[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Wed Sep 21 14:13:01 MDT 2011


The branch, master has been updated
       via  d89bbe9 Fix bug #8474 - SMB2 create doesn't cope with an Apple client using NULL blob in create
       via  e68ebe6 Fix bug #8473 - smb2_find uses a hard coded max reply size of 0x10000 instead of smb2_max_trans.
      from  60d91f2 s3-libnet: allow to use default krb5 ccache in libnet_Join/libnet_Unjoin.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d89bbe9b0a989b8b5b1ecbd43c063a388e122aaf
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Sep 21 11:40:01 2011 -0700

    Fix bug #8474 - SMB2 create doesn't cope with an Apple client using NULL blob in create
    
    Cope with zero length data_offset and data_length values.
    
    Autobuild-User: Jeremy Allison <jra at samba.org>
    Autobuild-Date: Wed Sep 21 22:12:40 CEST 2011 on sn-devel-104

commit e68ebe600d9349e16e83aeb8e6ae8647c117d098
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Sep 21 11:30:06 2011 -0700

    Fix bug #8473 - smb2_find uses a hard coded max reply size of 0x10000 instead of smb2_max_trans.
    
    Use lp_smb2_max_trans() instead of 0x10000.

-----------------------------------------------------------------------

Summary of changes:
 libcli/smb/smb2_create_blob.c |   10 +++++++---
 source3/smbd/smb2_find.c      |    2 +-
 2 files changed, 8 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/smb/smb2_create_blob.c b/libcli/smb/smb2_create_blob.c
index 444dc84..b44f28a 100644
--- a/libcli/smb/smb2_create_blob.c
+++ b/libcli/smb/smb2_create_blob.c
@@ -63,9 +63,10 @@ NTSTATUS smb2_create_blob_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB buffer,
 		    name_offset > remaining ||
 		    name_length != 4 || /* windows enforces this */
 		    name_offset + name_length > remaining ||
-		    data_offset < name_offset + name_length ||
-		    data_offset > remaining ||
-		    data_offset + (uint64_t)data_length > remaining) {
+		    (data_offset && (data_offset < name_offset + name_length)) ||
+		    (data_offset && (data_offset > remaining)) ||
+		    (data_offset && data_length &&
+				(data_offset + (uint64_t)data_length > remaining))) {
 			return NT_STATUS_INVALID_PARAMETER;
 		}
 
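Review bot: the new `(data_offset && data_length && ...)` clause skips the end-of-buffer check entirely when data_offset is 0 but data_length is non-zero, so a blob that advertises a data length without an offset now passes validation; unless the code further down treats the data as empty whenever data_offset is 0, reject that combination explicitly, e.g. add `(data_offset == 0 && data_length != 0) ||` to the condition. The three repeated `data_offset &&` prefixes could also be folded into one `(data_offset && (... || ... || ...))` clause, which reads closer to the stated intent of accepting an all-zero data descriptor.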
@@ -88,6 +89,9 @@ NTSTATUS smb2_create_blob_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB buffer,
 		data += next;
 
 		if (remaining < 16) {
+			DEBUG(0,("smb2_create_blob_parse: remaining1 = %d, next = %d\n",
+				(int)remaining,
+				(int)next));
 			return NT_STATUS_INVALID_PARAMETER;
 		}
 	}
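Review bot: the added DEBUG(0, ...) logs at the highest level on a client-supplied blob that fails the `remaining < 16` check, so any peer sending malformed create requests can fill the log at level 0; the `remaining1` label suggests this was a tracing aid left over from chasing bug #8474. Suggest dropping it, or lowering it to a verbose level such as DEBUG(10, ...) with a message that names what was malformed.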
diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c
index 6c68810..509b9d6 100644
--- a/source3/smbd/smb2_find.c
+++ b/source3/smbd/smb2_find.c
@@ -281,7 +281,7 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
 		return tevent_req_post(req, ev);
 	}
 
-	if (in_output_buffer_length > 0x10000) {
+	if (in_output_buffer_length > lp_smb2_max_trans()) {
 		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
 		return tevent_req_post(req, ev);
 	}
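Review bot: the limit now comes from lp_smb2_max_trans(), which an administrator may configure above the previous hard-coded 0x10000; this hunk only shows the check, so please confirm that the buffer the find reply is built into is sized from the same parameter rather than a separate constant, otherwise a configured limit above 64 KiB lets in_output_buffer_length exceed what is actually allocated. A short comment on why the bound must match the negotiated max trans size would help the next reader.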


-- 
Samba Shared Repository
