Add check for invalid data size.
[kamenim/samba.git] / source3 / smbd / nttrans.c
index 9b838a616dc4525876dcb594182de35f478dc74c..9b3085c327d00108d5bbd389e4b3043fbc4f04a5 100644 (file)
@@ -20,6 +20,7 @@
 
 #include "includes.h"
 #include "smbd/globals.h"
+#include "fake_file.h"
 #include "../librpc/gen_ndr/ndr_security.h"
 
 extern const struct generic_mapping file_generic_mapping;
@@ -58,7 +59,7 @@ void send_nt_replies(connection_struct *conn,
        int params_sent_thistime, data_sent_thistime, total_sent_thistime;
        int alignment_offset = 3;
        int data_alignment_offset = 0;
-       struct smbd_server_connection *sconn = smbd_server_conn;
+       struct smbd_server_connection *sconn = req->sconn;
        int max_send = sconn->smb1.sessions.max_send;
 
        /*
@@ -74,7 +75,7 @@ void send_nt_replies(connection_struct *conn,
                                         __LINE__,__FILE__);
                }
                show_msg((char *)req->outbuf);
-               if (!srv_send_smb(smbd_server_fd(),
+               if (!srv_send_smb(sconn,
                                (char *)req->outbuf,
                                true, req->seqnum+1,
                                IS_CONN_ENCRYPTED(conn),
@@ -243,7 +244,7 @@ void send_nt_replies(connection_struct *conn,
 
                /* Send the packet */
                show_msg((char *)req->outbuf);
-               if (!srv_send_smb(smbd_server_fd(),
+               if (!srv_send_smb(sconn,
                                (char *)req->outbuf,
                                true, req->seqnum+1,
                                IS_CONN_ENCRYPTED(conn),
@@ -835,6 +836,10 @@ NTSTATUS set_sd(files_struct *fsp, uint8_t *data, uint32_t sd_len,
        struct security_descriptor *psd = NULL;
        NTSTATUS status;
 
+       if (!CAN_WRITE(fsp->conn)) {
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        if (sd_len == 0 || !lp_nt_acl_support(SNUM(fsp->conn))) {
                return NT_STATUS_OK;
        }
@@ -849,7 +854,7 @@ NTSTATUS set_sd(files_struct *fsp, uint8_t *data, uint32_t sd_len,
                security_info_sent &= ~SECINFO_OWNER;
        }
        if (psd->group_sid == NULL) {
-               security_info_sent &= ~GROUP_SECURITY_INFORMATION;
+               security_info_sent &= ~SECINFO_GROUP;
        }
 
        /* Convert all the generic bits. */
@@ -1277,9 +1282,9 @@ void reply_ntcancel(struct smb_request *req)
         */
 
        START_PROFILE(SMBntcancel);
-       srv_cancel_sign_response(smbd_server_conn);
-       remove_pending_change_notify_requests_by_mid(req->mid);
-       remove_pending_lock_requests_by_mid_smb1(req->mid);
+       srv_cancel_sign_response(req->sconn);
+       remove_pending_change_notify_requests_by_mid(req->sconn, req->mid);
+       remove_pending_lock_requests_by_mid_smb1(req->sconn, req->mid);
 
        DEBUG(3,("reply_ntcancel: cancel called on mid = %llu.\n",
                (unsigned long long)req->mid));
@@ -1679,7 +1684,7 @@ static void call_nt_transact_notify_change(connection_struct *conn,
                 * here.
                 */
 
-               change_notify_reply(fsp->conn, req,
+               change_notify_reply(req,
                                    NT_STATUS_OK,
                                    max_param_count,
                                    fsp->notify,
@@ -1806,10 +1811,10 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
        /* If the SACL/DACL is NULL, but was requested, we mark that it is
         * present in the reply to match Windows behavior */
        if (psd->sacl == NULL &&
-           security_info_wanted & SACL_SECURITY_INFORMATION)
+           security_info_wanted & SECINFO_SACL)
                psd->type |= SEC_DESC_SACL_PRESENT;
        if (psd->dacl == NULL &&
-           security_info_wanted & DACL_SECURITY_INFORMATION)
+           security_info_wanted & SECINFO_DACL)
                psd->type |= SEC_DESC_DACL_PRESENT;
 
        *psd_size = ndr_size_security_descriptor(psd, 0);
@@ -1966,6 +1971,11 @@ static void call_nt_transact_set_security_desc(connection_struct *conn,
                return;
        }
 
+       if (!CAN_WRITE(fsp->conn)) {
+               reply_nterror(req, NT_STATUS_ACCESS_DENIED);
+               return;
+       }
+
        if(!lp_nt_acl_support(SNUM(conn))) {
                goto done;
        }
@@ -2051,7 +2061,7 @@ static void call_nt_transact_ioctl(connection_struct *conn,
 
                DEBUG(10,("FSCTL_CREATE_OR_GET_OBJECT_ID: called on FID[0x%04X]\n",fidnum));
 
-               if (!fsp_belongs_conn(conn, req, fsp)) {
+               if (!check_fsp_open(conn, req, fsp)) {
                        return;
                }
 
@@ -2108,7 +2118,7 @@ static void call_nt_transact_ioctl(connection_struct *conn,
                uint32 i;
                char *cur_pdata;
 
-               if (!fsp_belongs_conn(conn, req, fsp)) {
+               if (!check_fsp_open(conn, req, fsp)) {
                        return;
                }
 
@@ -2227,14 +2237,21 @@ static void call_nt_transact_ioctl(connection_struct *conn,
                 */
                struct dom_sid sid;
                uid_t uid;
-               size_t sid_len = MIN(data_count-4,SID_MAX_SIZE);
+               size_t sid_len;
 
                DEBUG(10,("FSCTL_FIND_FILES_BY_SID: called on FID[0x%04X]\n",fidnum));
 
-               if (!fsp_belongs_conn(conn, req, fsp)) {
+               if (!check_fsp_open(conn, req, fsp)) {
                        return;
                }
 
+               if (data_count < 8) {
+                       reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+                       return;
+               }
+
+               sid_len = MIN(data_count-4,SID_MAX_SIZE);
+
                /* unknown 4 bytes: this is not the length of the sid :-(  */
                /*unknown = IVAL(pdata,0);*/
 
@@ -2281,7 +2298,7 @@ static void call_nt_transact_ioctl(connection_struct *conn,
                NTSTATUS status;
                uint64_t offset, length;
 
-               if (!fsp_belongs_conn(conn, req, fsp)) {
+               if (!check_fsp_open(conn, req, fsp)) {
                        return;
                }