SMB: Add two missing bounds checks

[tcpdump] / print-smb.c

diff --git a/print-smb.c b/print-smb.c
index d12779d8a19bb7aebb2afde43412af9f1dde3589..9254b546019ad4c239f6f1b2dd66b1d134906797 100644 (file)
--- a/print-smb.c
+++ b/print-smb.c
@@ -374,15 +374,21 @@ print_trans(netdissect_options *ndo,
     if (bcc > 0) {
        smb_fdata(ndo, data1 + 2, f2, maxbuf - (paramlen + datalen), unicodestr);
 
-       if (strcmp((const char *)(data1 + 2), "\\MAILSLOT\\BROWSE") == 0) {
+#define MAILSLOT_BROWSE_STR "\\MAILSLOT\\BROWSE"
+       ND_TCHECK_LEN(data1 + 2, strlen(MAILSLOT_BROWSE_STR) + 1);
+       if (strcmp((const char *)(data1 + 2), MAILSLOT_BROWSE_STR) == 0) {
            print_browse(ndo, param, paramlen, data, datalen);
            return;
        }
+#undef MAILSLOT_BROWSE_STR
 
-       if (strcmp((const char *)(data1 + 2), "\\PIPE\\LANMAN") == 0) {
+#define PIPE_LANMAN_STR "\\PIPE\\LANMAN"
+       ND_TCHECK_LEN(data1 + 2, strlen(PIPE_LANMAN_STR) + 1);
+       if (strcmp((const char *)(data1 + 2), PIPE_LANMAN_STR) == 0) {
            print_ipc(ndo, param, paramlen, data, datalen);
            return;
        }
+#undef PIPE_LANMAN_STR
 
        if (paramlen)
            smb_fdata(ndo, param, f3, min(param + paramlen, maxbuf), unicodestr);
@@ -419,7 +425,7 @@ print_negprot(netdissect_options *ndo,
        smb_fdata(ndo, words + 1, f1, min(words + 1 + wct * 2, maxbuf),
            unicodestr);
     else
-       smb_data_print(ndo, words + 1, min(wct * 2, PTR_DIFF(maxbuf, words + 1)));
+       smb_data_print(ndo, words + 1, min(wct * 2, ND_BYTES_BETWEEN(maxbuf, words + 1)));
 
     ND_TCHECK_2(data);
     bcc = GET_LE_U_2(data);
@@ -430,7 +436,7 @@ print_negprot(netdissect_options *ndo,
                                              maxbuf), unicodestr);
        else
            smb_data_print(ndo, data + 2,
-                           min(GET_LE_U_2(data), PTR_DIFF(maxbuf, data + 2)));
+                           min(GET_LE_U_2(data), ND_BYTES_BETWEEN(maxbuf, data + 2)));
     }
     return;
 trunc:
@@ -464,7 +470,7 @@ print_sesssetup(netdissect_options *ndo,
        smb_fdata(ndo, words + 1, f1, min(words + 1 + wct * 2, maxbuf),
            unicodestr);
     else
-       smb_data_print(ndo, words + 1, min(wct * 2, PTR_DIFF(maxbuf, words + 1)));
+       smb_data_print(ndo, words + 1, min(wct * 2, ND_BYTES_BETWEEN(maxbuf, words + 1)));
 
     ND_TCHECK_2(data);
     bcc = GET_LE_U_2(data);
@@ -475,7 +481,7 @@ print_sesssetup(netdissect_options *ndo,
                                              maxbuf), unicodestr);
        else
            smb_data_print(ndo, data + 2,
-                           min(GET_LE_U_2(data), PTR_DIFF(maxbuf, data + 2)));
+                           min(GET_LE_U_2(data), ND_BYTES_BETWEEN(maxbuf, data + 2)));
     }
     return;
 trunc:
@@ -516,7 +522,7 @@ print_lockingandx(netdissect_options *ndo,
                                              maxbuf), unicodestr);
        else
            smb_data_print(ndo, data + 2,
-                           min(GET_LE_U_2(data), PTR_DIFF(maxbuf, data + 2)));
+                           min(GET_LE_U_2(data), ND_BYTES_BETWEEN(maxbuf, data + 2)));
     }
     return;
 trunc:
@@ -809,6 +815,8 @@ print_smb(netdissect_options *ndo,
         "[P4]SMB Command   =  [B]\nError class   =  [BP1]\nError code    =  [u]\nFlags1        =  [B]\nFlags2        =  [B][P13]\nTree ID       =  [u]\nProc ID       =  [u]\nUID           =  [u]\nMID           =  [u]\nWord Count    =  [b]\n";
     u_int smboffset;
 
+    ndo->ndo_protocol = "smb";
+
     ND_TCHECK_1(buf + 9);
     request = (GET_U_1(buf + 9) & 0x80) ? 0 : 1;
     startbuf = buf;
@@ -865,6 +873,7 @@ print_smb(netdissect_options *ndo,
            f2 = fn->descript.rep_f2;
        }
 
+       smb_reset();
        if (fn->descript.fn)
            (*fn->descript.fn)(ndo, words, data, buf, maxbuf);
        else {
@@ -892,7 +901,7 @@ print_smb(netdissect_options *ndo,
            } else {
                if (bcc > 0) {
                    ND_PRINT("smb_buf[]=\n");
-                   smb_data_print(ndo, data + 2, min(bcc, PTR_DIFF(maxbuf, data + 2)));
+                   smb_data_print(ndo, data + 2, min(bcc, ND_BYTES_BETWEEN(maxbuf, data + 2)));
                }
            }
        }