[SCM] Samba Shared Repository - branch master updated

Volker Lendecke vlendec at samba.org
Sun Aug 14 00:49:01 MDT 2011


The branch, master has been updated
       via  1022c28 s3: Fix bug 8360
      from  d2d2e7a s3-passdb: Fix python < 2.6 build errors in passdb python wrapper

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 1022c28e15acfc68aedc8b6853417d2f1f357f2a
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Aug 11 16:52:22 2011 +0200

    s3: Fix bug 8360
    
    OS/2 sends an unexpected write&x/read&x chain
    
    Autobuild-User: Volker Lendecke <vlendec at samba.org>
    Autobuild-Date: Sun Aug 14 08:48:58 CEST 2011 on sn-devel-104

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/process.c |   23 ++++++++++++++++-------
 1 files changed, 16 insertions(+), 7 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index f542dcd..6d391df 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -2025,15 +2025,24 @@ void chain_reply(struct smb_request *req)
 	SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, smblen);
 
 	/*
-	 * Check if the client tries to fool us. The request so far uses the
-	 * space to the end of the byte buffer in the request just
-	 * processed. The chain_offset can't point into that area. If that was
-	 * the case, we could end up with an endless processing of the chain,
-	 * we would always handle the same request.
+	 * Check if the client tries to fool us. The chain offset
+	 * needs to point beyond the current request in the chain, it
+	 * needs to strictly grow. Otherwise we might be tricked into
+	 * an endless loop always processing the same request over and
+	 * over again. We used to assume that vwv and the byte buffer
+	 * array in a chain are always attached, but OS/2 the
+	 * Write&X/Read&X chain puts the Read&X vwv array right behind
+	 * the Write&X vwv chain. The Write&X bcc array is put behind
+	 * the Read&X vwv array. So now we check whether the chain
+	 * offset points strictly behind the previous vwv
+	 * array. req->buf points right after the vwv array of the
+	 * previous request. See
+	 * https://bugzilla.samba.org/show_bug.cgi?id=8360 for more
+	 * information.
 	 */
 
-	already_used = PTR_DIFF(req->buf+req->buflen, smb_base(req->inbuf));
-	if (chain_offset < already_used) {
+	already_used = PTR_DIFF(req->buf, smb_base(req->inbuf));
+	if (chain_offset <= already_used) {
 		goto error;
 	}
 
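Review bot: With already_used now taken from req->buf rather than req->buf+req->buflen, the `chain_offset <= already_used` test at the end of the hunk no longer keeps the next chained request out of the previous request's byte buffer, so its header may overlap bytes already consumed as data. Strict growth still rules out handling the same request again, which is the loop the comment describes, but nothing in this hunk puts an upper bound on chain_offset. Please confirm it is checked against smblen before it is used, and state that in the comment. The name already_used no longer matches what it holds, which per the comment is the offset just past the previous vwv array; a name that says so would read better. The comment also has two wording slips: "but OS/2 the Write&X/Read&X chain" is missing words, and "Write&X vwv chain" presumably means "Write&X vwv array".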


-- 
Samba Shared Repository

