svn commit: samba r23752 - in branches: SAMBA_3_0/source/smbd SAMBA_3_0_26/source/smbd

[jra at samba.org]

Author: jra
Date: 2007-07-09 00:48:07 +0000 (Mon, 09 Jul 2007)
New Revision: 23752

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=23752

Log:
Fix bug introduced by checkin 22920, allow large
readX. Fix from Dmitry Shatrov <dhsatrov at linux.vnet.ibm.com>.

"In send_file_readX(), if startpos > sbuf.st_size, then smb_maxcnt is set
to an invalid large value due to integer overflow.
As for me, this resulted in MS Word hanging while trying to save
a 1.5Mb document."

This isn't in shipping code.

Jeremy.


Modified:
   branches/SAMBA_3_0/source/smbd/reply.c
   branches/SAMBA_3_0_26/source/smbd/reply.c


Changeset:
Modified: branches/SAMBA_3_0/source/smbd/reply.c
===================================================================
--- branches/SAMBA_3_0/source/smbd/reply.c	2007-07-08 22:01:43 UTC (rev 23751)
+++ branches/SAMBA_3_0/source/smbd/reply.c	2007-07-09 00:48:07 UTC (rev 23752)
@@ -2590,9 +2590,7 @@
 
 	if (startpos > sbuf.st_size) {
 		smb_maxcnt = 0;
-	}
-
-	if (smb_maxcnt > (sbuf.st_size - startpos)) {
+	} else if (smb_maxcnt > (sbuf.st_size - startpos)) {
 		smb_maxcnt = (sbuf.st_size - startpos);
 	}
 

Modified: branches/SAMBA_3_0_26/source/smbd/reply.c
===================================================================
--- branches/SAMBA_3_0_26/source/smbd/reply.c	2007-07-08 22:01:43 UTC (rev 23751)
+++ branches/SAMBA_3_0_26/source/smbd/reply.c	2007-07-09 00:48:07 UTC (rev 23752)
@@ -2590,9 +2590,7 @@
 
 	if (startpos > sbuf.st_size) {
 		smb_maxcnt = 0;
-	}
-
-	if (smb_maxcnt > (sbuf.st_size - startpos)) {
+	} else if (smb_maxcnt > (sbuf.st_size - startpos)) {
 		smb_maxcnt = (sbuf.st_size - startpos);
 	}