libcli/smb: fix parsing of compounded messages within a SMB2_TRANSFORM pdu
authorStefan Metzmacher <metze@samba.org>
Tue, 14 Aug 2012 07:33:01 +0000 (09:33 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 15 Aug 2012 12:45:21 +0000 (14:45 +0200)
One SMB2_TRANSFORM pdu wraps multiple SMB2 pdus.

We inject the SMB2_TRANSFORM header into each response that was wrapped
inside it. This allows the next layer to verify whether the SMB2 pdu was encrypted.

metze

libcli/smb/smbXcli_base.c

index 58232ba7eaceec442d73b1349e7e7bb876789fb1..05a97268a473ddb2beeedb5318cb8e72ae3b5d6b 100644 (file)
@@ -2953,6 +2953,9 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
        int num_iov = 0;
        size_t taken = 0;
        uint8_t *first_hdr = buf;
+       size_t verified_buflen = 0;
+       uint8_t *tf = NULL;
+       size_t tf_len = 0;
 
        iov = talloc_array(mem_ctx, struct iovec, num_iov);
        if (iov == NULL) {
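Review bot: `verified_buflen` is added without a comment, and its meaning is only recoverable from the later assignment `verified_buflen = taken + len;` in the hunk at -3020. If that reading is right, a one-line comment on the declaration would spare the next reader the reconstruction, e.g. `/* end offset (from first_hdr) of the region already decrypted and verified from the current SMB2_TRANSFORM; 0 outside a transform */`. The hoisting of `tf`/`tf_len` out of the loop deserves a similar note, e.g. `/* tf/tf_len are kept across iterations so every pdu inside one transform sees it */`, since a reader of the loop body would otherwise expect them to be per-iteration. smb2cli_inbuf_parse_compound's signature and the rest of its body lie outside this hunk.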
@@ -2960,8 +2963,6 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
        }
 
        while (taken < buflen) {
-               uint8_t *tf = NULL;
-               size_t tf_len = 0;
                size_t len = buflen - taken;
                uint8_t *hdr = first_hdr + taken;
                struct iovec *cur;
@@ -2970,6 +2971,13 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
                uint16_t body_size;
                struct iovec *iov_tmp;
 
+               if (verified_buflen > taken) {
+                       len = verified_buflen - taken;
+               } else {
+                       tf = NULL;
+                       tf_len = 0;
+               }
+
                if (len < 4) {
                        DEBUG(10, ("%d bytes left, expected at least %d\n",
                                   (int)len, 4));
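Review bot: Together with the removal of `if (tf && next_command_ofs < len) goto inval;` in the hunk at -3053, this clamp changes what happens when a compound chain inside a transform ends (next_command_ofs == 0) before verified_buflen: on the next iteration `verified_buflen > taken` still holds, so the leftover decrypted bytes are parsed as a further SMB2 pdu with tf/tf_len still attached instead of being rejected. Whether that is intended depends on how full_size is set for the last pdu, which is outside the hunk, and on whether the magic check then rejects the trailing bytes. If a transform is expected to be filled exactly by its chain, the old strictness could be kept where full_size becomes final, e.g. `if (tf != NULL && next_command_ofs == 0 && taken + full_size != verified_buflen) { goto inval; }`. The else branch here also silently drops tf/tf_len the moment taken reaches verified_buflen, which is correct but worth a comment such as `/* left the decrypted region: following pdus are plaintext */`.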
@@ -3020,6 +3028,8 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
                                TALLOC_FREE(iov);
                                return status;
                        }
+
+                       verified_buflen = taken + len;
                }
 
                /*
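Review bot: Now that tf/tf_len survive across iterations, the transform detection above this hunk should refuse a second SMB2_TRANSFORM header that appears inside an already verified region (`verified_buflen > taken`), otherwise this assignment would re-derive verified_buflen from data that was itself decrypted; if the magic check does not already reject that case, a guard like `if (tf != NULL) { goto inval; }` before decrypting would close it. The assignment also presumes `len` has been shortened to the decrypted payload length by the code above the hunk; if it still held `buflen - taken`, the clamp added at -2970 would be a no-op and the check removed at -3053 would have no replacement. The enclosing branch starts outside the hunk, so this could not be confirmed from the diff.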
@@ -3053,9 +3063,6 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
                        if (next_command_ofs > full_size) {
                                goto inval;
                        }
-                       if (tf && next_command_ofs < len) {
-                               goto inval;
-                       }
                        full_size = next_command_ofs;
                }
                if (body_size < 2) {