diff options
author | Volker Lendecke <vl@samba.org> | 2015-08-10 12:02:34 +0200 |
---|---|---|
committer | Michael Adam <obnox@samba.org> | 2015-08-14 13:56:49 +0200 |
commit | e6c8452093cd169958668543872fd4bc13755240 (patch) | |
tree | 020da7861cb73950fc12feb3a447138e6213a440 | |
parent | a431828460a8b069589662ad87e47c61c020eb9c (diff) | |
download | samba-e6c8452093cd169958668543872fd4bc13755240.tar.gz |
libcli: Use iov_buflen in smb2_signing.c
This gives us overflow protection.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Aug 14 13:56:49 CEST 2015 on sn-devel-104
-rw-r--r-- | libcli/smb/smb2_signing.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c index 489e18bbd11..b72355429ef 100644 --- a/libcli/smb/smb2_signing.c +++ b/libcli/smb/smb2_signing.c @@ -22,6 +22,7 @@ #include "system/filesys.h" #include "../libcli/smb/smb_common.h" #include "../lib/crypto/crypto.h" +#include "lib/util/iov_buf.h" NTSTATUS smb2_signing_sign_pdu(DATA_BLOB signing_key, enum protocol_types protocol, @@ -217,7 +218,7 @@ NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key, uint8_t sig[16]; int i; size_t a_total; - size_t m_total = 0; + ssize_t m_total; union { struct aes_ccm_128_context ccm; struct aes_gcm_128_context gcm; @@ -241,8 +242,10 @@ NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key, } a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE; - for (i=1; i < count; i++) { - m_total += vector[i].iov_len; + + m_total = iov_buflen(&vector[1], count-1); + if (m_total == -1) { + return NT_STATUS_BUFFER_TOO_SMALL; } SSVAL(tf, SMB2_TF_FLAGS, SMB2_TF_FLAGS_ENCRYPTED); @@ -311,7 +314,7 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key, uint8_t sig[16]; int i; size_t a_total; - size_t m_total = 0; + ssize_t m_total; uint32_t msg_size = 0; union { struct aes_ccm_128_context ccm; @@ -336,8 +339,10 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key, } a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE; - for (i=1; i < count; i++) { - m_total += vector[i].iov_len; + + m_total = iov_buflen(&vector[1], count-1); + if (m_total == -1) { + return NT_STATUS_BUFFER_TOO_SMALL; } flags = SVAL(tf, SMB2_TF_FLAGS); |