libcli/smb: assert that smb2_signing_{sign,check}_pdu() gets 2-4 iovec elements

We expect the following:

* SMB2 HDR
* SMB2 BODY FIXED
* (optional) SMB2 BODY DYN
* (optional) PADDING

Everything else is a bug.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
index 6da289dc4342174d817e08a8119cdad7f3a1079b..6c48cdb73d4c0e56546fe620e6d6dfd45d78ee75 100644 (file)
--- a/libcli/smb/smb2_signing.c
+++ b/libcli/smb/smb2_signing.c
@@ -73,8 +73,16 @@ static NTSTATUS smb2_signing_calc_signature(struct smb2_signing_key *signing_key
        gnutls_mac_algorithm_t hmac_algo = GNUTLS_MAC_UNKNOWN;
        int i;
 
+       /*
+        * We expect
+        * - SMB2 HDR
+        * - SMB2 BODY FIXED
+        * - (optional) SMB2 BODY DYN
+        * - (optional) PADDING
+        */
        SMB_ASSERT(count >= 2);
        SMB_ASSERT(vector[0].iov_len == SMB2_HDR_BODY);
+       SMB_ASSERT(count <= 4);
 
        switch (sign_algo_id) {
        case SMB2_SIGNING_AES128_CMAC:
@@ -171,13 +179,16 @@ NTSTATUS smb2_signing_sign_pdu(struct smb2_signing_key *signing_key,
        uint8_t res[16];
        int i;
 
-       if (count < 2) {
-               return NT_STATUS_INVALID_PARAMETER;
-       }
-
-       if (vector[0].iov_len != SMB2_HDR_BODY) {
-               return NT_STATUS_INVALID_PARAMETER;
-       }
+       /*
+        * We expect
+        * - SMB2 HDR
+        * - SMB2 BODY FIXED
+        * - (optional) SMB2 BODY DYN
+        * - (optional) PADDING
+        */
+       SMB_ASSERT(count >= 2);
+       SMB_ASSERT(vector[0].iov_len == SMB2_HDR_BODY);
+       SMB_ASSERT(count <= 4);
 
        hdr = (uint8_t *)vector[0].iov_base;
 
@@ -288,8 +299,16 @@ NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key,
        uint8_t res[16];
        NTSTATUS status;
 
+       /*
+        * We expect
+        * - SMB2 HDR
+        * - SMB2 BODY FIXED
+        * - (optional) SMB2 BODY DYN
+        * - (optional) PADDING
+        */
        SMB_ASSERT(count >= 2);
        SMB_ASSERT(vector[0].iov_len == SMB2_HDR_BODY);
+       SMB_ASSERT(count <= 4);
 
        hdr = (const uint8_t *)vector[0].iov_base;