/****************************************************************
Check if an offset into a buffer is safe.
+ If this returns True it's safe to indirect into the byte at
+ pointer ptr+off.
****************************************************************/
BOOL is_offset_safe(const char *buf_base, size_t buf_len, char *ptr, size_t off)
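Review bot: The new header comment promises safety only for the single byte at ptr+off, yet every caller in this patch (get_safe_SVAL, get_safe_IVAL and the lanman sites) passes the index of the last byte it reads and relies on the check covering the whole range ptr[0..off]; is_offset_safe's body is outside this view, so that contract is stated nowhere. If the function compares only the address ptr+off against the buffer bounds, the earlier bytes are covered only when ptr itself already lies inside [buf_base, buf_base+buf_len), which is worth saying explicitly. Suggest extending the comment with `Callers pass the offset of the LAST byte they will read; ptr itself must lie inside [buf_base, buf_base+buf_len) for the whole range ptr[0..off] to be covered.`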
int get_safe_SVAL(const char *buf_base, size_t buf_len, char *ptr, size_t off, int failval)
{
- if (!is_offset_safe(buf_base, buf_len, ptr, off+2)) {
+ /*
+ * Note we use off+1 here, not off+2 as SVAL accesses ptr[0] and ptr[1],
+ * NOT ptr[2].
+ */
+ if (!is_offset_safe(buf_base, buf_len, ptr, off+1)) {
return failval;
}
- return SVAL(ptr,0);
+ return SVAL(ptr,off);
}
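Review bot: The added comment in get_safe_SVAL still describes the pre-fix access pattern: it says SVAL accesses ptr[0] and ptr[1], but the return on the last line now reads `SVAL(ptr,off)`, i.e. ptr[off] and ptr[off+1], which is exactly why the check uses off+1. Suggest `* Note we use off+1 here, not off+2, as SVAL(ptr,off) accesses ptr[off] and ptr[off+1], NOT ptr[off+2].` The same wording problem is in get_safe_IVAL's new comment, where ptr[0]..ptr[3] should read ptr[off]..ptr[off+3]. Separately, `off+1` is size_t arithmetic and wraps to 0 when off == SIZE_MAX, so a caller-controlled off that large is rejected only if is_offset_safe also rejects ptr+off itself; a one-line `if (off == SIZE_MAX) return failval;` before the check would make that independent of the helper.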
/****************************************************************
int get_safe_IVAL(const char *buf_base, size_t buf_len, char *ptr, size_t off, int failval)
{
- if (!is_offset_safe(buf_base, buf_len, ptr, off+4)) {
+ /*
+ * Note we use off+3 here, not off+4 as IVAL accesses
+ * ptr[0] ptr[1] ptr[2] ptr[3] NOT ptr[4].
+ */
+ if (!is_offset_safe(buf_base, buf_len, ptr, off+3)) {
return failval;
}
- return IVAL(ptr,0);
+ return IVAL(ptr,off);
}
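Review bot: failval cannot be distinguished from a legitimately read value in get_safe_IVAL: the function returns int, and if IVAL (defined outside this view) yields a full 32-bit value, then every int a caller might choose as failval is also a possible genuine result, so a caller cannot tell a bounds failure from data by the return value alone; get_safe_SVAL has the same problem for any failval in 0..65535. Suggest documenting this limitation in the function header, e.g. `failval must be a value the caller knows cannot occur in the data; for IVAL no such sentinel exists in int, so callers needing a reliable failure signal should test is_offset_safe() themselves.` A cleaner alternative would be returning a BOOL status and writing the value through an out-parameter, but that is a signature change for both helpers.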
memset(pass1,'\0',sizeof(pass1));
memset(pass2,'\0',sizeof(pass2));
- if (!is_offset_safe(param,tpscnt,p,32)) {
+ /*
+ * We use 31 here not 32 as we're checking
+ * the last byte we want to access is safe.
+ */
+ if (!is_offset_safe(param,tpscnt,p,31)) {
return False;
}
memcpy(pass1,p,16);
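Review bot: The comment justifying 31 says only that "the last byte we want to access is safe" without naming the accesses, and just one of them, `memcpy(pass1,p,16)` reading p[0..15], is visible in the hunk; the enclosing function starts before the hunk and the read that needs p[16..31] (presumably the copy into pass2) lies after it. Suggest tying the constant to the reads it protects so a later change to either copy cannot silently desynchronise the check: `/* pass1 is read from p[0..15] and pass2 from p[16..31], so the last byte accessed is p[31]. */` If pass1 and pass2 are 16-byte arrays (the memset lines use sizeof but the memcpy uses a literal 16), `if (!is_offset_safe(param,tpscnt,p,sizeof(pass1)+sizeof(pass2)-1))` would keep the bound and the copies in step.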
if (!str1 || !str2 || !p) {
return False;
}
- if (!is_offset_safe(param,tpscnt,p,2)) {
+ /*
+ * We use 1 here not 2 as we're checking
+ * the last byte we want to access is safe.
+ */
+ if (!is_offset_safe(param,tpscnt,p,1)) {
return False;
}
if(!rap_to_pjobid(SVAL(p,0), sharename, &jobid))
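Review bot: The check `is_offset_safe(param,tpscnt,p,1)` guards the `SVAL(p,0)` read in the rap_to_pjobid call three lines below, but the comment repeats the generic "last byte we want to access" wording instead of naming that read; the identical hunk that follows this one has the same comment. Suggest `/* SVAL(p,0) below reads p[0] and p[1], so the last byte accessed is p[1]. */` in both places. This patch also introduces get_safe_SVAL, which wraps exactly this check-then-read pattern; whether it fits here depends on a jobid value being available as failval, which is not visible from the hunk. The enclosing function starts before the hunk.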
if (!str1 || !str2 || !p) {
return False;
}
- if (!is_offset_safe(param,tpscnt,p,2)) {
+ /*
+ * We use 1 here not 2 as we're checking
+ * the last byte we want to access is safe.
+ */
+ if (!is_offset_safe(param,tpscnt,p,1)) {
return False;
}
if(!rap_to_pjobid(SVAL(p,0), sharename, &jobid))