svn commit: samba r6268 - in trunk/source/smbd: .

jra at samba.org jra at samba.org
Sun Apr 10 06:57:46 GMT 2005


Author: jra
Date: 2005-04-10 06:57:46 +0000 (Sun, 10 Apr 2005)
New Revision: 6268

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=6268

Log:
With help from Marcel Müller <mueller at maazl.de> in tracking down the bug,
fix trans2 and nttrans secondary packet processing. We were being too strict checking
the incoming packet (by 1 byte).
Jeremy.

Modified:
   trunk/source/smbd/nttrans.c
   trunk/source/smbd/trans2.c


Changeset:
Modified: trunk/source/smbd/nttrans.c
===================================================================
--- trunk/source/smbd/nttrans.c	2005-04-10 04:27:18 UTC (rev 6267)
+++ trunk/source/smbd/nttrans.c	2005-04-10 06:57:46 UTC (rev 6268)
@@ -2946,6 +2946,9 @@
 
 			ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
 
+			/* We need to re-calcuate the new length after we've read the secondary packet. */
+			length = smb_len(inbuf) + 4;
+
 			/*
 			 * The sequence number for the trans reply is always
 			 * based on the last secondary received.
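Review bot: The recomputed `length = smb_len(inbuf) + 4;` is read out of the buffer before the `ret` from receive_next_smb() is examined and is never compared against bufsize, so the later `> inbuf + length` bound checks trust whatever length field arrived in the secondary packet. Unless receive_next_smb() itself guarantees smb_len(inbuf) + 4 <= bufsize — the enclosing loop starts and ends outside this hunk, so I cannot see whether it does — a guard directly after the assignment, `if (length > bufsize) goto bad_param;`, would keep the subsequent pointer comparisons inside the buffer. The same applies to the trans2.c hunk at @@ -4885. The added comment also misspells "recalculate".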
@@ -2993,7 +2996,7 @@
 					goto bad_param;
 				if (parameter_displacement > total_parameter_count)
 					goto bad_param;
-				if ((smb_base(inbuf) + parameter_offset + parameter_count >= inbuf + bufsize) ||
+				if ((smb_base(inbuf) + parameter_offset + parameter_count > inbuf + length) ||
 						(smb_base(inbuf) + parameter_offset + parameter_count < smb_base(inbuf)))
 					goto bad_param;
 				if (parameter_displacement + params < params)
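Review bot: The rewritten upper-bound test still forms the pointer `smb_base(inbuf) + parameter_offset + parameter_count` before checking it, and the `< smb_base(inbuf)` clause only catches the case where that pointer wrapped around; C gives no guarantee that an out-of-range pointer wraps, and an optimizer is free to treat the comparison as always false. Doing the arithmetic on integers avoids creating the out-of-range pointer at all, e.g. `if (parameter_offset > length || parameter_count > length - parameter_offset) goto bad_param;` with length adjusted for the smb_base(inbuf) - inbuf header offset, which this hunk does not show. The same pattern is in the data_offset/data_count test of the @@ -3010 hunk and in the param_off/num_params and data_off/num_data tests of the trans2.c hunks at @@ -4932 and @@ -4948. The enclosing loop body starts and ends outside the hunk.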
@@ -3010,7 +3013,7 @@
 					goto bad_param;
 				if (data_displacement > total_data_count)
 					goto bad_param;
-				if ((smb_base(inbuf) + data_offset + data_count >= inbuf + bufsize) ||
+				if ((smb_base(inbuf) + data_offset + data_count > inbuf + length) ||
 						(smb_base(inbuf) + data_offset + data_count < smb_base(inbuf)))
 					goto bad_param;
 				if (data_displacement + data < data)

Modified: trunk/source/smbd/trans2.c
===================================================================
--- trunk/source/smbd/trans2.c	2005-04-10 04:27:18 UTC (rev 6267)
+++ trunk/source/smbd/trans2.c	2005-04-10 06:57:46 UTC (rev 6268)
@@ -4885,6 +4885,9 @@
 			unsigned int data_off;
 
 			ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
+
+			/* We need to re-calcuate the new length after we've read the secondary packet. */
+			length = smb_len(inbuf) + 4;
 			
 			/*
 			 * The sequence number for the trans reply is always
@@ -4932,7 +4935,7 @@
 					goto bad_param;
 				if (param_disp > total_params)
 					goto bad_param;
-				if ((smb_base(inbuf) + param_off + num_params >= inbuf + bufsize) ||
+				if ((smb_base(inbuf) + param_off + num_params > inbuf + length) ||
 						(smb_base(inbuf) + param_off + num_params < smb_base(inbuf)))
 					goto bad_param;
 				if (params + param_disp < params)
@@ -4948,7 +4951,7 @@
 					goto bad_param;
 				if (data_disp > total_data)
 					goto bad_param;
-				if ((smb_base(inbuf) + data_off + num_data >= inbuf + bufsize) ||
+				if ((smb_base(inbuf) + data_off + num_data > inbuf + length) ||
 						(smb_base(inbuf) + data_off + num_data < smb_base(inbuf)))
 					goto bad_param;
 				if (data + data_disp < data)


