror(req, status)) {
bec1a9
 		return;
bec1a9
 	}
bec1a9
diff --git a/libcli/smb/smb_util.h b/libcli/smb/smb_util.h
bec1a9
index 7e6f0a4ebc4..2884786339d 100644
bec1a9
--- a/libcli/smb/smb_util.h
bec1a9
+++ b/libcli/smb/smb_util.h
bec1a9
@@ -38,4 +38,5 @@ uint8_t *trans2_bytes_push_bytes(uint8_t *buf,
bec1a9
 				 const uint8_t *bytes, size_t num_bytes);
bec1a9
 NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2,
bec1a9
 			    const uint8_t *buf, size_t buf_len,
bec1a9
-			    size_t *pbuf_consumed);
bec1a9
+			    const uint8_t *position,
bec1a9
+			    size_t *_consumed);
bec1a9
diff --git a/libcli/smb/util.c b/libcli/smb/util.c
bec1a9
index ef8c9fafa35..7ef909c6077 100644
bec1a9
--- a/libcli/smb/util.c
bec1a9
+++ b/libcli/smb/util.c
bec1a9
@@ -319,29 +319,43 @@ uint8_t *trans2_bytes_push_bytes(uint8_t *buf,
bec1a9
 static NTSTATUS internal_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str,
bec1a9
 					bool ucs2, bool align_odd,
bec1a9
 					const uint8_t *buf, size_t buf_len,
bec1a9
-					size_t *pbuf_consumed)
bec1a9
+					const uint8_t *position,
bec1a9
+					size_t *p_consumed)
bec1a9
 {
bec1a9
 	size_t pad = 0;
bec1a9
+	size_t offset;
bec1a9
 	char *str = NULL;
bec1a9
 	size_t str_len = 0;
bec1a9
 	bool ok;
bec1a9
 
bec1a9
 	*_str = NULL;
bec1a9
-	if (pbuf_consumed != NULL) {
bec1a9
-		*pbuf_consumed = 0;
bec1a9
+	if (p_consumed != NULL) {
bec1a9
+		*p_consumed = 0;
bec1a9
+	}
bec1a9
+
bec1a9
+	if (position < buf) {
bec1a9
+		return NT_STATUS_INTERNAL_ERROR;
bec1a9
+	}
bec1a9
+
bec1a9
+	offset = PTR_DIFF(position, buf);
bec1a9
+	if (offset > buf_len) {
bec1a9
+		return NT_STATUS_BUFFER_TOO_SMALL;
bec1a9
 	}
bec1a9
 
bec1a9
 	if (ucs2 &&
bec1a9
-	    ((align_odd && (buf_len % 2 == 0)) ||
bec1a9
-	     (!align_odd && (buf_len % 2 == 1)))) {
bec1a9
-		if (buf_len < 1) {
bec1a9
-			return NT_STATUS_BUFFER_TOO_SMALL;
bec1a9
-		}
bec1a9
-		pad = 1;
bec1a9
-		buf_len -= pad;
bec1a9
-		buf += pad;
bec1a9
+	    ((align_odd && (offset % 2 == 0)) ||
bec1a9
+	     (!align_odd && (offset % 2 == 1)))) {
bec1a9
+		pad += 1;
bec1a9
+		offset += 1;
bec1a9
+	}
bec1a9
+
bec1a9
+	if (offset > buf_len) {
bec1a9
+		return NT_STATUS_BUFFER_TOO_SMALL;
bec1a9
 	}
bec1a9
 
bec1a9
+	buf_len -= offset;
bec1a9
+	buf += offset;
bec1a9
+
bec1a9
 	if (ucs2) {
bec1a9
 		buf_len = utf16_len_n(buf, buf_len);
bec1a9
 	} else {
bec1a9
@@ -361,17 +375,18 @@ static NTSTATUS internal_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str,
bec1a9
 		return map_nt_error_from_unix_common(errno);
bec1a9
 	}
bec1a9
 
bec1a9
-	if (pbuf_consumed != NULL) {
bec1a9
-		*pbuf_consumed = buf_len + pad;
bec1a9
+	if (p_consumed != NULL) {
bec1a9
+		*p_consumed = buf_len + pad;
bec1a9
 	}
bec1a9
 	*_str = str;
bec1a9
-	return NT_STATUS_OK;;
bec1a9
+	return NT_STATUS_OK;
bec1a9
 }
bec1a9
 
bec1a9
 NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2,
bec1a9
 			    const uint8_t *buf, size_t buf_len,
bec1a9
-			    size_t *_buf_consumed)
bec1a9
+			    const uint8_t *position,
bec1a9
+			    size_t *_consumed)
bec1a9
 {
bec1a9
 	return internal_bytes_pull_str(mem_ctx, _str, ucs2, true,
bec1a9
-				       buf, buf_len, _buf_consumed);
bec1a9
+				       buf, buf_len, position, _consumed);
bec1a9
 }
bec1a9
-- 
bec1a9
2.13.1
bec1a9
bec1a9
bec1a9
From 460941fe916d787057437412eef64c0ffdd1f65d Mon Sep 17 00:00:00 2001
bec1a9
From: Stefan Metzmacher <metze@samba.org>
bec1a9
Date: Wed, 15 Mar 2017 17:04:44 +0000
bec1a9
Subject: [PATCH 2/2] s3:libsmb: add cli_state_update_after_sesssetup() helper
bec1a9
 function
bec1a9
bec1a9
This function updates cli->server_{os,type,domain} to valid values
bec1a9
after a session setup.
bec1a9
bec1a9
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12779
bec1a9
bec1a9
Signed-off-by: Stefan Metzmacher <metze@samba.org>
bec1a9
Reviewed-by: Andreas Schneider <asn@samba.org>
bec1a9
(cherry picked from commit e0069bd2a4820eca17c59d91bd1853f2f053a7a3)
bec1a9
---
bec1a9
 source3/libsmb/cliconnect.c | 74 +++++++++++++++++++++++++++++++--------------
bec1a9
 1 file changed, 52 insertions(+), 22 deletions(-)
bec1a9
bec1a9
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
bec1a9
index a2362ceb863..ef03da17eec 100644
bec1a9
--- a/source3/libsmb/cliconnect.c
bec1a9
+++ b/source3/libsmb/cliconnect.c
bec1a9
@@ -372,6 +372,38 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
bec1a9
 	return NT_STATUS_OK;
bec1a9
 }
bec1a9
 
bec1a9
+static NTSTATUS cli_state_update_after_sesssetup(struct cli_state *cli,
bec1a9
+						 const char *native_os,
bec1a9
+						 const char *native_lm,
bec1a9
+						 const char *primary_domain)
bec1a9
+{
bec1a9
+#define _VALID_STR(p) ((p) != NULL && (p)[0] != '\0')
bec1a9
+
bec1a9
+	if (!_VALID_STR(cli->server_os) && _VALID_STR(native_os)) {
bec1a9
+		cli->server_os = talloc_strdup(cli, native_os);
bec1a9
+		if (cli->server_os == NULL) {
bec1a9
+			return NT_STATUS_NO_MEMORY;
bec1a9
+		}
bec1a9
+	}
bec1a9
+
bec1a9
+	if (!_VALID_STR(cli->server_type) && _VALID_STR(native_lm)) {
bec1a9
+		cli->server_type = talloc_strdup(cli, native_lm);
bec1a9
+		if (cli->server_type == NULL) {
bec1a9
+			return NT_STATUS_NO_MEMORY;
bec1a9
+		}
bec1a9
+	}
bec1a9
+
bec1a9
+	if (!_VALID_STR(cli->server_domain) && _VALID_STR(primary_domain)) {
bec1a9
+		cli->server_domain = talloc_strdup(cli, primary_domain);
bec1a9
+		if (cli->server_domain == NULL) {
bec1a9
+			return NT_STATUS_NO_MEMORY;
bec1a9
+		}
bec1a9
+	}
bec1a9
+
bec1a9
+#undef _VALID_STRING
bec1a9
+	return NT_STATUS_OK;
bec1a9
+}
bec1a9
+
bec1a9
 /********************************************************
bec1a9
  Utility function to ensure we always return at least
bec1a9
  a valid char * pointer to an empty string for the
bec1a9
@@ -762,7 +794,6 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
bec1a9
 		subreq, struct tevent_req);
bec1a9
 	struct cli_sesssetup_blob_state *state = tevent_req_data(
bec1a9
 		req, struct cli_sesssetup_blob_state);
bec1a9
-	struct cli_state *cli = state->cli;
bec1a9
 	NTSTATUS status;
bec1a9
 
bec1a9
 	if (smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB2_02) {
bec1a9
@@ -784,15 +815,16 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
bec1a9
 		return;
bec1a9
 	}
bec1a9
 
bec1a9
-	if (cli->server_os == NULL) {
bec1a9
-		cli->server_os = talloc_move(cli, &state->out_native_os);
bec1a9
-	}
bec1a9
-	if (cli->server_type == NULL) {
bec1a9
-		cli->server_type = talloc_move(cli, &state->out_native_lm);
bec1a9
-	}
bec1a9
-
bec1a9
 	state->status = status;
bec1a9
 
bec1a9
+	status = cli_state_update_after_sesssetup(state->cli,
bec1a9
+						  state->out_native_os,
bec1a9
+						  state->out_native_lm,
bec1a9
+						  NULL);
bec1a9
+	if (tevent_req_nterror(req, status)) {
bec1a9
+		return;
bec1a9
+	}
bec1a9
+
bec1a9
 	if (state->blob.length != 0) {
bec1a9
 		/*
bec1a9
 		 * More to send
bec1a9
@@ -1667,14 +1699,12 @@ static void cli_session_setup_creds_done_nt1(struct tevent_req *subreq)
bec1a9
 		return;
bec1a9
 	}
bec1a9
 
bec1a9
-	if (cli->server_os == NULL) {
bec1a9
-		cli->server_os = talloc_move(cli, &state->out_native_os);
bec1a9
-	}
bec1a9
-	if (cli->server_type == NULL) {
bec1a9
-		cli->server_type = talloc_move(cli, &state->out_native_lm);
bec1a9
-	}
bec1a9
-	if (cli->server_domain == NULL) {
bec1a9
-		cli->server_domain = talloc_move(cli, &state->out_primary_domain);
bec1a9
+	status = cli_state_update_after_sesssetup(state->cli,
bec1a9
+						  state->out_native_os,
bec1a9
+						  state->out_native_lm,
bec1a9
+						  state->out_primary_domain);
bec1a9
+	if (tevent_req_nterror(req, status)) {
bec1a9
+		return;
bec1a9
 	}
bec1a9
 
bec1a9
 	ok = smb1cli_conn_activate_signing(cli->conn,
bec1a9
@@ -1707,7 +1737,6 @@ static void cli_session_setup_creds_done_lm21(struct tevent_req *subreq)
bec1a9
 		subreq, struct tevent_req);
bec1a9
 	struct cli_session_setup_creds_state *state = tevent_req_data(
bec1a9
 		req, struct cli_session_setup_creds_state);
bec1a9
-	struct cli_state *cli = state->cli;
bec1a9
 	NTSTATUS status;
bec1a9
 
bec1a9
 	status = smb1cli_session_setup_lm21_recv(subreq, state,
bec1a9
@@ -1720,11 +1749,12 @@ static void cli_session_setup_creds_done_lm21(struct tevent_req *subreq)
bec1a9
 		return;
bec1a9
 	}
bec1a9
 
bec1a9
-	if (cli->server_os == NULL) {
bec1a9
-		cli->server_os = talloc_move(cli, &state->out_native_os);
bec1a9
-	}
bec1a9
-	if (cli->server_type == NULL) {
bec1a9
-		cli->server_type = talloc_move(cli, &state->out_native_lm);
bec1a9
+	status = cli_state_update_after_sesssetup(state->cli,
bec1a9
+						  state->out_native_os,
bec1a9
+						  state->out_native_lm,
bec1a9
+						  NULL);
bec1a9
+	if (tevent_req_nterror(req, status)) {
bec1a9
+		return;
bec1a9
 	}
bec1a9
 
bec1a9
 	tevent_req_done(req);
bec1a9
-- 
bec1a9
2.13.1
bec1a9