svn commit: samba r21731 - in branches: SAMBA_3_0/source/smbd SAMBA_3_0_25/source/smbd

jra at samba.org jra at samba.org
Wed Mar 7 01:28:20 GMT 2007


Author: jra
Date: 2007-03-07 01:28:19 +0000 (Wed, 07 Mar 2007)
New Revision: 21731

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=21731

Log:
Fix long-standing bug in our chain processing code.
Should fix a bug with WinPE. Probably a candidate
for the Vista patchset.
Jeremy.

Modified:
   branches/SAMBA_3_0/source/smbd/process.c
   branches/SAMBA_3_0_25/source/smbd/process.c


Changeset:
Modified: branches/SAMBA_3_0/source/smbd/process.c
===================================================================
--- branches/SAMBA_3_0/source/smbd/process.c	2007-03-06 23:23:15 UTC (rev 21730)
+++ branches/SAMBA_3_0/source/smbd/process.c	2007-03-07 01:28:19 UTC (rev 21731)
@@ -1148,6 +1148,7 @@
 	unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
 	char *inbuf2, *outbuf2;
 	int outsize2;
+	int new_size;
 	char inbuf_saved[smb_wct];
 	char outbuf_saved[smb_wct];
 	int outsize = smb_len(outbuf) + 4;
@@ -1198,6 +1199,20 @@
 	/* create the in buffer */
 	SCVAL(inbuf2,smb_com,smb_com2);
 
+	/* work out the new size for the in buffer. */
+	new_size = size - (inbuf2 - inbuf);
+	if (new_size < 0) {
+		DEBUG(0,("chain_reply: chain packet size incorrect (orig size = %d, "
+			"offset = %d)\n",
+			size,
+			(inbuf2 - inbuf) ));
+		exit_server_cleanly("Bad chained packet");
+		return(-1);
+	}
+
+	/* And set it in the header. */
+	smb_setlen(inbuf2, new_size);
+
 	/* create the out buffer */
 	construct_reply_common(inbuf2, outbuf2);
 
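Review bot: The `if (new_size < 0)` guard rejects only a chain offset that lies past the end of the packet, so a `new_size` from 0 up to just under one SMB header still reaches `smb_setlen()` and `switch_message()`. `smb_off2` is read from the client's packet (`SVAL(inbuf,smb_vwv1)`), so a lower bound on the remaining bytes, e.g. `if (new_size < smb_size) {`, looks like the safer test; `inbuf2` is computed outside the hunk, so the exact minimum the chained header needs should be confirmed there. The `DEBUG` call also passes `(inbuf2 - inbuf)`, a `ptrdiff_t`, to `%d`, which is a mismatch on LP64 builds; `(int)(inbuf2 - inbuf)` fixes it. The identical hunk in branches/SAMBA_3_0_25/source/smbd/process.c has the same two issues.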
@@ -1205,7 +1220,7 @@
 	show_msg(inbuf2);
 
 	/* process the request */
-	outsize2 = switch_message(smb_com2,inbuf2,outbuf2,size-chain_size,
+	outsize2 = switch_message(smb_com2,inbuf2,outbuf2,new_size,
 				bufsize-chain_size);
 
 	/* copy the new reply and request headers over the old ones, but
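Review bot: `new_size` is passed to `switch_message()` as the request size here and was also written into the packet header by `smb_setlen(inbuf2, new_size)` in the previous hunk, yet `int outsize = smb_len(outbuf) + 4;` earlier in this function implies the header length excludes the 4-byte prefix. If `size` counts that prefix (its origin is outside the visible hunks), the header would claim 4 bytes more than the buffer holds, and handlers that trust `smb_len(inbuf2)` could read past the received data; in that case the header call should be `smb_setlen(inbuf2, new_size - 4);`. A comment such as `/* new_size includes the 4-byte length prefix */` next to the declaration would make the convention explicit. The same applies to the SAMBA_3_0_25 copy of this hunk.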
@@ -1219,8 +1234,10 @@
 
 	{
 		int ofs = smb_wct - PTR_DIFF(outbuf2,orig_outbuf);
-		if (ofs < 0) ofs = 0;
-			memmove(outbuf2+ofs,outbuf_saved+ofs,smb_wct-ofs);
+		if (ofs < 0) {
+			ofs = 0;
+		}
+		memmove(outbuf2+ofs,outbuf_saved+ofs,smb_wct-ofs);
 	}
 
 	return outsize2;

Modified: branches/SAMBA_3_0_25/source/smbd/process.c
===================================================================
--- branches/SAMBA_3_0_25/source/smbd/process.c	2007-03-06 23:23:15 UTC (rev 21730)
+++ branches/SAMBA_3_0_25/source/smbd/process.c	2007-03-07 01:28:19 UTC (rev 21731)
@@ -1148,6 +1148,7 @@
 	unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
 	char *inbuf2, *outbuf2;
 	int outsize2;
+	int new_size;
 	char inbuf_saved[smb_wct];
 	char outbuf_saved[smb_wct];
 	int outsize = smb_len(outbuf) + 4;
@@ -1198,6 +1199,20 @@
 	/* create the in buffer */
 	SCVAL(inbuf2,smb_com,smb_com2);
 
+	/* work out the new size for the in buffer. */
+	new_size = size - (inbuf2 - inbuf);
+	if (new_size < 0) {
+		DEBUG(0,("chain_reply: chain packet size incorrect (orig size = %d, "
+			"offset = %d)\n",
+			size,
+			(inbuf2 - inbuf) ));
+		exit_server_cleanly("Bad chained packet");
+		return(-1);
+	}
+
+	/* And set it in the header. */
+	smb_setlen(inbuf2, new_size);
+
 	/* create the out buffer */
 	construct_reply_common(inbuf2, outbuf2);
 
@@ -1205,7 +1220,7 @@
 	show_msg(inbuf2);
 
 	/* process the request */
-	outsize2 = switch_message(smb_com2,inbuf2,outbuf2,size-chain_size,
+	outsize2 = switch_message(smb_com2,inbuf2,outbuf2,new_size,
 				bufsize-chain_size);
 
 	/* copy the new reply and request headers over the old ones, but
@@ -1219,8 +1234,10 @@
 
 	{
 		int ofs = smb_wct - PTR_DIFF(outbuf2,orig_outbuf);
-		if (ofs < 0) ofs = 0;
-			memmove(outbuf2+ofs,outbuf_saved+ofs,smb_wct-ofs);
+		if (ofs < 0) {
+			ofs = 0;
+		}
+		memmove(outbuf2+ofs,outbuf_saved+ofs,smb_wct-ofs);
 	}
 
 	return outsize2;


