[SCM] Samba Shared Repository - branch v3-6-test updated

Jeremy Allison jra at samba.org
Thu Oct 7 13:09:21 MDT 2010


The branch, v3-6-test has been updated
       via  27191b4 s3: Fix the async echo responder for netbios keepalives
      from  547fbb3 samr: for correctness, rename samr_RidTypeArray to samr_RidAttrArray.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test


- Log -----------------------------------------------------------------
commit 27191b4ea1a35663a2d93f8076be59a78fab4948
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Oct 6 18:24:13 2010 +0200

    s3: Fix the async echo responder for netbios keepalives
    
    This fixes a crash in the echo responder when the client started to send the
    NetBIOS-Level 0x85-style keepalive packets. We did not correctly check the
    packet length, so the code writing the signing seqnum overwrote memory after
    the malloc'ed area for the 4 byte keepalive packet.

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/process.c |   33 +++++++++++++++++++++++----------
 1 files changed, 23 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index bb927ef..1980a45 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -2583,6 +2583,14 @@ static bool smbd_echo_reply(int fd,
 	char *outbuf;
 	bool ok;
 
+	if ((inbuf_len == 4) && (CVAL(inbuf, 0) == SMBkeepalive)) {
+		DEBUG(10, ("Got netbios keepalive\n"));
+		/*
+		 * Just swallow it
+		 */
+		return true;
+	}
+
 	if (inbuf_len < smb_size) {
 		DEBUG(10, ("Got short packet: %d bytes\n", (int)inbuf_len));
 		return false;
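Review bot: The comment `Just swallow it` on the new keepalive branch does not say why `return true` is the right result. Judging from the later hunk in smbd_echo_reader, a true return appears to make the caller drop the pending packet rather than forward it to the main process, which is what keeps a 4-byte buffer away from the seqnum write. I would spell that out, for example `/* No SMB header follows a keepalive: report it as handled so the caller drops it instead of forwarding it */`. The check matches only `inbuf_len == 4`, so any other packet shorter than `smb_size` still takes the `return false` path below and is forwarded. The body of smbd_echo_reply starts and continues outside this hunk.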
@@ -2720,13 +2728,6 @@ static void smbd_echo_reader(struct tevent_context *ev,
 		exit(1);
 	}
 
-	/*
-	 * place the seqnum in the packet so that the main process can reply
-	 * with signing
-	 */
-	SIVAL((uint8_t *)state->pending[num_pending].iov_base, smb_ss_field, seqnum);
-	SIVAL((uint8_t *)state->pending[num_pending].iov_base, smb_ss_field+4, NT_STATUS_V(NT_STATUS_OK));
-
 	reply = smbd_echo_reply(smbd_server_fd(),
 				(uint8_t *)state->pending[num_pending].iov_base,
 				state->pending[num_pending].iov_len,
@@ -2737,10 +2738,22 @@ static void smbd_echo_reader(struct tevent_context *ev,
 		state->pending = talloc_realloc(state, state->pending,
 						struct iovec,
 						num_pending);
-	} else {
-		DEBUG(10,("echo_handler[%d]: forward to main\n", (int)sys_getpid()));
-		smbd_echo_activate_writer(state);
+		return;
+	}
+
+	if (state->pending[num_pending].iov_len >= smb_size) {
+		/*
+		 * place the seqnum in the packet so that the main process
+		 * can reply with signing
+		 */
+		SIVAL((uint8_t *)state->pending[num_pending].iov_base,
+		      smb_ss_field, seqnum);
+		SIVAL((uint8_t *)state->pending[num_pending].iov_base,
+		      smb_ss_field+4, NT_STATUS_V(NT_STATUS_OK));
 	}
+
+	DEBUG(10,("echo_handler[%d]: forward to main\n", (int)sys_getpid()));
+	smbd_echo_activate_writer(state);
 }
 
 static void smbd_echo_loop(struct smbd_server_connection *sconn,
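Review bot: The new guard `if (state->pending[num_pending].iov_len >= smb_size)` protects two 4-byte writes at `smb_ss_field` and `smb_ss_field+4`, but nothing in the hunk states that `smb_size` is at least `smb_ss_field + 8`. That relation presumably holds in the header definitions, yet it is the whole safety argument for this fix, so I would record it in the comment, for example `/* a packet of at least smb_size bytes has room for the 8 bytes written at smb_ss_field */`, or test `iov_len >= smb_ss_field + 8` directly. The same `smb_size` threshold is also checked inside smbd_echo_reply, so a short note that the two must stay in step would help. Packets shorter than `smb_size` now reach `smbd_echo_activate_writer` without a seqnum, and it is worth confirming that the main process rejects them on length before reading that field. smbd_echo_reader begins outside this hunk.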


-- 
Samba Shared Repository

