[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Thu May 13 17:01:31 MDT 2010
The branch, master has been updated
via 056f24c... Fix bug 7399 - SMB2: QUERY_DIRECTORY is returning invalid values.
from 49c8c13... s4:domainlevel - handle exceptions more precisely
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 056f24ce24ab395cb6fff15cb068c8d8b1affef9
Author: Jeremy Allison <jra at samba.org>
Date: Thu May 13 15:59:09 2010 -0700
Fix bug 7399 - SMB2: QUERY_DIRECTORY is returning invalid values.
The end_data argument to smbd_dirptr_lanman2_entry() must include
the safety margin, as internally it's actually used to allow detection
of string name pushes that were truncated. Ensure space_remaining can
never go negative due to padding.
Jeremy.
-----------------------------------------------------------------------
Summary of changes:
source3/smbd/smb2_find.c | 6 +++++-
source3/smbd/trans2.c | 10 ++++++++++
2 files changed, 15 insertions(+), 1 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c
index 66be756..6690adc 100644
--- a/source3/smbd/smb2_find.c
+++ b/source3/smbd/smb2_find.c
@@ -373,7 +373,11 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
state->out_output_buffer.length = 0;
pdata = (char *)state->out_output_buffer.data;
base_data = pdata;
- end_data = pdata + in_output_buffer_length;
+ /*
+ * end_data must include the safety margin as it's what is
+ * used to determine if pushed strings have been truncated.
+ */
+ end_data = pdata + in_output_buffer_length + DIR_ENTRY_SAFETY_MARGIN - 1;
last_entry_off = 0;
off = 0;
num = 0;
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 5d51a7f..3fa737f 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -1523,6 +1523,16 @@ static bool smbd_marshall_dir_entry(TALLOC_CTX *ctx,
off = (int)PTR_DIFF(pdata, base_data);
pad = (off + (align-1)) & ~(align-1);
pad -= off;
+
+ if (pad && pad > space_remaining) {
+ *out_of_space = true;
+ DEBUG(9,("smbd_marshall_dir_entry: out of space "
+ "for padding (wanted %u, had %d)\n",
+ (unsigned int)pad,
+ space_remaining ));
+ return false; /* Not finished - just out of space */
+ }
+
off += pad;
/* initialize padding to 0 */
if (pad) {
--
Samba Shared Repository
More information about the samba-cvs
mailing list