r24006: Some more paranoia in reply_negprot
authorVolker Lendecke <vlendec@samba.org>
Mon, 23 Jul 2007 14:36:54 +0000 (14:36 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:28:55 +0000 (12:28 -0500)
On some hosts smb_bufrem(req->inbuf, p) evaluates as an unsigned int. Because
the `p += strlen(p) + 2` advance could move p one byte beyond the buffer, the
remaining length then came out as a very large positive value. Also take the
chance to add one more consistency check.
(This used to be commit 3673707f9f1a3ba29966ac7cf744e2b6462c8dde)

source3/smbd/negprot.c

index 61be2e8f9a021b90d55e6672713a82d12d38fd8d..7602490c2d340e53c12c6a84720deb707e6cb7ee 100644 (file)
@@ -533,7 +533,7 @@ void reply_negprot(connection_struct *conn, struct smb_request *req)
                return;
        }
 
-       p = smb_buf(req->inbuf)+1;
+       p = smb_buf(req->inbuf);
 
        num_cliprotos = 0;
        cliprotos = NULL;
@@ -541,6 +541,16 @@ void reply_negprot(connection_struct *conn, struct smb_request *req)
        while (smb_bufrem(req->inbuf, p) > 0) {
                char **tmp;
 
+               if (p[0] != 0x02) {
+                       DEBUG(3, ("Invalid string specifier %x, expected "
+                                 "0x02\n", (int)p[0]));
+                       reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+                       END_PROFILE(SMBnegprot);
+                       return;
+               }
+
+               p += 1; /* Skip the "0x02" */
+
                tmp = TALLOC_REALLOC_ARRAY(tmp_talloc_ctx(), cliprotos, char *,
                                           num_cliprotos+1);
                if (tmp == NULL) {
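Review bot: The new `p += 1; /* Skip the "0x02" */` leaves the following `strlen(p)` (and the `p += strlen(p) + 1` advance in the third hunk) unbounded by the remaining buffer: the `while (smb_bufrem(req->inbuf, p) > 0)` condition only guarantees that the byte tested as `p[0]` is inside the buffer, not that a NUL follows it, so a dialect list whose final byte is 0x02, or whose last name is not terminated, is still scanned past the end — the same overrun class this commit is fixing. Whether the receive path pads inbuf with a NUL beyond its length is not visible here; if it does not, the string should be bounds-checked before it is copied, as sketched below. The loop body continues outside this hunk (the copy of `p` into `cliprotos` lies between this hunk and the next), so the check belongs immediately after the skip.
```c
                p += 1; /* Skip the "0x02" */

                /* The dialect name must be NUL-terminated within the
                 * bytes that remain; strlen() below must not run off
                 * the end of inbuf. */
                if (smb_bufrem(req->inbuf, p) <= 0 ||
                    memchr(p, '\0', (size_t)smb_bufrem(req->inbuf, p)) == NULL) {
                        DEBUG(3, ("Unterminated dialect string\n"));
                        reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
                        END_PROFILE(SMBnegprot);
                        return;
                }

                /* … unchanged: TALLOC_REALLOC_ARRAY of cliprotos … */
```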
@@ -566,7 +576,7 @@ void reply_negprot(connection_struct *conn, struct smb_request *req)
                          cliprotos[num_cliprotos]));
 
                num_cliprotos += 1;
-               p += strlen(p) + 2;
+               p += strlen(p) + 1;
        }
 
        for (i=0; i<num_cliprotos; i++) {