X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/daa343d8e215a6704ee37399a77a70133df51e01..1a1ac1d6947a7d2f1f50f45c21d8851d0af66575:/smbutil.c diff --git a/smbutil.c b/smbutil.c index 69d29c66..a8203bf6 100644 --- a/smbutil.c +++ b/smbutil.c @@ -16,13 +16,26 @@ #include #include +#include "netdissect-ctype.h" + #include "netdissect.h" #include "extract.h" #include "smb.h" +static int stringlen_is_set; static uint32_t stringlen; extern const u_char *startbuf; +/* + * Reset SMB state. + */ +void +smb_reset(void) +{ + stringlen_is_set = 0; + stringlen = 0; +} + /* * interpret a 32 bit dos packed date/time to some parameters */ @@ -340,15 +353,14 @@ write_bits(netdissect_options *ndo, /* convert a UCS-2 string into an ASCII string */ #define MAX_UNISTR_SIZE 1000 -static int +static const u_char * unistr(netdissect_options *ndo, char (*buf)[MAX_UNISTR_SIZE+1], - const u_char *s, uint32_t *len, int is_null_terminated, int use_unicode) + const u_char *s, uint32_t strsize, int is_null_terminated, + int use_unicode) { u_int c; size_t l = 0; - uint32_t strsize; const u_char *sp; - int padding = 0; if (use_unicode) { /* @@ -357,7 +369,6 @@ unistr(netdissect_options *ndo, char (*buf)[MAX_UNISTR_SIZE+1], if (((s - startbuf) % 2) != 0) { ND_TCHECK_1(s); s++; - padding++; } } if (is_null_terminated) { @@ -370,29 +381,22 @@ unistr(netdissect_options *ndo, char (*buf)[MAX_UNISTR_SIZE+1], if (!use_unicode) { for (;;) { ND_TCHECK_1(sp); - *len += 1; - if (GET_U_1(sp) == 0) - break; + c = GET_U_1(sp); sp++; + strsize++; + if (c == '\0') + break; } - strsize = *len - 1; } else { for (;;) { ND_TCHECK_2(sp); - *len += 2; - if (GET_U_1(sp) == 0 && GET_U_1(sp + 1) == 0) - break; + c = GET_LE_U_2(sp); sp += 2; + strsize += 2; + if (c == '\0') + break; } - strsize = *len - 2; } - *len += padding; - } else { - /* - * Counted string. - */ - strsize = *len; - *len += padding; } if (!use_unicode) { while (strsize != 0) { 
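Review bot: The new `stringlen_is_set` flag and the existing `stringlen` are file-scope state that one format item sets (the cases that read a 1-, 2- or 4-byte length in the later hunks) and a later 'c'/'C' item consumes, and the only thing that clears them is the new smb_reset(), whose caller is not in this diff; if it is not run once per packet before smb_fdata(), a 'c'/'C' item can pick up a length left behind by a previous packet. A comment at the declarations would make that contract visible, e.g. `/* Length for the next 'c'/'C' format item, set by the preceding length item; both are cleared by smb_reset(), which must run once per packet. */`. Worth confirming at the call site that smb_reset() is reached on every entry into the SMB dissector, including paths that bail out early.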
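Review bot: The new unistr() signature changes the meaning of its fourth argument and of its return value without updating the one-line comment above it: `strsize` is now a by-value byte count that only matters for counted strings, and the function returns a pointer past the string, or NULL on truncation, instead of 0/-1. Because the null-terminated scan later in the function accumulates into `strsize` (`strsize++` / `strsize += 2`) rather than starting from zero, a caller that passes a non-zero value together with `is_null_terminated` would have the copy loop run past the terminator; every caller in this diff passes 0, so this is a contract to state rather than a bug today. I'd replace the comment with a header saying that s points at the string, strsize is the byte count of a counted string and must be 0 when is_null_terminated is non-zero, the decoded text is stored NUL-terminated in *buf with at most MAX_UNISTR_SIZE characters and non-printables replaced by '.', and the return is the first byte after the string or NULL if the packet was truncated. A cheap guard that enforces the precondition is `if (is_null_terminated) strsize = 0;` before the scan.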
@@ -411,12 +415,14 @@ unistr(netdissect_options *ndo, char (*buf)[MAX_UNISTR_SIZE+1], * skipping past it. */ ND_TCHECK_LEN(s, strsize); + s += strsize; + strsize = 0; break; } if (l < MAX_UNISTR_SIZE) { - if (ND_ISPRINT(c)) { + if (ND_ASCII_ISPRINT(c)) { /* It's a printable ASCII character */ - (*buf)[l] = c; + (*buf)[l] = (char)c; } else { /* It's a non-ASCII character or a non-printable ASCII character */ (*buf)[l] = '.'; @@ -441,12 +447,14 @@ unistr(netdissect_options *ndo, char (*buf)[MAX_UNISTR_SIZE+1], * skipping past it. */ ND_TCHECK_LEN(s, strsize); + s += strsize; + strsize = 0; break; } if (l < MAX_UNISTR_SIZE) { - if (ND_ISPRINT(c)) { + if (ND_ASCII_ISPRINT(c)) { /* It's a printable ASCII character */ - (*buf)[l] = c; + (*buf)[l] = (char)c; } else { /* It's a non-ASCII character or a non-printable ASCII character */ (*buf)[l] = '.'; @@ -461,11 +469,11 @@ unistr(netdissect_options *ndo, char (*buf)[MAX_UNISTR_SIZE+1], } } (*buf)[l] = 0; - return 0; + return s; trunc: (*buf)[l] = 0; - return -1; + return NULL; } static const u_char * @@ -520,7 +528,7 @@ smb_fdata1(netdissect_options *ndo, ND_TCHECK_LEN(buf, l); buf += l; fmt++; - while (isdigit((unsigned char)*fmt)) + while (ND_ASCII_ISDIGIT(*fmt)) fmt++; break; } @@ -649,6 +657,7 @@ smb_fdata1(netdissect_options *ndo, case 'b': ND_TCHECK_1(buf); stringlen = GET_U_1(buf); + stringlen_is_set = 1; ND_PRINT("%u", stringlen); buf += 1; break; @@ -658,6 +667,7 @@ smb_fdata1(netdissect_options *ndo, ND_TCHECK_2(buf); stringlen = reverse ? GET_BE_U_2(buf) : GET_LE_U_2(buf); + stringlen_is_set = 1; ND_PRINT("%u", stringlen); buf += 2; break; @@ -667,6 +677,7 @@ smb_fdata1(netdissect_options *ndo, ND_TCHECK_4(buf); stringlen = reverse ? GET_BE_U_4(buf) : GET_LE_U_4(buf); + stringlen_is_set = 1; ND_PRINT("%u", stringlen); buf += 4; break; 
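Review bot: The swap from ND_ISPRINT()/isdigit() to ND_ASCII_ISPRINT()/ND_ASCII_ISDIGIT() in the two unistr() copy loops and at the `while (ND_ASCII_ISDIGIT(*fmt))` sites (also in the hunks headed @@ -717, @@ -752, @@ -785 and @@ -834) drops the `(unsigned char)` cast the old code applied to `*fmt`, and the second loop now feeds ND_ASCII_ISPRINT() a 16-bit UCS-2 code unit. Both are only safe if the macros in netdissect-ctype.h are written as range comparisons on the full value rather than as a table lookup; the header is not in this diff, so I'd confirm that before merging. If they are range comparisons, a one-line comment at the UCS-2 loop, `/* code units above 0x7E are not printable ASCII and become '.' */`, would explain why a 16-bit value is passed to an ASCII test.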
@@ -678,35 +689,25 @@ smb_fdata1(netdissect_options *ndo, case 'R': /* like 'S', but always ASCII */ { /*XXX unistr() */ - uint32_t len; - int result; - - len = 0; - result = unistr(ndo, &strbuf, buf, &len, 1, (*fmt == 'R') ? 0 : unicodestr); + buf = unistr(ndo, &strbuf, buf, 0, 1, (*fmt == 'R') ? 0 : unicodestr); ND_PRINT("%s", strbuf); - if (result == -1) + if (buf == NULL) goto trunc; - buf += len; fmt++; break; } case 'Z': case 'Y': /* like 'Z', but always ASCII */ { - uint32_t len; - int result; - ND_TCHECK_1(buf); if (GET_U_1(buf) != 4 && GET_U_1(buf) != 2) { ND_PRINT("Error! ASCIIZ buffer of type %u", GET_U_1(buf)); return maxbuf; /* give up */ } - len = 0; - result = unistr(ndo, &strbuf, buf + 1, &len, 1, (*fmt == 'Y') ? 0 : unicodestr); + buf = unistr(ndo, &strbuf, buf + 1, 0, 1, (*fmt == 'Y') ? 0 : unicodestr); ND_PRINT("%s", strbuf); - if (result == -1) + if (buf == NULL) goto trunc; - buf += len + 1; fmt++; break; } @@ -717,29 +718,34 @@ smb_fdata1(netdissect_options *ndo, ND_PRINT("%-*.*s", l, l, buf); buf += l; fmt++; - while (isdigit((unsigned char)*fmt)) + while (ND_ASCII_ISDIGIT(*fmt)) fmt++; break; } case 'c': { + if (!stringlen_is_set) { + ND_PRINT("{stringlen not set}"); + goto trunc; + } ND_TCHECK_LEN(buf, stringlen); ND_PRINT("%-*.*s", (int)stringlen, (int)stringlen, buf); buf += stringlen; fmt++; - while (isdigit((unsigned char)*fmt)) + while (ND_ASCII_ISDIGIT(*fmt)) fmt++; break; } case 'C': { - int result; - - result = unistr(ndo, &strbuf, buf, &stringlen, 0, unicodestr); + if (!stringlen_is_set) { + ND_PRINT("{stringlen not set}"); + goto trunc; + } + buf = unistr(ndo, &strbuf, buf, stringlen, 0, unicodestr); ND_PRINT("%s", strbuf); - if (result == -1) + if (buf == NULL) goto trunc; - buf += stringlen; fmt++; break; } @@ -752,7 +758,7 @@ smb_fdata1(netdissect_options *ndo, buf++; } fmt++; - while (isdigit((unsigned char)*fmt)) + while (ND_ASCII_ISDIGIT(*fmt)) fmt++; break; } 
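Review bot: The new `if (!stringlen_is_set)` guard in the 'c' and 'C' cases reports a format-string mistake (no length item before the string item) through `goto trunc`, so a dissector bug is reported the same way as a short capture; the 'Z' case in the previous hunk already uses `return maxbuf; /* give up */` for a malformed item, and the same exit here would keep the two error styles consistent: `ND_PRINT("{stringlen not set}"); return maxbuf;`. The check is also pasted verbatim into both cases, so the message and the exit path should at least be kept identical if they stay inline. I can't see what the `trunc` label prints from this hunk; if it returns NULL without printing a truncation marker, the first point is moot.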
@@ -785,7 +791,7 @@ smb_fdata1(netdissect_options *ndo, break; } fmt++; - while (isdigit((unsigned char)*fmt)) + while (ND_ASCII_ISDIGIT(*fmt)) fmt++; break; } @@ -834,7 +840,7 @@ smb_fdata1(netdissect_options *ndo, tstring = "NULL\n"; ND_PRINT("%s", tstring); fmt++; - while (isdigit((unsigned char)*fmt)) + while (ND_ASCII_ISDIGIT(*fmt)) fmt++; break; } @@ -867,11 +873,26 @@ smb_fdata(netdissect_options *ndo, while (*fmt) { switch (*fmt) { case '*': + /* + * List of multiple instances of something described by the + * remainder of the string (which may itself include a list + * of multiple instances of something, so we recurse). + */ fmt++; while (buf < maxbuf) { const u_char *buf2; depth++; - buf2 = smb_fdata(ndo, buf, fmt, maxbuf, unicodestr); + /* + * In order to avoid stack exhaustion recurse at most 10 + * levels; that "should not happen", as no SMB structure + * should be nested *that* deeply, and we thus shouldn't + * have format strings with that level of nesting. + */ + if (depth == 10) { + ND_PRINT("(too many nested levels, not recursing)"); + buf2 = buf; + } else + buf2 = smb_fdata(ndo, buf, fmt, maxbuf, unicodestr); depth--; if (buf2 == NULL) return(NULL); @@ -882,22 +903,35 @@ smb_fdata(netdissect_options *ndo, return(buf); case '|': + /* + * Just do a bounds check. + */ fmt++; if (buf >= maxbuf) return(buf); break; case '%': + /* + * XXX - unused? + */ fmt++; buf = maxbuf; break; case '#': + /* + * Done? + */ fmt++; return(buf); break; case '[': + /* + * Format of an item, enclosed in square brackets; dissect + * the item with smb_fdata1(). + */ fmt++; if (buf >= maxbuf) return(buf); @@ -925,6 +959,9 @@ smb_fdata(netdissect_options *ndo, break; default: + /* + * Not a formatting character, so just print it. + */ ND_PRINT("%c", *fmt); fmt++; break; 
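Review bot: The recursion guard `if (depth == 10)` in smb_fdata()'s '*' case tests equality against a bare literal, and `depth` is not declared in this hunk, so it appears to be file-scope state; if any path between `depth++` and `depth--` leaves the function without the decrement (a truncation that longjmps out, for instance — I can't tell from here whether this dissector does that), `depth` drifts upward and an equality test stops firing, whereas `>=` keeps working. I'd write `if (depth >= SMB_FDATA_MAX_DEPTH)` with a named constant (name to taste) defined next to the other file-scope definitions, and if `depth` is indeed file-scope, clear it in smb_reset() as well. The fallback assigns `buf2 = buf`, which is only safe if the rest of the while loop, outside this hunk, treats `buf2 == buf` as "no progress" and returns rather than iterating again on the same `buf`; worth checking the tail of that loop.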
@@ -1070,17 +1107,17 @@ smb_errstr(int class, int num) const err_code_struct *err = err_classes[i].err_msgs; for (j = 0; err[j].name; j++) if (num == err[j].code) { - nd_snprintf(ret, sizeof(ret), "%s - %s (%s)", + snprintf(ret, sizeof(ret), "%s - %s (%s)", err_classes[i].class, err[j].name, err[j].message); return ret; } } - nd_snprintf(ret, sizeof(ret), "%s - %d", err_classes[i].class, num); + snprintf(ret, sizeof(ret), "%s - %d", err_classes[i].class, num); return ret; } - nd_snprintf(ret, sizeof(ret), "ERROR: Unknown error (%d,%d)", class, num); + snprintf(ret, sizeof(ret), "ERROR: Unknown error (%d,%d)", class, num); return(ret); } @@ -1961,6 +1998,6 @@ nt_errstr(uint32_t err) return nt_errors[i].name; } - nd_snprintf(ret, sizeof(ret), "0x%08x", err); + snprintf(ret, sizeof(ret), "0x%08x", err); return ret; }