[SCM] Samba Shared Repository - branch master updated

Fri Nov 18 07:14:04 MST 2011

The branch, master has been updated
       via  20df0f3 s3:libsmb: verify num_setup for SMBnttrans in cli_pull_trans()
       via  d3cb61c s3:libsmb: fix compiler warning in cli_pull_trans()
       via  48bcb8c s3:libsmb: only align unicode pipe_name (bug #8586)
      from  2642f38 s3: Fix bug 8371

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 20df0f34a8670f0dd5f3eaeb74af900f535bbe01
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 18 13:20:43 2011 +0100

    s3:libsmb: verify num_setup for SMBnttrans in cli_pull_trans()
    
    metze
    
    Autobuild-User: Stefan Metzmacher <metze at samba.org>
    Autobuild-Date: Fri Nov 18 15:13:52 CET 2011 on sn-devel-104

commit d3cb61cf05485eda26280186bfa3850e2e6bcca9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 18 13:19:19 2011 +0100

    s3:libsmb: fix compiler warning in cli_pull_trans()
    
    metze

commit 48bcb8c846532ccd5489ef705182fb81c5278b04
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 18 08:40:18 2011 +0100

    s3:libsmb: only align unicode pipe_name (bug #8586)
    
    metze

-----------------------------------------------------------------------

Summary of changes:
 source3/libsmb/clitrans.c |   26 ++++++++++++++++++--------
 1 files changed, 18 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/clitrans.c b/source3/libsmb/clitrans.c
index 4bc9f4a..5c73e2d 100644
--- a/source3/libsmb/clitrans.c
+++ b/source3/libsmb/clitrans.c
@@ -85,6 +85,7 @@ static NTSTATUS cli_pull_trans(uint8_t *inbuf,
 			       uint32_t *pdata_disp, uint8_t **pdata)
 {
 	uint32_t param_ofs, data_ofs;
+	uint8_t expected_num_setup;
 
 	if (expect_first_reply) {
 		if ((wct != 0) || (num_bytes != 0)) {
@@ -99,6 +100,7 @@ static NTSTATUS cli_pull_trans(uint8_t *inbuf,
 		if (wct < 10) {
 			return NT_STATUS_INVALID_NETWORK_RESPONSE;
 		}
+		expected_num_setup = wct - 10;
 		*ptotal_param	= SVAL(vwv + 0, 0);
 		*ptotal_data	= SVAL(vwv + 1, 0);
 		*pnum_param	= SVAL(vwv + 3, 0);
@@ -108,7 +110,7 @@ static NTSTATUS cli_pull_trans(uint8_t *inbuf,
 		data_ofs	= SVAL(vwv + 7, 0);
 		*pdata_disp	= SVAL(vwv + 8, 0);
 		*pnum_setup	= CVAL(vwv + 9, 0);
-		if (wct < 10 + (*pnum_setup)) {
+		if (expected_num_setup < (*pnum_setup)) {
 			return NT_STATUS_INVALID_NETWORK_RESPONSE;
 		}
 		*psetup = vwv + 10;
@@ -118,6 +120,7 @@ static NTSTATUS cli_pull_trans(uint8_t *inbuf,
 		if (wct < 18) {
 			return NT_STATUS_INVALID_NETWORK_RESPONSE;
 		}
+		expected_num_setup = wct - 18;
 		*ptotal_param	= IVAL(vwv, 3);
 		*ptotal_data	= IVAL(vwv, 7);
 		*pnum_param	= IVAL(vwv, 11);
@@ -127,6 +130,9 @@ static NTSTATUS cli_pull_trans(uint8_t *inbuf,
 		data_ofs	= IVAL(vwv, 27);
 		*pdata_disp	= IVAL(vwv, 31);
 		*pnum_setup	= CVAL(vwv, 35);
+		if (expected_num_setup < (*pnum_setup)) {
+			return NT_STATUS_INVALID_NETWORK_RESPONSE;
+		}
 		*psetup		= vwv + 18;
 		break;
 
@@ -209,14 +215,18 @@ static void cli_trans_format(struct cli_trans_state *state, uint8_t *pwct,
 
 	switch (cmd) {
 	case SMBtrans:
-		pad[0] = 0;
-		iov[0].iov_base = (void *)pad;
-		iov[0].iov_len = 1;
-		iov[1].iov_base = (void *)state->pipe_name_conv;
-		iov[1].iov_len = state->pipe_name_conv_len;
+		if (cli_ucs2(state->cli)) {
+			pad[0] = 0;
+			iov[0].iov_base = (void *)pad;
+			iov[0].iov_len = 1;
+			param_offset += 1;
+			iov += 1;
+		}
+		iov[0].iov_base = (void *)state->pipe_name_conv;
+		iov[0].iov_len = state->pipe_name_conv_len;
 		wct = 14 + state->num_setup;
-		param_offset += iov[0].iov_len + iov[1].iov_len;
-		iov += 2;
+		param_offset += iov[0].iov_len;
+		iov += 1;
 		break;
 	case SMBtrans2:
 		pad[0] = 0;


-- 
Samba Shared Repository
