svn commit: samba r20362 - in branches: SAMBA_3_0/source/smbd SAMBA_3_0_24/source/smbd

jra at samba.org jra at samba.org
Wed Dec 27 18:51:10 GMT 2006


Author: jra
Date: 2006-12-27 18:51:09 +0000 (Wed, 27 Dec 2006)
New Revision: 20362

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=20362

Log:
Fix valgrind issues where we may read params
before checking length. Found by Volker.
Jeremy.

Modified:
   branches/SAMBA_3_0/source/smbd/trans2.c
   branches/SAMBA_3_0_24/source/smbd/trans2.c


Changeset:
Modified: branches/SAMBA_3_0/source/smbd/trans2.c
===================================================================
--- branches/SAMBA_3_0/source/smbd/trans2.c	2006-12-27 18:36:00 UTC (rev 20361)
+++ branches/SAMBA_3_0/source/smbd/trans2.c	2006-12-27 18:51:09 UTC (rev 20362)
@@ -1640,13 +1640,13 @@
 		requested. */
 	char *params = *pparams;
 	char *pdata = *ppdata;
-	uint32 dirtype = SVAL(params,0);
-	int maxentries = SVAL(params,2);
-	uint16 findfirst_flags = SVAL(params,4);
-	BOOL close_after_first = (findfirst_flags & FLAG_TRANS2_FIND_CLOSE);
-	BOOL close_if_end = (findfirst_flags & FLAG_TRANS2_FIND_CLOSE_IF_END);
-	BOOL requires_resume_key = (findfirst_flags & FLAG_TRANS2_FIND_REQUIRE_RESUME);
-	int info_level = SVAL(params,6);
+	uint32 dirtype;
+	int maxentries;
+	uint16 findfirst_flags;
+	BOOL close_after_first;
+	BOOL close_if_end;
+	BOOL requires_resume_key;
+	int info_level;
 	pstring directory;
 	pstring mask;
 	char *p;
@@ -1669,6 +1669,14 @@
 		return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
 	}
 
+	dirtype = SVAL(params,0);
+	maxentries = SVAL(params,2);
+	findfirst_flags = SVAL(params,4);
+	close_after_first = (findfirst_flags & FLAG_TRANS2_FIND_CLOSE);
+	close_if_end = (findfirst_flags & FLAG_TRANS2_FIND_CLOSE_IF_END);
+	requires_resume_key = (findfirst_flags & FLAG_TRANS2_FIND_REQUIRE_RESUME);
+	info_level = SVAL(params,6);
+
 	*directory = *mask = 0;
 
 	DEBUG(3,("call_trans2findfirst: dirtype = %x, maxentries = %d, close_after_first=%d, \
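Review bot: The assignments added at the top of this hunk carry no comment saying why they are separated from their declarations, and a future tidy-up that folds them back into initializers would silently reintroduce the unchecked read this commit removes; a one-line comment before `dirtype = SVAL(params,0);` such as `/* Read the parameter block only after total_params has been validated above. */` would pin the ordering. The guard these reads now depend on is outside the hunk (only its `return ERROR_NT(...)` and closing brace are visible), so its threshold cannot be confirmed here; the deferred reads touch offsets 0 through 7, so it needs to be at least 8 for this function, and the findnext hunk reads through offset 11 and then dereferences `params+12`, so it needs at least 12 there. The same comment applies to the findnext hunk in this file and to the two matching hunks in the SAMBA_3_0_24 copy of trans2.c. The enclosing function call_trans2findfirst begins before this hunk and continues after it.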
@@ -1908,15 +1916,15 @@
 		requested. */
 	char *params = *pparams;
 	char *pdata = *ppdata;
-	int dptr_num = SVAL(params,0);
-	int maxentries = SVAL(params,2);
-	uint16 info_level = SVAL(params,4);
-	uint32 resume_key = IVAL(params,6);
-	uint16 findnext_flags = SVAL(params,10);
-	BOOL close_after_request = (findnext_flags & FLAG_TRANS2_FIND_CLOSE);
-	BOOL close_if_end = (findnext_flags & FLAG_TRANS2_FIND_CLOSE_IF_END);
-	BOOL requires_resume_key = (findnext_flags & FLAG_TRANS2_FIND_REQUIRE_RESUME);
-	BOOL continue_bit = (findnext_flags & FLAG_TRANS2_FIND_CONTINUE);
+	int dptr_num;
+	int maxentries;
+	uint16 info_level;
+	uint32 resume_key;
+	uint16 findnext_flags;
+	BOOL close_after_request;
+	BOOL close_if_end;
+	BOOL requires_resume_key;
+	BOOL continue_bit;
 	BOOL mask_contains_wcard = False;
 	pstring resume_name;
 	pstring mask;
@@ -1937,6 +1945,16 @@
 		return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
 	}
 
+	dptr_num = SVAL(params,0);
+	maxentries = SVAL(params,2);
+	info_level = SVAL(params,4);
+	resume_key = IVAL(params,6);
+	findnext_flags = SVAL(params,10);
+	close_after_request = (findnext_flags & FLAG_TRANS2_FIND_CLOSE);
+	close_if_end = (findnext_flags & FLAG_TRANS2_FIND_CLOSE_IF_END);
+	requires_resume_key = (findnext_flags & FLAG_TRANS2_FIND_REQUIRE_RESUME);
+	continue_bit = (findnext_flags & FLAG_TRANS2_FIND_CONTINUE);
+
 	*mask = *directory = *resume_name = 0;
 
 	srvstr_get_path_wcard(inbuf, resume_name, params+12, sizeof(resume_name), -1, STR_TERMINATE, &ntstatus, &mask_contains_wcard);
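Review bot: The newly ordered reads are now guarded by the length check above, but the `srvstr_get_path_wcard(inbuf, resume_name, params+12, sizeof(resume_name), -1, ...)` call that immediately follows still passes `-1` as the source length rather than a bound derived from the validated parameter count. If `-1` makes the helper take its limit from the SMB buffer remaining in `inbuf` (not visible here), the read is still bounded, but deriving the limit from `total_params - 12` would make the parameter-block validation self-contained and independent of that helper's convention; this is worth confirming against the helper rather than changing blindly. The same call appears in the SAMBA_3_0_24 hunk at the same position. The enclosing call_trans2findnext function begins before this hunk and continues after it.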
@@ -2174,7 +2192,7 @@
 {
 	char *pdata = *ppdata;
 	char *params = *pparams;
-	uint16 info_level = SVAL(params,0);
+	uint16 info_level;
 	int data_len, len;
 	SMB_STRUCT_STAT st;
 	char *vname = volume_label(SNUM(conn));
@@ -2182,6 +2200,12 @@
 	char *fstype = lp_fstype(SNUM(conn));
 	int quota_flag = 0;
 
+	if (total_params < 2) {
+		return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+	}
+
+	info_level = SVAL(params,0);
+
 	DEBUG(3,("call_trans2qfsinfo: level = %d\n", info_level));
 
 	if(SMB_VFS_STAT(conn,".",&st)!=0) {
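Review bot: The literal `2` in the new `if (total_params < 2)` check is the size of the single 16-bit field read on the following `info_level = SVAL(params,0);` line, but nothing ties the two together for a reader; a brief comment such as `/* info_level is a 16-bit value at offset 0; reject requests too short to carry it. */` above the check would make the bound self-explanatory. This is a style point only; the check itself precedes the only read of `params` visible in the hunk. The same applies to the matching hunk in the SAMBA_3_0_24 copy. The enclosing call_trans2qfsinfo function begins before this hunk and continues after it.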

Modified: branches/SAMBA_3_0_24/source/smbd/trans2.c
===================================================================
--- branches/SAMBA_3_0_24/source/smbd/trans2.c	2006-12-27 18:36:00 UTC (rev 20361)
+++ branches/SAMBA_3_0_24/source/smbd/trans2.c	2006-12-27 18:51:09 UTC (rev 20362)
@@ -1640,13 +1640,13 @@
 		requested. */
 	char *params = *pparams;
 	char *pdata = *ppdata;
-	uint32 dirtype = SVAL(params,0);
-	int maxentries = SVAL(params,2);
-	uint16 findfirst_flags = SVAL(params,4);
-	BOOL close_after_first = (findfirst_flags & FLAG_TRANS2_FIND_CLOSE);
-	BOOL close_if_end = (findfirst_flags & FLAG_TRANS2_FIND_CLOSE_IF_END);
-	BOOL requires_resume_key = (findfirst_flags & FLAG_TRANS2_FIND_REQUIRE_RESUME);
-	int info_level = SVAL(params,6);
+	uint32 dirtype;
+	int maxentries;
+	uint16 findfirst_flags;
+	BOOL close_after_first;
+	BOOL close_if_end;
+	BOOL requires_resume_key;
+	int info_level;
 	pstring directory;
 	pstring mask;
 	char *p;
@@ -1669,6 +1669,14 @@
 		return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
 	}
 
+	dirtype = SVAL(params,0);
+	maxentries = SVAL(params,2);
+	findfirst_flags = SVAL(params,4);
+	close_after_first = (findfirst_flags & FLAG_TRANS2_FIND_CLOSE);
+	close_if_end = (findfirst_flags & FLAG_TRANS2_FIND_CLOSE_IF_END);
+	requires_resume_key = (findfirst_flags & FLAG_TRANS2_FIND_REQUIRE_RESUME);
+	info_level = SVAL(params,6);
+
 	*directory = *mask = 0;
 
 	DEBUG(3,("call_trans2findfirst: dirtype = %x, maxentries = %d, close_after_first=%d, \
@@ -1908,15 +1916,15 @@
 		requested. */
 	char *params = *pparams;
 	char *pdata = *ppdata;
-	int dptr_num = SVAL(params,0);
-	int maxentries = SVAL(params,2);
-	uint16 info_level = SVAL(params,4);
-	uint32 resume_key = IVAL(params,6);
-	uint16 findnext_flags = SVAL(params,10);
-	BOOL close_after_request = (findnext_flags & FLAG_TRANS2_FIND_CLOSE);
-	BOOL close_if_end = (findnext_flags & FLAG_TRANS2_FIND_CLOSE_IF_END);
-	BOOL requires_resume_key = (findnext_flags & FLAG_TRANS2_FIND_REQUIRE_RESUME);
-	BOOL continue_bit = (findnext_flags & FLAG_TRANS2_FIND_CONTINUE);
+	int dptr_num;
+	int maxentries;
+	uint16 info_level;
+	uint32 resume_key;
+	uint16 findnext_flags;
+	BOOL close_after_request;
+	BOOL close_if_end;
+	BOOL requires_resume_key;
+	BOOL continue_bit;
 	BOOL mask_contains_wcard = False;
 	pstring resume_name;
 	pstring mask;
@@ -1937,6 +1945,16 @@
 		return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
 	}
 
+	dptr_num = SVAL(params,0);
+	maxentries = SVAL(params,2);
+	info_level = SVAL(params,4);
+	resume_key = IVAL(params,6);
+	findnext_flags = SVAL(params,10);
+	close_after_request = (findnext_flags & FLAG_TRANS2_FIND_CLOSE);
+	close_if_end = (findnext_flags & FLAG_TRANS2_FIND_CLOSE_IF_END);
+	requires_resume_key = (findnext_flags & FLAG_TRANS2_FIND_REQUIRE_RESUME);
+	continue_bit = (findnext_flags & FLAG_TRANS2_FIND_CONTINUE);
+
 	*mask = *directory = *resume_name = 0;
 
 	srvstr_get_path_wcard(inbuf, resume_name, params+12, sizeof(resume_name), -1, STR_TERMINATE, &ntstatus, &mask_contains_wcard);
@@ -2174,7 +2192,7 @@
 {
 	char *pdata = *ppdata;
 	char *params = *pparams;
-	uint16 info_level = SVAL(params,0);
+	uint16 info_level;
 	int data_len, len;
 	SMB_STRUCT_STAT st;
 	char *vname = volume_label(SNUM(conn));
@@ -2182,6 +2200,12 @@
 	char *fstype = lp_fstype(SNUM(conn));
 	int quota_flag = 0;
 
+	if (total_params < 2) {
+		return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+	}
+
+	info_level = SVAL(params,0);
+
 	DEBUG(3,("call_trans2qfsinfo: level = %d\n", info_level));
 
 	if(SMB_VFS_STAT(conn,".",&st)!=0) {


