CVE-2007-4572-GETDC-buffer-overrun-in-nmbd   [plain text]


Index: samba/source/nmbd/nmbd_processlogon.c
===================================================================
--- samba/source/nmbd/nmbd_processlogon.c.orig
+++ samba/source/nmbd/nmbd_processlogon.c
@@ -135,7 +135,9 @@ logons are not enabled.\n", inet_ntoa(p-
 
 				fstrcpy(reply_name, "\\\\");
 				fstrcat(reply_name, my_name);
-				push_ascii_fstring(q, reply_name);
+				push_ascii(q,reply_name,
+						sizeof(outbuf)-PTR_DIFF(q, outbuf),
+						STR_TERMINATE);
 				q = skip_string(outbuf,sizeof(outbuf),q); /* PDC name */
 
 				SSVAL(q, 0, token);
@@ -231,7 +233,9 @@ logons are not enabled.\n", inet_ntoa(p-
 				q += 2;
 
 				fstrcpy(reply_name,my_name);
-				push_ascii_fstring(q, reply_name);
+				push_ascii(q, reply_name,
+						sizeof(outbuf)-PTR_DIFF(q, outbuf),
+						STR_TERMINATE);
 				q = skip_string(outbuf,sizeof(outbuf),q); /* PDC name */
 
 				/* PDC and domain name */
@@ -239,8 +243,15 @@ logons are not enabled.\n", inet_ntoa(p-
 					/* Make a full reply */
 					q = ALIGN2(q, outbuf);
 
-					q += dos_PutUniCode(q, my_name, sizeof(pstring), True); /* PDC name */
-					q += dos_PutUniCode(q, lp_workgroup(),sizeof(pstring), True); /* Domain name*/
+					q += dos_PutUniCode(q, my_name,
+						sizeof(outbuf) - PTR_DIFF(q, outbuf),
+						True); /* PDC name */
+					q += dos_PutUniCode(q, lp_workgroup(),
+						sizeof(outbuf) - PTR_DIFF(q, outbuf),
+						True); /* Domain name*/
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 8) {
+						return;
+					}
 					SIVAL(q, 0, 1); /* our nt version */
 					SSVAL(q, 4, 0xffff); /* our lmnttoken */
 					SSVAL(q, 6, 0xffff); /* our lm20token */
@@ -376,9 +387,15 @@ reporting %s domain %s 0x%x ntversion=%x
 
 					q += 2;
 
-					q += dos_PutUniCode(q, reply_name,sizeof(pstring), True);
-					q += dos_PutUniCode(q, ascuser, sizeof(pstring), True);
-					q += dos_PutUniCode(q, lp_workgroup(),sizeof(pstring), True);
+					q += dos_PutUniCode(q, reply_name,
+						sizeof(outbuf) - PTR_DIFF(q, outbuf),
+						True);
+					q += dos_PutUniCode(q, ascuser,
+						sizeof(outbuf) - PTR_DIFF(q, outbuf),
+						True);
+					q += dos_PutUniCode(q, lp_workgroup(),
+						sizeof(outbuf) - PTR_DIFF(q, outbuf),
+						True);
 				}
 #ifdef HAVE_ADS
 				else {
@@ -394,6 +411,9 @@ reporting %s domain %s 0x%x ntversion=%x
 					get_mydnsdomname(domain);
 					get_myname(hostname);
 	
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 8) {
+						return;
+					}
 					if (SVAL(uniuser, 0) == 0) {
 						SIVAL(q, 0, SAMLOGON_AD_UNK_R);	/* user unknown */
 					} else {
@@ -406,6 +426,9 @@ reporting %s domain %s 0x%x ntversion=%x
 					q += 4;
 
 					/* Push Domain GUID */
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < UUID_FLAT_SIZE) {
+						return;
+					}
 					if (False == secrets_fetch_domain_guid(domain, &domain_guid)) {
 						DEBUG(2, ("Could not fetch DomainGUID for %s\n", domain));
 						return;
@@ -421,12 +444,20 @@ reporting %s domain %s 0x%x ntversion=%x
 					q1 = q;
 					while ((component = strtok(dc, "."))) {
 						dc = NULL;
-						size = push_ascii(&q[1], component, -1, 0);
+						if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 1) {
+							return;
+						}
+						size = push_ascii(&q[1], component,
+							sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
+							0);
 						SCVAL(q, 0, size);
 						q += (size + 1);
 					}
 
 					/* Unk0 */
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 4) {
+						return;
+					}
 					SCVAL(q, 0, 0);
 					q++;
 
@@ -436,44 +467,72 @@ reporting %s domain %s 0x%x ntversion=%x
 					q += 2;
 
 					/* Hostname */
-					size = push_ascii(&q[1], hostname, -1, 0);
+					size = push_ascii(&q[1], hostname,
+							sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
+							0);
 					SCVAL(q, 0, size);
 					q += (size + 1);
+
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 3) {
+						return;
+					}
+
 					SCVAL(q, 0, 0xc0 | ((str_offset >> 8) & 0x3F));
 					SCVAL(q, 1, str_offset & 0xFF);
 					q += 2;
 
 					/* NETBIOS of domain */
-					size = push_ascii(&q[1], lp_workgroup(), -1, STR_UPPER);
+					size = push_ascii(&q[1], lp_workgroup(),
+							sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
+							STR_UPPER);
 					SCVAL(q, 0, size);
 					q += (size + 1);
 
 					/* Unk1 */
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 2) {
+						return;
+					}
 					SCVAL(q, 0, 0);
 					q++;
 
 					/* NETBIOS of hostname */
-					size = push_ascii(&q[1], my_name, -1, 0);
+					size = push_ascii(&q[1], my_name,
+							sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
+							0);
 					SCVAL(q, 0, size);
 					q += (size + 1);
 
 					/* Unk2 */
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 4) {
+						return;
+					}
 					SCVAL(q, 0, 0);
 					q++;
 
 					/* User name */
 					if (SVAL(uniuser, 0) != 0) {
-						size = push_ascii(&q[1], ascuser, -1, 0);
+						size = push_ascii(&q[1], ascuser,
+							sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
+							0);
 						SCVAL(q, 0, size);
 						q += (size + 1);
 					}
 
 					q_orig = q;
 					/* Site name */
-					size = push_ascii(&q[1], "Default-First-Site-Name", -1, 0);
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 1) {
+						return;
+					}
+					size = push_ascii(&q[1], "Default-First-Site-Name",
+							sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
+							0);
 					SCVAL(q, 0, size);
 					q += (size + 1);
 
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 18) {
+						return;
+					}
+
 					/* Site name (2) */
 					str_offset = q - q_orig;
 					SCVAL(q, 0, 0xc0 | ((str_offset >> 8) & 0x3F));
@@ -494,6 +553,10 @@ reporting %s domain %s 0x%x ntversion=%x
 				}	
 #endif
 
+				if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 8) {
+					return;
+				}
+
 				/* tell the client what version we are */
 				SIVAL(q, 0, ((ntversion < 11) || (SEC_ADS != lp_security())) ? 1 : 13); 
 				/* our ntversion */
Index: samba/source/lib/charcnv.c
===================================================================
--- samba/source/lib/charcnv.c.orig
+++ samba/source/lib/charcnv.c
@@ -872,9 +872,9 @@ size_t push_ascii(void *dest, const char
 	size_t src_len = strlen(src);
 	pstring tmpbuf;
 
-	/* treat a pstring as "unlimited" length */
+	/* No longer allow a length of -1 */
 	if (dest_len == (size_t)-1)
-		dest_len = sizeof(pstring);
+		smb_panic("push_ascii - dest_len == -1");
 
 	if (flags & STR_UPPER) {
 		pstrcpy(tmpbuf, src);
Index: samba/source/smbd/lanman.c
===================================================================
--- samba/source/smbd/lanman.c.orig
+++ samba/source/smbd/lanman.c
@@ -404,7 +404,7 @@ static void PackDriverData(struct pack_d
 	SIVAL(drivdata,0,sizeof drivdata); /* cb */
 	SIVAL(drivdata,4,1000);	/* lVersion */
 	memset(drivdata+8,0,32);	/* szDeviceName */
-	push_ascii(drivdata+8,"NULL",-1, STR_TERMINATE);
+	push_ascii(drivdata+8,"NULL",32, STR_TERMINATE);
 	PACKl(desc,"l",drivdata,sizeof drivdata); /* pDriverData */
 }
 
Index: samba/source/libsmb/ntlmssp_parse.c
===================================================================
--- samba/source/libsmb/ntlmssp_parse.c.orig
+++ samba/source/libsmb/ntlmssp_parse.c
@@ -152,7 +152,8 @@ BOOL msrpc_gen(DATA_BLOB *blob,
 			break;
 		case 'C':
 			s = va_arg(ap, char *);
-			head_ofs += push_string(NULL, blob->data+head_ofs, s, -1, 
+			n = str_charnum(s) + 1;
+			head_ofs += push_string(NULL, blob->data+head_ofs, s, n,
 						STR_ASCII|STR_TERMINATE);
 			break;
 		}