[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha8-843-g3854b5e
Andrew Tridgell
tridge at samba.org
Wed Aug 5 04:24:28 MDT 2009
The branch, master has been updated
via 3854b5e6146ff8efeb4379a502bb083cbaa05ce4 (commit)
via 67b6f5784ae8d2e5c5b783b24a4b0ff555a28d44 (commit)
from cc74f213248f910c1c7908b23be07485752e85b9 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 3854b5e6146ff8efeb4379a502bb083cbaa05ce4
Author: Andrew Tridgell <tridge at samba.org>
Date: Wed Aug 5 20:23:12 2009 +1000
changed BCC handling for SMBwriteX to handle broken MacOSX client
see bug #6610
The MacOSX SMB client sets the BCC value in SMBwriteX calls to zero
instead of the correct size. Checking against WindowsXP, I've found
that Windows uses the maximum of the computed buffer size and the
given BCC value. I've changed Samba4 to do the same to allow MacOSX to
work.
I've limited this change to non-chained packets to ensure we don't get
the possibility of exploits based on overlapping chained requests
commit 67b6f5784ae8d2e5c5b783b24a4b0ff555a28d44
Author: Andrew Tridgell <tridge at samba.org>
Date: Wed Aug 5 20:19:36 2009 +1000
on buffer overflow windows gives SMBSRV:ERRerror here
-----------------------------------------------------------------------
Summary of changes:
source4/smb_server/smb/receive.c | 21 ++++++++-------------
source4/smb_server/smb/reply.c | 2 +-
2 files changed, 9 insertions(+), 14 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/smb_server/smb/receive.c b/source4/smb_server/smb/receive.c
index 03631f8..9a03909 100644
--- a/source4/smb_server/smb/receive.c
+++ b/source4/smb_server/smb/receive.c
@@ -407,19 +407,14 @@ NTSTATUS smbsrv_recv_smb_request(void *private_data, DATA_BLOB blob)
req->in.data = req->in.vwv + VWV(req->in.wct) + 2;
req->in.data_size = SVAL(req->in.vwv, VWV(req->in.wct));
- /* the bcc length is only 16 bits, but some packets
- (such as SMBwriteX) can be much larger than 64k. We
- detect this by looking for a large non-chained NBT
- packet (at least 64k bigger than what is
- specified). If it is detected then the NBT size is
- used instead of the bcc size */
- if (req->in.data_size + 0x10000 <=
- req->in.size - PTR_DIFF(req->in.data, req->in.buffer) &&
- ( message_flags(command) & LARGE_REQUEST) &&
- ( !(message_flags(command) & AND_X) ||
- (req->in.wct < 1 || SVAL(req->in.vwv, VWV(0)) == SMB_CHAIN_NONE) )
- ) {
- /* its an oversized packet! fun for all the family */
+ /* special handling for oversize calls. Windows seems
+ to take the maximum of the BCC value and the
+ computed buffer size. This handles oversized writeX
+ calls, and possibly oversized SMBtrans calls */
+ if ((message_flags(command) & LARGE_REQUEST) &&
+ ( !(message_flags(command) & AND_X) ||
+ (req->in.wct < 1 || SVAL(req->in.vwv, VWV(0)) == SMB_CHAIN_NONE)) &&
+ req->in.data_size < req->in.size - PTR_DIFF(req->in.data,req->in.buffer)) {
req->in.data_size = req->in.size - PTR_DIFF(req->in.data,req->in.buffer);
}
}
diff --git a/source4/smb_server/smb/reply.c b/source4/smb_server/smb/reply.c
index 0433d35..104caca 100644
--- a/source4/smb_server/smb/reply.c
+++ b/source4/smb_server/smb/reply.c
@@ -1063,7 +1063,7 @@ void smbsrv_reply_write_and_X(struct smbsrv_request *req)
/* make sure the data is in bounds */
if (req_data_oob(&req->in.bufinfo, io->writex.in.data, io->writex.in.count)) {
- smbsrv_send_error(req, NT_STATUS_FOOBAR);
+ smbsrv_send_error(req, NT_STATUS_DOS(ERRSRV, ERRerror));
return;
}
--
Samba Shared Repository
More information about the samba-cvs
mailing list