svn commit: samba r22050 - in branches: SAMBA_3_0/source/lib SAMBA_3_0/source/smbd SAMBA_3_0_25/source/lib SAMBA_3_0_25/source/smbd

jra at samba.org jra at samba.org
Tue Apr 3 04:52:10 GMT 2007


Author: jra
Date: 2007-04-03 04:52:09 +0000 (Tue, 03 Apr 2007)
New Revision: 22050

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=22050

Log:
Fix a couple of off-by-one errors in the rap
call patch. Jerry, this works now for displaying
shares on Win9x (and hopefully everything else
as well :-).
Jeremy.

Modified:
   branches/SAMBA_3_0/source/lib/util.c
   branches/SAMBA_3_0/source/smbd/lanman.c
   branches/SAMBA_3_0_25/source/lib/util.c
   branches/SAMBA_3_0_25/source/smbd/lanman.c


Changeset:
Modified: branches/SAMBA_3_0/source/lib/util.c
===================================================================
--- branches/SAMBA_3_0/source/lib/util.c	2007-04-02 23:07:06 UTC (rev 22049)
+++ branches/SAMBA_3_0/source/lib/util.c	2007-04-03 04:52:09 UTC (rev 22050)
@@ -3127,6 +3127,8 @@
 
 /****************************************************************
  Check if an offset into a buffer is safe.
+ If this returns True it's safe to indirect into the byte at
+ pointer ptr+off.
 ****************************************************************/
 
 BOOL is_offset_safe(const char *buf_base, size_t buf_len, char *ptr, size_t off)
@@ -3180,10 +3182,14 @@
 
 int get_safe_SVAL(const char *buf_base, size_t buf_len, char *ptr, size_t off, int failval)
 {
-	if (!is_offset_safe(buf_base, buf_len, ptr, off+2)) {
+	/*
+	 * Note we use off+1 here, not off+2 as SVAL accesses ptr[0] and ptr[1],
+ 	 * NOT ptr[2].
+ 	 */
+	if (!is_offset_safe(buf_base, buf_len, ptr, off+1)) {
 		return failval;
 	}
-	return SVAL(ptr,0);
+	return SVAL(ptr,off);
 }
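Review bot: The `off+1` passed to is_offset_safe() in get_safe_SVAL wraps to 0 if a caller ever supplies the maximum size_t value for `off`, so the check would be evaluated for offset 0 while `SVAL(ptr,off)` still reads at the original offset. Whether any caller can pass such an offset is not visible here and is_offset_safe's body is outside the hunk, so this is a hardening point; a guard such as `if (off + 1 < off || !is_offset_safe(buf_base, buf_len, ptr, off+1)) {` closes it. The same applies to `off+3` in get_safe_IVAL in the next hunk and to both copies under branches/SAMBA_3_0_25. The new comment would also be more accurate as `SVAL accesses ptr[off] and ptr[off+1], NOT ptr[off+2]`, since the read is no longer at offset 0.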
 
 /****************************************************************
@@ -3192,8 +3198,12 @@
 
 int get_safe_IVAL(const char *buf_base, size_t buf_len, char *ptr, size_t off, int failval)
 {
-	if (!is_offset_safe(buf_base, buf_len, ptr, off+4)) {
+	/*
+	 * Note we use off+3 here, not off+4 as IVAL accesses 
+	 * ptr[0] ptr[1] ptr[2] ptr[3] NOT ptr[4].
+ 	 */
+	if (!is_offset_safe(buf_base, buf_len, ptr, off+3)) {
 		return failval;
 	}
-	return IVAL(ptr,0);
+	return IVAL(ptr,off);
 }
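Review bot: get_safe_IVAL returns `int` and reports a rejected offset in-band through `failval`, but if IVAL yields a full 32-bit value (the macro is not shown here), every possible `failval` is also a value that can legitimately be read from the buffer. A caller then cannot tell a failed bounds check from data that happens to equal `failval`. I would document that limit in the function's header comment, e.g. `NB: a stored value equal to failval is indistinguishable from failure; call is_offset_safe() directly where that matters.` The same holds for the SAMBA_3_0_25 copy.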

Modified: branches/SAMBA_3_0/source/smbd/lanman.c
===================================================================
--- branches/SAMBA_3_0/source/smbd/lanman.c	2007-04-02 23:07:06 UTC (rev 22049)
+++ branches/SAMBA_3_0/source/smbd/lanman.c	2007-04-03 04:52:09 UTC (rev 22050)
@@ -2365,7 +2365,11 @@
 
 	memset(pass1,'\0',sizeof(pass1));
 	memset(pass2,'\0',sizeof(pass2));
-	if (!is_offset_safe(param,tpscnt,p,32)) {
+	/*
+	 * We use 31 here not 32 as we're checking
+	 * the last byte we want to access is safe.
+	 */
+	if (!is_offset_safe(param,tpscnt,p,31)) {
 		return False;
 	}
 	memcpy(pass1,p,16);
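Review bot: The literal `31` in the is_offset_safe() call depends on how many bytes are read from `p` afterwards, and only `memcpy(pass1,p,16)` is visible in this hunk; the second read that brings the total to 32 bytes is presumably just below. I would state the range in the comment so the check and the copies stay in sync when either changes, e.g. `/* Bytes p[0]..p[31] are read below (two 16-byte fields); 31 is the last index accessed. */`. The enclosing function starts and ends outside the hunk. The same comment applies to the SAMBA_3_0_25 copy of lanman.c.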
@@ -2537,7 +2541,11 @@
 	if (!str1 || !str2 || !p) {
 		return False;
 	}
-	if (!is_offset_safe(param,tpscnt,p,2)) {
+	/*
+	 * We use 1 here not 2 as we're checking
+	 * the last byte we want to access is safe.
+	 */
+	if (!is_offset_safe(param,tpscnt,p,1)) {
 		return False;
 	}
 	if(!rap_to_pjobid(SVAL(p,0), sharename, &jobid))
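Review bot: The open-coded `is_offset_safe(param,tpscnt,p,1)` followed by `SVAL(p,0)` duplicates what get_safe_SVAL does, and this commit shows how easily the hand-written last-byte offset goes wrong. Assuming SVAL yields a 16-bit value (the macro is not shown), a negative sentinel is unambiguous, so the pair could become `int rapjob = get_safe_SVAL(param,tpscnt,p,0,-1);` and `if (rapjob == -1) return False;`, with `rapjob` passed to rap_to_pjobid(). That keeps the offset arithmetic in one audited place. The same pattern appears in the next hunk of this file and in both hunks of the SAMBA_3_0_25 copy; the enclosing functions start and end outside these hunks.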
@@ -2701,7 +2709,11 @@
 	if (!str1 || !str2 || !p) {
 		return False;
 	}
-	if (!is_offset_safe(param,tpscnt,p,2)) {
+	/*
+	 * We use 1 here not 2 as we're checking
+	 * the last byte we want to access is safe.
+	 */
+	if (!is_offset_safe(param,tpscnt,p,1)) {
 		return False;
 	}
 	if(!rap_to_pjobid(SVAL(p,0), sharename, &jobid))

Modified: branches/SAMBA_3_0_25/source/lib/util.c
===================================================================
--- branches/SAMBA_3_0_25/source/lib/util.c	2007-04-02 23:07:06 UTC (rev 22049)
+++ branches/SAMBA_3_0_25/source/lib/util.c	2007-04-03 04:52:09 UTC (rev 22050)
@@ -3115,6 +3115,8 @@
 
 /****************************************************************
  Check if an offset into a buffer is safe.
+ If this returns True it's safe to indirect into the byte at
+ pointer ptr+off.
 ****************************************************************/
 
 BOOL is_offset_safe(const char *buf_base, size_t buf_len, char *ptr, size_t off)
@@ -3168,10 +3170,14 @@
 
 int get_safe_SVAL(const char *buf_base, size_t buf_len, char *ptr, size_t off, int failval)
 {
-	if (!is_offset_safe(buf_base, buf_len, ptr, off+2)) {
+	/*
+	 * Note we use off+1 here, not off+2 as SVAL accesses ptr[0] and ptr[1],
+ 	 * NOT ptr[2].
+ 	 */
+	if (!is_offset_safe(buf_base, buf_len, ptr, off+1)) {
 		return failval;
 	}
-	return SVAL(ptr,0);
+	return SVAL(ptr,off);
 }
 
 /****************************************************************
@@ -3180,8 +3186,12 @@
 
 int get_safe_IVAL(const char *buf_base, size_t buf_len, char *ptr, size_t off, int failval)
 {
-	if (!is_offset_safe(buf_base, buf_len, ptr, off+4)) {
+	/*
+	 * Note we use off+3 here, not off+4 as IVAL accesses 
+	 * ptr[0] ptr[1] ptr[2] ptr[3] NOT ptr[4].
+ 	 */
+	if (!is_offset_safe(buf_base, buf_len, ptr, off+3)) {
 		return failval;
 	}
-	return IVAL(ptr,0);
+	return IVAL(ptr,off);
 }

Modified: branches/SAMBA_3_0_25/source/smbd/lanman.c
===================================================================
--- branches/SAMBA_3_0_25/source/smbd/lanman.c	2007-04-02 23:07:06 UTC (rev 22049)
+++ branches/SAMBA_3_0_25/source/smbd/lanman.c	2007-04-03 04:52:09 UTC (rev 22050)
@@ -2364,7 +2364,11 @@
 
 	memset(pass1,'\0',sizeof(pass1));
 	memset(pass2,'\0',sizeof(pass2));
-	if (!is_offset_safe(param,tpscnt,p,32)) {
+	/*
+	 * We use 31 here not 32 as we're checking
+	 * the last byte we want to access is safe.
+	 */
+	if (!is_offset_safe(param,tpscnt,p,31)) {
 		return False;
 	}
 	memcpy(pass1,p,16);
@@ -2536,7 +2540,11 @@
 	if (!str1 || !str2 || !p) {
 		return False;
 	}
-	if (!is_offset_safe(param,tpscnt,p,2)) {
+	/*
+	 * We use 1 here not 2 as we're checking
+	 * the last byte we want to access is safe.
+	 */
+	if (!is_offset_safe(param,tpscnt,p,1)) {
 		return False;
 	}
 	if(!rap_to_pjobid(SVAL(p,0), sharename, &jobid))
@@ -2700,7 +2708,11 @@
 	if (!str1 || !str2 || !p) {
 		return False;
 	}
-	if (!is_offset_safe(param,tpscnt,p,2)) {
+	/*
+	 * We use 1 here not 2 as we're checking
+	 * the last byte we want to access is safe.
+	 */
+	if (!is_offset_safe(param,tpscnt,p,1)) {
 		return False;
 	}
 	if(!rap_to_pjobid(SVAL(p,0), sharename, &jobid))


