author | Guy Harris <guy@alum.mit.edu> | 2019-05-22 09:15:34 -0700 |
---|---|---|
committer | Guy Harris <guy@alum.mit.edu> | 2019-05-22 09:15:34 -0700 |
commit | 944a5e22aab5c62706df1acef419ac6432de8f29 (patch) | |
tree | a081479886c51606f2ca7386ce1d88c2b9695c8e /smbutil.c | |
parent | ae693dc2121f6fe1c7f42ece00b54b16e84c400f (diff) | |
Don't use leftover string length values.
Before processing an SMB request or response, set the string length
variable to 0, and set a flag indicating whether we *have* a string
length variable to "false". Set the latter to "true" only if we
explicitly set the string length, and if it's not set when we process a
counted string, report an error. (That *shouldn't* happen, but *can*
happen in a malformed packet, such as an NT Create AndX request with a
zero word count, meaning "no word parameters" and thus "no string length
word parameter".)
Diffstat (limited to 'smbutil.c')
-rw-r--r-- | smbutil.c | 22 |
1 files changed, 22 insertions, 0 deletions
@@ -20,10 +20,21 @@ #include "extract.h" #include "smb.h" +static int stringlen_is_set; static uint32_t stringlen; extern const u_char *startbuf; /* + * Reset SMB state. + */ +void +smb_reset(void) +{ + stringlen_is_set = 0; + stringlen = 0; +} + +/* * interpret a 32 bit dos packed date/time to some parameters */ static void @@ -649,6 +660,7 @@ smb_fdata1(netdissect_options *ndo, case 'b': ND_TCHECK_1(buf); stringlen = GET_U_1(buf); + stringlen_is_set = 1; ND_PRINT("%u", stringlen); buf += 1; break; @@ -658,6 +670,7 @@ smb_fdata1(netdissect_options *ndo, ND_TCHECK_2(buf); stringlen = reverse ? GET_BE_U_2(buf) : GET_LE_U_2(buf); + stringlen_is_set = 1; ND_PRINT("%u", stringlen); buf += 2; break; @@ -667,6 +680,7 @@ smb_fdata1(netdissect_options *ndo, ND_TCHECK_4(buf); stringlen = reverse ? GET_BE_U_4(buf) : GET_LE_U_4(buf); + stringlen_is_set = 1; ND_PRINT("%u", stringlen); buf += 4; break; @@ -723,6 +737,10 @@ smb_fdata1(netdissect_options *ndo, } case 'c': { + if (!stringlen_is_set) { + ND_PRINT("{stringlen not set}"); + goto trunc; + } ND_TCHECK_LEN(buf, stringlen); ND_PRINT("%-*.*s", (int)stringlen, (int)stringlen, buf); buf += stringlen; @@ -735,6 +753,10 @@ smb_fdata1(netdissect_options *ndo, { int result; + if (!stringlen_is_set) { + ND_PRINT("{stringlen not set}"); + goto trunc; + } result = unistr(ndo, &strbuf, buf, &stringlen, 0, unicodestr); ND_PRINT("%s", strbuf); if (result == -1) |
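Review bot: The `stringlen_is_set` guard added in the 'c' and 'C' cases is never cleared once the counted string has been consumed, so as far as these hunks show it only catches a packet whose format reaches a counted string before any `b`/`d`/`D` length field; a later `[c]`/`[C]` in the same packet that has no length field of its own still reuses the earlier count (which `unistr()` may already have changed through `&stringlen`), and `ND_TCHECK_LEN` only bounds that read to the capture, it does not make the printed output right. Unless some format string in smb.h deliberately reuses one count for two strings, I would reset the flag when the string is consumed: `stringlen_is_set = 0;` after `buf += stringlen;` in the 'c' case and after the `unistr()` call in the 'C' case. `smb_reset()` is non-static, so it presumably gets a prototype in smb.h and a call from print-smb.c before each request or response, but neither is in this diff and should be confirmed. Note also that the new error path jumps to `trunc`, so a malformed packet is reported the same way as a truncated capture; a comment such as `/* malformed: counted string with no preceding length field */` above the check would at least make that intent explicit. `smb_fdata1()` begins and ends outside these hunks.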