[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Thu May 13 17:01:31 MDT 2010


The branch, master has been updated
       via  056f24c... Fix bug 7399 - SMB2: QUERY_DIRECTORY is returning invalid values.
      from  49c8c13... s4:domainlevel - handle exceptions more precisely

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 056f24ce24ab395cb6fff15cb068c8d8b1affef9
Author: Jeremy Allison <jra at samba.org>
Date:   Thu May 13 15:59:09 2010 -0700

    Fix bug 7399 - SMB2: QUERY_DIRECTORY is returning invalid values.
    
    The end_data argument to smbd_dirptr_lanman2_entry() must include
    the safety margin, as internally it's actually used to allow detection
    of string name pushes that were truncated. Ensure space_remaining can
    never go negative due to padding.
    
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/smb2_find.c |    6 +++++-
 source3/smbd/trans2.c    |   10 ++++++++++
 2 files changed, 15 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c
index 66be756..6690adc 100644
--- a/source3/smbd/smb2_find.c
+++ b/source3/smbd/smb2_find.c
@@ -373,7 +373,11 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
 	state->out_output_buffer.length = 0;
 	pdata = (char *)state->out_output_buffer.data;
 	base_data = pdata;
-	end_data = pdata + in_output_buffer_length;
+	/*
+	 * end_data must include the safety margin as it's what is
+	 * used to determine if pushed strings have been truncated.
+	 */
+	end_data = pdata + in_output_buffer_length + DIR_ENTRY_SAFETY_MARGIN - 1;
 	last_entry_off = 0;
 	off = 0;
 	num = 0;
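Review bot: The new end_data assignment points past in_output_buffer_length, so it is only safe if the buffer behind state->out_output_buffer.data was allocated with at least DIR_ENTRY_SAFETY_MARGIN extra bytes, and that allocation is not visible in this hunk. Please confirm the allocation size matches, or compute both from one shared expression so they cannot drift apart. The added comment explains why the margin is included but not the "- 1"; a few words on whether end_data is meant to be the last writable byte rather than one past the end would prevent a later off-by-one when someone touches this line.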
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 5d51a7f..3fa737f 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -1523,6 +1523,16 @@ static bool smbd_marshall_dir_entry(TALLOC_CTX *ctx,
 	off = (int)PTR_DIFF(pdata, base_data);
 	pad = (off + (align-1)) & ~(align-1);
 	pad -= off;
+
+	if (pad && pad > space_remaining) {
+		*out_of_space = true;
+		DEBUG(9,("smbd_marshall_dir_entry: out of space "
+			"for padding (wanted %u, had %d)\n",
+			(unsigned int)pad,
+			space_remaining ));
+		return false; /* Not finished - just out of space */
+	}
+
 	off += pad;
 	/* initialize padding to 0 */
 	if (pad) {
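Review bot: In the new check "if (pad && pad > space_remaining)", the types being compared are not visible in the hunk, and the DEBUG call treats them differently (pad is cast to unsigned int, space_remaining is printed with %d). If pad is declared unsigned, a negative space_remaining would be converted to a large unsigned value and the check would not fire, which is the case the commit message says it wants to rule out. Consider testing space_remaining < 0 explicitly, or casting so the comparison is clearly signed. Also note that with pad == 0 the check is skipped entirely, so a space_remaining that is already negative on entry passes through here unnoticed; if that state is impossible, a short comment saying why would help.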


-- 
Samba Shared Repository

