svn commit: samba r16705 - in branches/SAMBA_4_0/source: libcli/smb2 smb_server/smb2

metze at samba.org metze at samba.org
Thu Jun 29 23:11:08 GMT 2006


Author: metze
Date: 2006-06-29 23:11:07 +0000 (Thu, 29 Jun 2006)
New Revision: 16705

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=16705

Log:
fix a bug found by valgrind...
as we set up the 1 padding byte for a non-present dynamic part,
we need to overwrite it when we're getting a real dynamic part,
so we need to remove the buf->size +=1 when we do the first
push to the dynamic part (when buf->dynamic is still buf->body + buf->body_fixed)

metze
Modified:
   branches/SAMBA_4_0/source/libcli/smb2/request.c
   branches/SAMBA_4_0/source/libcli/smb2/smb2.h
   branches/SAMBA_4_0/source/libcli/smb2/transport.c
   branches/SAMBA_4_0/source/smb_server/smb2/receive.c


Changeset:
Modified: branches/SAMBA_4_0/source/libcli/smb2/request.c
===================================================================
--- branches/SAMBA_4_0/source/libcli/smb2/request.c	2006-06-29 22:44:04 UTC (rev 16704)
+++ branches/SAMBA_4_0/source/libcli/smb2/request.c	2006-06-29 23:11:07 UTC (rev 16705)
@@ -69,6 +69,7 @@
 
 	req->out.hdr       = req->out.buffer + NBT_HDR_SIZE;
 	req->out.body      = req->out.hdr + SMB2_HDR_BODY;
+	req->out.body_fixed= body_fixed_size;
 	req->out.body_size = body_fixed_size;
 	req->out.dynamic   = (body_dynamic_size ? req->out.body + body_fixed_size : NULL);
 
@@ -198,6 +199,14 @@
 	return n - (offset & (n-1));
 }
 
+static size_t smb2_padding_fix(struct smb2_request_buffer *buf)
+{
+	if (buf->dynamic == (buf->body + buf->body_fixed)) {
+		return 1;
+	}
+	return 0;
+}
+
 /*
   grow a SMB2 buffer by the specified amount
 */
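Review bot: smb2_padding_fix() has no comment and its name does not say what it detects: it returns 1 only while buf->dynamic still equals body + body_fixed, i.e. before any dynamic data has been pushed, so that the push functions can stop counting the padding byte reserved for an empty dynamic part. Because the test is positional, a push that does not advance buf->dynamic (a zero-length blob with zero padding, if such a call can reach the push functions — that filtering is outside this hunk) would leave the condition true and the following push would subtract the byte a second time; a boolean set once by the first push would not have that failure mode. I would at least add above the function: `/* 1 while no dynamic data has been pushed yet: the byte reserved for an empty dynamic part is about to be overwritten and must not be counted again */`.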
@@ -261,6 +270,7 @@
 	NTSTATUS status;
 	size_t offset;
 	size_t padding_length;
+	size_t padding_fix;
 	uint8_t *ptr = buf->body+ofs;
 
 	if (buf->dynamic == NULL) {
@@ -286,6 +296,7 @@
 	offset = buf->dynamic - buf->hdr;
 	padding_length = smb2_padding_size(offset, 2);
 	offset += padding_length;
+	padding_fix = smb2_padding_fix(buf);
 
 	SSVAL(ptr, 0, offset);
 	SSVAL(ptr, 2, blob.length);
@@ -299,8 +310,8 @@
 	memcpy(buf->dynamic, blob.data, blob.length);
 	buf->dynamic += blob.length;
 
-	buf->size += blob.length + padding_length;
-	buf->body_size += blob.length + padding_length;
+	buf->size += blob.length + padding_length - padding_fix;
+	buf->body_size += blob.length + padding_length - padding_fix;
 
 	return NT_STATUS_OK;
 }
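Review bot: The size correction `buf->size += blob.length + padding_length - padding_fix;` is applied identically in four push functions (this hunk and the ones ending at L105-106, L132-133 and L159-160) with nothing at the site explaining the subtraction. A one-line comment above the two accounting lines, such as `/* the first dynamic push overwrites the padding byte reserved for an empty dynamic part, so it must not be counted twice */`, would carry the intent; a small static helper that advances buf->dynamic and updates buf->size and buf->body_size together would stop the four copies from drifting apart. If the operands are all unsigned (padding_fix is size_t), the intermediate wraps when both lengths are zero; the final value after `+=` is still correct modulo the type width, but it deserves a remark. The enclosing push function starts before the hunk.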
@@ -317,6 +328,7 @@
 	NTSTATUS status;
 	size_t offset;
 	size_t padding_length;
+	size_t padding_fix;
 	uint8_t *ptr = buf->body+ofs;
 
 	if (buf->dynamic == NULL) {
@@ -337,6 +349,7 @@
 	offset = buf->dynamic - buf->hdr;
 	padding_length = smb2_padding_size(offset, 2);
 	offset += padding_length;
+	padding_fix = smb2_padding_fix(buf);
 
 	SSVAL(ptr, 0, offset);
 	SIVAL(ptr, 2, blob.length);
@@ -350,8 +363,8 @@
 	memcpy(buf->dynamic, blob.data, blob.length);
 	buf->dynamic += blob.length;
 
-	buf->size += blob.length + padding_length;
-	buf->body_size += blob.length + padding_length;
+	buf->size += blob.length + padding_length - padding_fix;
+	buf->body_size += blob.length + padding_length - padding_fix;
 
 	return NT_STATUS_OK;
 }
@@ -368,6 +381,7 @@
 	NTSTATUS status;
 	size_t offset;
 	size_t padding_length;
+	size_t padding_fix;
 	uint8_t *ptr = buf->body+ofs;
 
 	if (buf->dynamic == NULL) {
@@ -388,6 +402,7 @@
 	offset = buf->dynamic - buf->hdr;
 	padding_length = smb2_padding_size(offset, 8);
 	offset += padding_length;
+	padding_fix = smb2_padding_fix(buf);
 
 	SIVAL(ptr, 0, offset);
 	SIVAL(ptr, 4, blob.length);
@@ -401,8 +416,8 @@
 	memcpy(buf->dynamic, blob.data, blob.length);
 	buf->dynamic += blob.length;
 
-	buf->size += blob.length + padding_length;
-	buf->body_size += blob.length + padding_length;
+	buf->size += blob.length + padding_length - padding_fix;
+	buf->body_size += blob.length + padding_length - padding_fix;
 
 	return NT_STATUS_OK;
 }
@@ -419,6 +434,7 @@
 	NTSTATUS status;
 	size_t offset;
 	size_t padding_length;
+	size_t padding_fix;
 	uint8_t *ptr = buf->body+ofs;
 
 	if (buf->dynamic == NULL) {
@@ -439,6 +455,7 @@
 	offset = buf->dynamic - buf->hdr;
 	padding_length = smb2_padding_size(offset, 8);
 	offset += padding_length;
+	padding_fix = smb2_padding_fix(buf);
 
 	SIVAL(ptr, 0, blob.length);
 	SIVAL(ptr, 4, offset);
@@ -452,8 +469,8 @@
 	memcpy(buf->dynamic, blob.data, blob.length);
 	buf->dynamic += blob.length;
 
-	buf->size += blob.length + padding_length;
-	buf->body_size += blob.length + padding_length;
+	buf->size += blob.length + padding_length - padding_fix;
+	buf->body_size += blob.length + padding_length - padding_fix;
 
 	return NT_STATUS_OK;
 }

Modified: branches/SAMBA_4_0/source/libcli/smb2/smb2.h
===================================================================
--- branches/SAMBA_4_0/source/libcli/smb2/smb2.h	2006-06-29 22:44:04 UTC (rev 16704)
+++ branches/SAMBA_4_0/source/libcli/smb2/smb2.h	2006-06-29 23:11:07 UTC (rev 16705)
@@ -87,6 +87,7 @@
 	
 	/* the packet body */
 	uint8_t *body;
+	size_t body_fixed;
 	size_t body_size;
 
 	/* this point to the next dynamic byte that can be used
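Review bot: The new `body_fixed` member is the only one in this group without a comment, while `body` just above carries `/* the packet body */`. Since request.c and receive.c now assign it at buffer setup and transport.c and receive.c derive it from the wire buffer code, and the push helpers compare `dynamic` against `body + body_fixed`, I would document it in place: `/* size of the fixed part of the body; the dynamic part, if any, starts at body + body_fixed */`. The struct definition continues beyond the hunk.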

Modified: branches/SAMBA_4_0/source/libcli/smb2/transport.c
===================================================================
--- branches/SAMBA_4_0/source/libcli/smb2/transport.c	2006-06-29 22:44:04 UTC (rev 16704)
+++ branches/SAMBA_4_0/source/libcli/smb2/transport.c	2006-06-29 23:11:07 UTC (rev 16705)
@@ -193,10 +193,11 @@
 	}
 
 	buffer_code = SVAL(req->in.body, 0);
+	req->in.body_fixed = (buffer_code & ~1);
 	req->in.dynamic = NULL;
-	dynamic_size = req->in.body_size - (buffer_code & ~1);
+	dynamic_size = req->in.body_size - req->in.body_fixed;
 	if (dynamic_size != 0 && (buffer_code & 1)) {
-		req->in.dynamic = req->in.body + (buffer_code & ~1);
+		req->in.dynamic = req->in.body + req->in.body_fixed;
 		if (smb2_oob(&req->in, req->in.dynamic, dynamic_size)) {
 			DEBUG(1,("SMB2 request invalid dynamic size 0x%x\n", 
 				 dynamic_size));
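Review bot: `req->in.body_fixed = (buffer_code & ~1);` stores a value taken straight from the wire without comparing it to `req->in.body_size`; when the low bit of the buffer code is clear, or dynamic_size comes out as zero, the smb2_oob() check below is skipped, so a body_fixed larger than the body is retained in req->in for later callers, and `req->in.body_size - req->in.body_fixed` underflows (dynamic_size is printed with 0x%x, so presumably unsigned). The subtraction is pre-existing, but the commit now persists the unvalidated value. Unless an earlier check outside the hunk already bounds the buffer code, I would reject the packet before deriving dynamic_size, e.g. `if (req->in.body_fixed > req->in.body_size) { DEBUG(1,("SMB2 request invalid body_fixed 0x%x\n", (unsigned)req->in.body_fixed)); }` followed by the same error path the oob case takes. The same applies to the receive.c hunk at L209-222. The enclosing function extends beyond the hunk.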

Modified: branches/SAMBA_4_0/source/smb_server/smb2/receive.c
===================================================================
--- branches/SAMBA_4_0/source/smb_server/smb2/receive.c	2006-06-29 22:44:04 UTC (rev 16704)
+++ branches/SAMBA_4_0/source/smb_server/smb2/receive.c	2006-06-29 23:11:07 UTC (rev 16705)
@@ -60,6 +60,7 @@
 
 	req->out.hdr		= req->out.buffer	+ NBT_HDR_SIZE;
 	req->out.body		= req->out.hdr		+ SMB2_HDR_BODY;
+	req->out.body_fixed	= body_fixed_size;
 	req->out.body_size	= body_fixed_size;
 	req->out.dynamic	= (body_dynamic_size ? req->out.body + body_fixed_size : NULL);
 
@@ -294,10 +295,11 @@
 	req->in.dynamic 	= NULL;
 
 	buffer_code		= SVAL(req->in.body, 0);
-	dynamic_size		= req->in.body_size - (buffer_code & ~1);
+	req->in.body_fixed	= (buffer_code & ~1);
+	dynamic_size		= req->in.body_size - req->in.body_fixed;
 
 	if (dynamic_size != 0 && (buffer_code & 1)) {
-		req->in.dynamic = req->in.body + (buffer_code & ~1);
+		req->in.dynamic = req->in.body + req->in.body_fixed;
 		if (smb2_oob(&req->in, req->in.dynamic, dynamic_size)) {
 			DEBUG(1,("SMB2 request invalid dynamic size 0x%x\n", 
 				 dynamic_size));


