Update the smbd reply code a little:
authorAndrew Bartlett <abartlet@samba.org>
Sat, 20 Jul 2002 10:07:47 +0000 (10:07 +0000)
committerAndrew Bartlett <abartlet@samba.org>
Sat, 20 Jul 2002 10:07:47 +0000 (10:07 +0000)
I don't like the idea of multiple negprots - because I see potential problems
with people being able to manipulate internal samba variables.

This applies in particular to remote names, so don't allow multiple session
requests either.

Also remove a pstrcpy() from the tcon code, we really don't need it.

Andrew Bartlett

source/smbd/negprot.c
source/smbd/reply.c

index 81c2427a003124169707d1589be2cfbc5e843afb..abe44aac8c537691509f859f3bb51f66c4489c0e 100644 (file)
@@ -412,8 +412,17 @@ int reply_negprot(connection_struct *conn,
        char *p;
        int bcc = SVAL(smb_buf(inbuf),-2);
        int arch = ARCH_ALL;
+
+       static BOOL done_negprot = False;
+
        START_PROFILE(SMBnegprot);
 
+       if (done_negprot) {
+               END_PROFILE(SMBnegprot);
+               exit_server("multiple negprot's are not permitted");
+       }
+       done_negprot = True;
+
        p = smb_buf(inbuf)+1;
        while (p < (smb_buf(inbuf) + bcc)) { 
                Index++;
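Review bot: The new `static BOOL done_negprot` has no comment saying why a second negprot is fatal or what scope the flag has. A function-local static is per process, so the guard only means "once per connection" if each smbd process serves a single client connection; that assumption is not visible in this hunk and should be stated. I would add above the declaration something like `/* A client may negotiate only once: a repeated negprot could re-set protocol state that later requests rely on. Per-process flag, assumes one connection per smbd. */`. reply_negprot's body continues outside the hunk.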
index 8f666910a5172131ac1a5b14a24fa16e8b9c7cd5..813b9f39f88029068c71ff9d1458faa864cb59c6 100644 (file)
@@ -57,6 +57,8 @@ int reply_special(char *inbuf,char *outbuf)
        int len;
        char name_type = 0;
        
+       static BOOL already_got_session = False;
+
        *name1 = *name2 = 0;
        
        memset(outbuf,'\0',smb_size);
@@ -65,6 +67,11 @@ int reply_special(char *inbuf,char *outbuf)
        
        switch (msg_type) {
        case 0x81: /* session request */
+               
+               if (already_got_session) {
+                       exit_server("multiple session request not permitted");
+               }
+               
                SCVAL(outbuf,0,0x82);
                SCVAL(outbuf,3,0);
                if (name_len(inbuf+4) > 50 || 
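Review bot: `already_got_session` is tested at the top of `case 0x81` but only set at the bottom of the case (the `@@ -115,6 +122,7 @@` hunk), after the name handling that the guard is meant to protect. Any path in the unseen middle of the case that returns or breaks early would leave the flag False and let a later session request through; whether such a path exists is not visible here. reply_negprot in this same commit sets its flag immediately after the check, and doing the same here is simpler to reason about: put `already_got_session = True;` directly after the `if (already_got_session) { ... }` block. The rest of the case lies outside these hunks.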
@@ -115,6 +122,7 @@ int reply_special(char *inbuf,char *outbuf)
 
                claim_connection(NULL,"",MAXSTATUS,True);
 
+               already_got_session = True;
                break;
                
        case 0x89: /* session keepalive request 
@@ -148,7 +156,8 @@ int reply_special(char *inbuf,char *outbuf)
 int reply_tcon(connection_struct *conn,
               char *inbuf,char *outbuf, int dum_size, int dum_buffsize)
 {
-       pstring service;
+       char *service;
+       pstring service_buf;
        pstring password;
        pstring dev;
        int outsize = 0;
@@ -160,17 +169,19 @@ int reply_tcon(connection_struct *conn,
        
        START_PROFILE(SMBtcon);
 
-       *service = *password = *dev = 0;
+       *service_buf = *password = *dev = 0;
 
        p = smb_buf(inbuf)+1;
-       p += srvstr_pull_buf(inbuf, service, p, sizeof(service), STR_TERMINATE) + 1;
+       p += srvstr_pull_buf(inbuf, service_buf, p, sizeof(service), STR_TERMINATE) + 1;
        pwlen = srvstr_pull_buf(inbuf, password, p, sizeof(password), STR_TERMINATE) + 1;
        p += pwlen;
        p += srvstr_pull_buf(inbuf, dev, p, sizeof(dev), STR_TERMINATE) + 1;
 
-       p = strrchr_m(service,'\\');
+       p = strrchr_m(service_buf,'\\');
        if (p) {
-               pstrcpy(service, p+1);
+               service = p+1;
+       } else {
+               service = service_buf;
        }
 
        password_blob = data_blob(password, pwlen+1);
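Review bot: `sizeof(service)` in the first `srvstr_pull_buf()` call now measures a `char *` rather than the pstring, because the preceding hunk turned `service` into a pointer and moved the storage to `service_buf`. Assuming the fourth argument is the destination size, as the neighbouring `sizeof(password)` and `sizeof(dev)` calls suggest, the service name would be limited to pointer size (4 or 8 bytes) before the `strrchr_m()` lookup, so the tree connect would see a truncated share name. The line should read `p += srvstr_pull_buf(inbuf, service_buf, p, sizeof(service_buf), STR_TERMINATE) + 1;`. reply_tcon's body continues outside the hunk.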