[SCM] Samba Shared Repository - branch v3-2-test updated - initial-v3-2-unstable-158-g2d3ff9c

Jeremy Allison jra at samba.org
Fri Nov 2 05:31:24 GMT 2007


The branch, v3-2-test has been updated
       via  2d3ff9c502105f92720131355b41e48be8d656c2 (commit)
      from  1c71546b6152d2930b98f766311bbd161ee0ee4e (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test


- Log -----------------------------------------------------------------
commit 2d3ff9c502105f92720131355b41e48be8d656c2
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Nov 1 22:24:39 2007 -0700

    Be careful and take care of the correct lengths in large
    writeX calls.
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source/smbd/reply.c |   16 +++++++---------
 1 files changed, 7 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/smbd/reply.c b/source/smbd/reply.c
index d4f3f1f..c83066d 100644
--- a/source/smbd/reply.c
+++ b/source/smbd/reply.c
@@ -3912,7 +3912,6 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req)
 	unsigned int smb_doff;
 	unsigned int smblen;
 	char *data;
-	bool large_writeX;
 	NTSTATUS status;
 
 	START_PROFILE(SMBwriteX);
@@ -3926,12 +3925,11 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req)
 	numtowrite = SVAL(req->inbuf,smb_vwv10);
 	smb_doff = SVAL(req->inbuf,smb_vwv11);
 	smblen = smb_len(req->inbuf);
-	large_writeX = (req->wct == 14 &&
-			(smblen > 0xFFFF || req->unread_bytes > 0xFFFF));
 
-	/* Deal with possible LARGE_WRITEX */
-	if (large_writeX) {
-		numtowrite |= ((((size_t)SVAL(req->inbuf,smb_vwv9)) & 1 )<<16);
+	if (req->unread_bytes > 0xFFFF ||
+			(smblen > smb_doff + 4 &&
+				smblen - smb_doff + 4 > 0xFFFF)) {
+		numtowrite |= (((size_t)SVAL(req->inbuf,smb_vwv9))<<16);
 	}
 
 	if (req->unread_bytes) {
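Review bot: The two halves of the new length test disagree about the 4-byte adjustment: the guard is `smblen > smb_doff + 4`, but `smblen - smb_doff + 4 > 0xFFFF` parses as `(smblen - smb_doff) + 4`, so the threshold for treating vwv9 as the high length word is 8 bytes lower than the guard implies. If the guard expresses the intent, the second line should read `smblen - (smb_doff + 4) > 0xFFFF`. With the `& 1` mask removed, the full client-supplied 16-bit vwv9 now enters numtowrite, so this condition and the bounds checks after it are what limit the length. A short comment saying what the 4 stands for would help, since the same constant recurs in the bounds check of the next hunk. reply_write_and_X starts and ends outside the hunk.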
@@ -3941,7 +3939,8 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req)
 			return;
 		}
 	} else {
-		if (smb_doff > smblen || smb_doff + numtowrite > smblen) {
+		if (smb_doff + 4 > smblen || smb_doff + 4 + numtowrite < numtowrite ||
+				smb_doff + 4 + numtowrite > smblen) {
 			reply_doserror(req, ERRDOS, ERRbadmem);
 			END_PROFILE(SMBwriteX);
 			return;
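Review bot: The wrap test `smb_doff + 4 + numtowrite < numtowrite` is only sound if numtowrite is an unsigned type, and its declaration is outside the hunk; with a signed type the overflow would be undefined rather than detected. This check covers only the `else` branch, and the validation applied when `req->unread_bytes` is non-zero begins above the hunk, so it is worth confirming that path also bounds the now 32-bit numtowrite. I would add a comment above the condition such as `/* Reject a data offset or length that wraps or runs past the received packet. */`.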
@@ -4032,8 +4031,7 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req)
 
 	reply_outbuf(req, 6, 0);
 	SSVAL(req->outbuf,smb_vwv2,nwritten);
-	if (large_writeX)
-		SSVAL(req->outbuf,smb_vwv4,(nwritten>>16)&1);
+	SSVAL(req->outbuf,smb_vwv4,nwritten>>16);
 
 	if (nwritten < (ssize_t)numtowrite) {
 		SCVAL(req->outbuf,smb_rcls,ERRHRD);
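Review bot: `nwritten>>16` shifts what looks like a signed value (the next statement compares it with `(ssize_t)numtowrite`), and right-shifting a negative signed value is implementation-defined. Unless an earlier error path, outside this hunk, already returns when nwritten is negative, a failed write would put 0xFFFF into both count words of the reply. Once that earlier check is confirmed, writing the conversion explicitly, `SSVAL(req->outbuf,smb_vwv4,((size_t)nwritten)>>16);`, removes the dependence on signed-shift behaviour and shows that only a non-negative count is expected here.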


-- 
Samba Shared Repository

