[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Thu Apr 29 14:41:38 MDT 2010


The branch, master has been updated
       via  1f69a7a... Attempt to fix bug #7399 - SMB2: QUERY_DIRECTORY is returning invalid values.
      from  ca860e4... s3: range-check idmap script output

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 1f69a7a80eb9057498a4805b883158dc1ce25901
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Apr 29 13:40:25 2010 -0700

    Attempt to fix bug #7399 - SMB2: QUERY_DIRECTORY is returning invalid values.
    
    Based on an initial patch from Ira Cooper <samba at ira.wakeful.net>.
    
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/smb2_find.c |   26 ++++++++++++++++++++++----
 source3/smbd/trans2.c    |   23 +++++++++++++++++------
 2 files changed, 39 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c
index 546aed8..66be756 100644
--- a/source3/smbd/smb2_find.c
+++ b/source3/smbd/smb2_find.c
@@ -89,6 +89,17 @@ NTSTATUS smbd_smb2_request_process_find(struct smbd_smb2_request *req)
 		return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
 	}
 
+	/* The output header is 8 bytes. */
+	if (in_output_buffer_length <= 8) {
+		return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+	}
+
+	DEBUG(10,("smbd_smb2_request_find_done: in_output_buffer_length = %u\n",
+		(unsigned int)in_output_buffer_length ));
+
+	/* Take into account the output header. */
+	in_output_buffer_length -= 8;
+
 	in_file_name_buffer.data = (uint8_t *)req->in.vector[i+2].iov_base;
 	in_file_name_buffer.length = in_file_name_length;
 
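Review bot: The DEBUG string added in this hunk names `smbd_smb2_request_find_done`, but the hunk header places it in `smbd_smb2_request_process_find`, so the log line would point readers at the wrong function; change it to `DEBUG(10,("smbd_smb2_request_process_find: in_output_buffer_length = %u\n",`. The new `<= 8` check only bounds the client-supplied `in_output_buffer_length` from below; nothing visible here bounds it from above, and after the `-= 8` it is later narrowed to `int` in `smbd_smb2_find_send` (`int space_remaining = in_output_buffer_length - off`), which goes negative for values above INT_MAX. If the length is not already clamped earlier in this function (outside the hunk), reject it or clamp it to the server's maximum transaction size here, next to the header check. smbd_smb2_request_process_find continues outside the hunk.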
@@ -172,6 +183,9 @@ static void smbd_smb2_request_find_done(struct tevent_req *subreq)
 	SIVAL(outbody.data, 0x04,
 	      out_output_buffer.length);	/* output buffer length */
 
+	DEBUG(10,("smbd_smb2_request_find_done: out_output_buffer.length = %u\n",
+		(unsigned int)out_output_buffer.length ));
+
 	outdyn = out_output_buffer;
 
 	error = smbd_smb2_request_done(req, outbody, &outdyn);
@@ -210,7 +224,7 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
 	char *base_data;
 	char *end_data;
 	int last_entry_off = 0;
-	uint64_t off = 0;
+	int off = 0;
 	uint32_t num = 0;
 	uint32_t dirtype = aHIDDEN | aSYSTEM | aDIR;
 	const char *directory;
@@ -364,8 +378,10 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
 	off = 0;
 	num = 0;
 
-	DEBUG(8,("smbd_smb2_find_send: dirpath=<%s> dontdescend=<%s>\n",
-		directory, lp_dontdescend(SNUM(conn))));
+	DEBUG(8,("smbd_smb2_find_send: dirpath=<%s> dontdescend=<%s>, "
+		"in_output_buffer_length = %u\n",
+		directory, lp_dontdescend(SNUM(conn)),
+		(unsigned int)in_output_buffer_length ));
 	if (in_list(directory,lp_dontdescend(SNUM(conn)),conn->case_sensitive)) {
 		dont_descend = true;
 	}
@@ -380,6 +396,8 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
 		bool out_of_space = false;
 		int space_remaining = in_output_buffer_length - off;
 
+		SMB_ASSERT(space_remaining >= 0);
+
 		ok = smbd_dirptr_lanman2_entry(state,
 					       conn,
 					       fsp->dptr,
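Review bot: `SMB_ASSERT(space_remaining >= 0)` guards a value derived directly from the client-supplied `in_output_buffer_length`; if SMB_ASSERT panics the process as it does elsewhere in smbd, a request whose output length no longer fits in `int` after the `-= 8` in the first hunk would abort the daemon instead of getting an error back. Unless that length is already clamped earlier in smbd_smb2_request_process_find (outside this hunk), the bound should be enforced before `smbd_smb2_find_send` is called, with the assert kept only as a programming-error check on an already bounded value. The same `uint64_t`-to-`int` narrowing of `off` appears in the `-210,7` and `-401,7` hunks and inherits the same assumption. The enclosing loop in smbd_smb2_find_send continues outside the hunk.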
@@ -401,7 +419,7 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
 					       &last_entry_off,
 					       NULL);
 
-		off = PTR_DIFF(pdata, base_data);
+		off = (int)PTR_DIFF(pdata, base_data);
 
 		if (!ok) {
 			if (num > 0) {
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 4dff673..102b41f 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -1464,7 +1464,7 @@ static bool smbd_marshall_dir_entry(TALLOC_CTX *ctx,
 				    uint32_t mode,
 				    const char *fname,
 				    const struct smb_filename *smb_fname,
-				    uint64_t space_remaining,
+				    int space_remaining,
 				    uint8_t align,
 				    bool do_pad,
 				    char *base_data,
@@ -1484,8 +1484,8 @@ static bool smbd_marshall_dir_entry(TALLOC_CTX *ctx,
 	char *nameptr;
 	char *last_entry_ptr;
 	bool was_8_3;
-	off_t off;
-	off_t pad = 0;
+	int off;
+	int pad = 0;
 
 	*out_of_space = false;
 
@@ -1517,7 +1517,9 @@ static bool smbd_marshall_dir_entry(TALLOC_CTX *ctx,
 	c_date = convert_timespec_to_time_t(cdate_ts);
 
 	/* align the record */
-	off = PTR_DIFF(pdata, base_data);
+	SMB_ASSERT(align >= 1);
+
+	off = (int)PTR_DIFF(pdata, base_data);
 	pad = (off + (align-1)) & ~(align-1);
 	pad -= off;
 	off += pad;
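Review bot: `SMB_ASSERT(align >= 1)` rules out a zero alignment only, but the rounding that follows, `pad = (off + (align-1)) & ~(align-1);`, is correct only when `align` is a power of two; for any other value the mask clears bits that are not the low alignment bits and `pad` is wrong. Tighten the check to `SMB_ASSERT(align >= 1 && (align & (align - 1)) == 0);`, or document at the `align` parameter that it must be a power of two. smbd_marshall_dir_entry starts and continues outside the hunk.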
@@ -1527,6 +1529,9 @@ static bool smbd_marshall_dir_entry(TALLOC_CTX *ctx,
 	}
 	space_remaining -= pad;
 
+	DEBUG(10,("smbd_marshall_dir_entry: space_remaining = %d\n",
+		space_remaining ));
+
 	pdata += pad;
 	p = pdata;
 	last_entry_ptr = p;
@@ -1641,7 +1646,10 @@ static bool smbd_marshall_dir_entry(TALLOC_CTX *ctx,
 		/* Max string size is 255 bytes. */
 		if (PTR_DIFF(p + 255 + ea_len,pdata) > space_remaining) {
 			*out_of_space = true;
-			DEBUG(9,("smbd_marshall_dir_entry: out of space\n"));
+			DEBUG(9,("smbd_marshall_dir_entry: out of space "
+				"(wanted %u, had %d)\n",
+				(unsigned int)PTR_DIFF(p + 255 + ea_len,pdata),
+				space_remaining ));
 			return False; /* Not finished - just out of space */
 		}
 
@@ -2021,7 +2029,10 @@ static bool smbd_marshall_dir_entry(TALLOC_CTX *ctx,
 
 	if (PTR_DIFF(p,pdata) > space_remaining) {
 		*out_of_space = true;
-		DEBUG(9,("smbd_marshall_dir_entry: out of space\n"));
+		DEBUG(9,("smbd_marshall_dir_entry: out of space "
+			"(wanted %u, had %d)\n",
+			(unsigned int)PTR_DIFF(p,pdata),
+			space_remaining ));
 		return false; /* Not finished - just out of space */
 	}
 

