[SCM] Samba Shared Repository - branch v3-2-test updated -
release-3-2-0pre2-685-g0985289
Jeremy Allison
jra at samba.org
Tue Apr 8 04:12:03 GMT 2008
The branch, v3-2-test has been updated
via 09852899cadc48abe2f2651ecbceaf881198e648 (commit)
from a4e3bc2bade8bf74696e1c6ced74da563ff2df7b (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test
- Log -----------------------------------------------------------------
commit 09852899cadc48abe2f2651ecbceaf881198e648
Author: Jeremy Allison <jra at samba.org>
Date: Mon Apr 7 21:11:16 2008 -0700
Rewrite the wrap checks to deal with gcc 4.x optimisations.
Karolin, please pull once Volker has reviewed. Thanks.
Jeremy.
-----------------------------------------------------------------------
Summary of changes:
source/smbd/ipc.c | 78 +++++++++++++++++++++++++------------------
source/smbd/nttrans.c | 89 ++++++++++++++++++++++++++++---------------------
source/smbd/trans2.c | 76 +++++++++++++++++++++++++----------------
3 files changed, 142 insertions(+), 101 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c
index 68a13d6..6961a5c 100644
--- a/source/smbd/ipc.c
+++ b/source/smbd/ipc.c
@@ -498,7 +498,8 @@ void reply_trans(struct smb_request *req)
unsigned int pscnt;
struct trans_state *state;
NTSTATUS result;
- int size;
+ unsigned int size;
+ unsigned int av_size;
START_PROFILE(SMBtrans);
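Review bot: `size` is kept (now as `unsigned int`) and still assigned from `smb_len(req->inbuf) + 4` in the next hunk, but every read of it that is visible in this diff is removed; if nothing outside the hunks uses it, it is now a dead store that will trip an unused-but-set-variable warning on newer gcc. reply_transs in this same file drops `size` entirely in favour of `av_size`, which suggests the same cleanup is possible here and in the reply_nttrans, reply_nttranss, reply_trans2 and reply_transs2 hunks of nttrans.c and trans2.c. reply_trans continues outside the hunk.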
@@ -509,6 +510,7 @@ void reply_trans(struct smb_request *req)
}
size = smb_len(req->inbuf) + 4;
+ av_size = smb_len(req->inbuf);
dsoff = SVAL(req->inbuf, smb_dsoff);
dscnt = SVAL(req->inbuf, smb_dscnt);
psoff = SVAL(req->inbuf, smb_psoff);
@@ -567,12 +569,17 @@ void reply_trans(struct smb_request *req)
}
/* null-terminate the slack space */
memset(&state->data[state->total_data], 0, 100);
- if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
+
+ if (dscnt > state->total_data ||
+ dsoff+dscnt < dsoff) {
goto bad_param;
- if ((smb_base(req->inbuf)+dsoff+dscnt
- > (char *)req->inbuf + size) ||
- (smb_base(req->inbuf)+dsoff+dscnt < smb_base(req->inbuf)))
+ }
+
+ if (dsoff > av_size ||
+ dscnt > av_size ||
+ dsoff+dscnt > av_size) {
goto bad_param;
+ }
memcpy(state->data,smb_base(req->inbuf)+dsoff,dscnt);
}
@@ -592,12 +599,17 @@ void reply_trans(struct smb_request *req)
}
/* null-terminate the slack space */
memset(&state->param[state->total_param], 0, 100);
- if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
+
+ if (pscnt > state->total_param ||
+ psoff+pscnt < psoff) {
goto bad_param;
- if ((smb_base(req->inbuf)+psoff+pscnt
- > (char *)req->inbuf + size) ||
- (smb_base(req->inbuf)+psoff+pscnt < smb_base(req->inbuf)))
+ }
+
+ if (psoff > av_size ||
+ pscnt > av_size ||
+ psoff+pscnt > av_size) {
goto bad_param;
+ }
memcpy(state->param,smb_base(req->inbuf)+psoff,pscnt);
}
@@ -675,7 +687,7 @@ void reply_transs(struct smb_request *req)
connection_struct *conn = req->conn;
unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp;
struct trans_state *state;
- int size;
+ unsigned int av_size;
START_PROFILE(SMBtranss);
@@ -708,7 +720,7 @@ void reply_transs(struct smb_request *req)
if (SVAL(req->inbuf, smb_vwv1) < state->total_data)
state->total_data = SVAL(req->inbuf,smb_vwv1);
- size = smb_len(req->inbuf) + 4;
+ av_size = smb_len(req->inbuf);
pcnt = SVAL(req->inbuf, smb_spscnt);
poff = SVAL(req->inbuf, smb_spsoff);
@@ -726,38 +738,38 @@ void reply_transs(struct smb_request *req)
goto bad_param;
if (pcnt) {
- if (pdisp+pcnt > state->total_param)
- goto bad_param;
- if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
- goto bad_param;
- if (pdisp > state->total_param)
+ if (pdisp > state->total_param ||
+ pcnt > state->total_param ||
+ pdisp+pcnt > state->total_param ||
+ pdisp+pcnt < pdisp) {
goto bad_param;
- if ((smb_base(req->inbuf) + poff + pcnt
- > (char *)req->inbuf + size) ||
- (smb_base(req->inbuf) + poff + pcnt
- < smb_base(req->inbuf)))
- goto bad_param;
- if (state->param + pdisp < state->param)
+ }
+
+ if (poff > av_size ||
+ pcnt > av_size ||
+ poff+pcnt > av_size ||
+ poff+pcnt < poff) {
goto bad_param;
+ }
memcpy(state->param+pdisp,smb_base(req->inbuf)+poff,
pcnt);
}
if (dcnt) {
- if (ddisp+dcnt > state->total_data)
- goto bad_param;
- if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
+ if (ddisp > state->total_data ||
+ dcnt > state->total_data ||
+ ddisp+dcnt > state->total_data ||
+ ddisp+dcnt < ddisp) {
goto bad_param;
- if (ddisp > state->total_data)
- goto bad_param;
- if ((smb_base(req->inbuf) + doff + dcnt
- > (char *)req->inbuf + size) ||
- (smb_base(req->inbuf) + doff + dcnt
- < smb_base(req->inbuf)))
- goto bad_param;
- if (state->data + ddisp < state->data)
+ }
+
+ if (ddisp > av_size ||
+ dcnt > av_size ||
+ ddisp+dcnt > av_size ||
+ ddisp+dcnt < ddisp) {
goto bad_param;
+ }
memcpy(state->data+ddisp, smb_base(req->inbuf)+doff,
dcnt);
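Review bot: The second guard in the `if (dcnt)` branch bounds `ddisp` against `av_size` but never checks `doff`, which is the offset actually used as the source of the following `memcpy(state->data+ddisp, smb_base(req->inbuf)+doff, dcnt)`; the removed lines compared `doff + dcnt` against the end of the buffer, so this hunk drops the only bound on the source read while `ddisp` is already covered by the `state->total_data` guard above. The parameter branch gets this right with `poff`, so the data branch should read `if (doff > av_size || dcnt > av_size || doff+dcnt > av_size || doff+dcnt < doff) {`. The same copy of the check, with the same `ddisp`/`doff` mix-up, appears in the reply_nttranss hunk in nttrans.c and the reply_transs2 hunk in trans2.c. reply_transs continues outside the hunk.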
diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c
index 05c0957..e8dae70 100644
--- a/source/smbd/nttrans.c
+++ b/source/smbd/nttrans.c
@@ -2557,14 +2557,15 @@ static void handle_nttrans(connection_struct *conn,
void reply_nttrans(struct smb_request *req)
{
connection_struct *conn = req->conn;
- uint32 pscnt;
- uint32 psoff;
- uint32 dscnt;
- uint32 dsoff;
+ uint32_t pscnt;
+ uint32_t psoff;
+ uint32_t dscnt;
+ uint32_t dsoff;
uint16 function_code;
NTSTATUS result;
struct trans_state *state;
- int size;
+ uint32_t size;
+ uint32_t av_size;
START_PROFILE(SMBnttrans);
@@ -2575,6 +2576,7 @@ void reply_nttrans(struct smb_request *req)
}
size = smb_len(req->inbuf) + 4;
+ av_size = smb_len(req->inbuf);
pscnt = IVAL(req->inbuf,smb_nt_ParameterCount);
psoff = IVAL(req->inbuf,smb_nt_ParameterOffset);
dscnt = IVAL(req->inbuf,smb_nt_DataCount);
@@ -2650,12 +2652,17 @@ void reply_nttrans(struct smb_request *req)
END_PROFILE(SMBnttrans);
return;
}
- if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
+
+ if (dscnt > state->total_data ||
+ dsoff+dscnt < dsoff) {
goto bad_param;
- if ((smb_base(req->inbuf)+dsoff+dscnt
- > (char *)req->inbuf + size) ||
- (smb_base(req->inbuf)+dsoff+dscnt < smb_base(req->inbuf)))
+ }
+
+ if (dsoff > av_size ||
+ dscnt > av_size ||
+ dsoff+dscnt > av_size) {
goto bad_param;
+ }
memcpy(state->data,smb_base(req->inbuf)+dsoff,dscnt);
}
@@ -2672,12 +2679,17 @@ void reply_nttrans(struct smb_request *req)
END_PROFILE(SMBnttrans);
return;
}
- if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
+
+ if (pscnt > state->total_param ||
+ psoff+pscnt < psoff) {
goto bad_param;
- if ((smb_base(req->inbuf)+psoff+pscnt
- > (char *)req->inbuf + size) ||
- (smb_base(req->inbuf)+psoff+pscnt < smb_base(req->inbuf)))
+ }
+
+ if (psoff > av_size ||
+ pscnt > av_size ||
+ psoff+pscnt > av_size) {
goto bad_param;
+ }
memcpy(state->param,smb_base(req->inbuf)+psoff,pscnt);
}
@@ -2749,10 +2761,10 @@ void reply_nttrans(struct smb_request *req)
void reply_nttranss(struct smb_request *req)
{
connection_struct *conn = req->conn;
- unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp;
+ uint32_t pcnt,poff,dcnt,doff,pdisp,ddisp;
struct trans_state *state;
-
- int size;
+ uint32_t av_size;
+ uint32_t size;
START_PROFILE(SMBnttranss);
@@ -2789,6 +2801,7 @@ void reply_nttranss(struct smb_request *req)
}
size = smb_len(req->inbuf) + 4;
+ av_size = smb_len(req->inbuf);
pcnt = IVAL(req->inbuf,smb_nts_ParameterCount);
poff = IVAL(req->inbuf, smb_nts_ParameterOffset);
@@ -2806,38 +2819,38 @@ void reply_nttranss(struct smb_request *req)
goto bad_param;
if (pcnt) {
- if (pdisp+pcnt > state->total_param)
- goto bad_param;
- if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
- goto bad_param;
- if (pdisp > state->total_param)
+ if (pdisp > state->total_param ||
+ pcnt > state->total_param ||
+ pdisp+pcnt > state->total_param ||
+ pdisp+pcnt < pdisp) {
goto bad_param;
- if ((smb_base(req->inbuf) + poff + pcnt
- > (char *)req->inbuf + size) ||
- (smb_base(req->inbuf) + poff + pcnt
- < smb_base(req->inbuf)))
- goto bad_param;
- if (state->param + pdisp < state->param)
+ }
+
+ if (poff > av_size ||
+ pcnt > av_size ||
+ poff+pcnt > av_size ||
+ poff+pcnt < poff) {
goto bad_param;
+ }
memcpy(state->param+pdisp, smb_base(req->inbuf)+poff,
pcnt);
}
if (dcnt) {
- if (ddisp+dcnt > state->total_data)
- goto bad_param;
- if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
+ if (ddisp > state->total_data ||
+ dcnt > state->total_data ||
+ ddisp+dcnt > state->total_data ||
+ ddisp+dcnt < ddisp) {
goto bad_param;
- if (ddisp > state->total_data)
- goto bad_param;
- if ((smb_base(req->inbuf) + doff + dcnt
- > (char *)req->inbuf + size) ||
- (smb_base(req->inbuf) + doff + dcnt
- < smb_base(req->inbuf)))
- goto bad_param;
- if (state->data + ddisp < state->data)
+ }
+
+ if (ddisp > av_size ||
+ dcnt > av_size ||
+ ddisp+dcnt > av_size ||
+ ddisp+dcnt < ddisp) {
goto bad_param;
+ }
memcpy(state->data+ddisp, smb_base(req->inbuf)+doff,
dcnt);
diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c
index 05e8375..709eb39 100644
--- a/source/smbd/trans2.c
+++ b/source/smbd/trans2.c
@@ -7468,7 +7468,8 @@ void reply_trans2(struct smb_request *req)
unsigned int psoff;
unsigned int pscnt;
unsigned int tran_call;
- int size;
+ unsigned int size;
+ unsigned int av_size;
struct trans_state *state;
NTSTATUS result;
@@ -7486,6 +7487,7 @@ void reply_trans2(struct smb_request *req)
pscnt = SVAL(req->inbuf, smb_pscnt);
tran_call = SVAL(req->inbuf, smb_setup0);
size = smb_len(req->inbuf) + 4;
+ av_size = smb_len(req->inbuf);
result = allow_new_trans(conn->pending_trans, req->mid);
if (!NT_STATUS_IS_OK(result)) {
@@ -7578,12 +7580,17 @@ void reply_trans2(struct smb_request *req)
END_PROFILE(SMBtrans2);
return;
}
- if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
+
+ if (dscnt > state->total_data ||
+ dsoff+dscnt < dsoff) {
goto bad_param;
- if ((smb_base(req->inbuf)+dsoff+dscnt
- > (char *)req->inbuf + size) ||
- (smb_base(req->inbuf)+dsoff+dscnt < smb_base(req->inbuf)))
+ }
+
+ if (dsoff > av_size ||
+ dscnt > av_size ||
+ dsoff+dscnt > av_size) {
goto bad_param;
+ }
memcpy(state->data,smb_base(req->inbuf)+dsoff,dscnt);
}
@@ -7601,12 +7608,17 @@ void reply_trans2(struct smb_request *req)
END_PROFILE(SMBtrans2);
return;
}
- if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
+
+ if (pscnt > state->total_param ||
+ psoff+pscnt < psoff) {
goto bad_param;
- if ((smb_base(req->inbuf)+psoff+pscnt
- > (char *)req->inbuf + size) ||
- (smb_base(req->inbuf)+psoff+pscnt < smb_base(req->inbuf)))
+ }
+
+ if (psoff > av_size ||
+ pscnt > av_size ||
+ psoff+pscnt > av_size) {
goto bad_param;
+ }
memcpy(state->param,smb_base(req->inbuf)+psoff,pscnt);
}
@@ -7655,7 +7667,8 @@ void reply_transs2(struct smb_request *req)
connection_struct *conn = req->conn;
unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp;
struct trans_state *state;
- int size;
+ unsigned int size;
+ unsigned int av_size;
START_PROFILE(SMBtranss2);
@@ -7668,6 +7681,7 @@ void reply_transs2(struct smb_request *req)
}
size = smb_len(req->inbuf)+4;
+ av_size = smb_len(req->inbuf);
for (state = conn->pending_trans; state != NULL;
state = state->next) {
@@ -7706,36 +7720,38 @@ void reply_transs2(struct smb_request *req)
goto bad_param;
if (pcnt) {
- if (pdisp+pcnt > state->total_param)
- goto bad_param;
- if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
- goto bad_param;
- if (pdisp > state->total_param)
+ if (pdisp > state->total_param ||
+ pcnt > state->total_param ||
+ pdisp+pcnt > state->total_param ||
+ pdisp+pcnt < pdisp) {
goto bad_param;
- if ((smb_base(req->inbuf) + poff + pcnt
- > (char *)req->inbuf + size) ||
- (smb_base(req->inbuf) + poff + pcnt < smb_base(req->inbuf)))
- goto bad_param;
- if (state->param + pdisp < state->param)
+ }
+
+ if (poff > av_size ||
+ pcnt > av_size ||
+ poff+pcnt > av_size ||
+ poff+pcnt < poff) {
goto bad_param;
+ }
memcpy(state->param+pdisp,smb_base(req->inbuf)+poff,
pcnt);
}
if (dcnt) {
- if (ddisp+dcnt > state->total_data)
- goto bad_param;
- if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
+ if (ddisp > state->total_data ||
+ dcnt > state->total_data ||
+ ddisp+dcnt > state->total_data ||
+ ddisp+dcnt < ddisp) {
goto bad_param;
- if (ddisp > state->total_data)
- goto bad_param;
- if ((smb_base(req->inbuf) + doff + dcnt
- > (char *)req->inbuf + size) ||
- (smb_base(req->inbuf) + doff + dcnt < smb_base(req->inbuf)))
- goto bad_param;
- if (state->data + ddisp < state->data)
+ }
+
+ if (ddisp > av_size ||
+ dcnt > av_size ||
+ ddisp+dcnt > av_size ||
+ ddisp+dcnt < ddisp) {
goto bad_param;
+ }
memcpy(state->data+ddisp, smb_base(req->inbuf)+doff,
dcnt);