[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Wed Sep 21 14:13:01 MDT 2011
The branch, master has been updated
via d89bbe9 Fix bug #8474 - SMB2 create doesn't cope with an Apple client using NULL blob in create
via e68ebe6 Fix bug #8473 - smb2_find uses a hard coded max reply size of 0x10000 instead of smb2_max_trans.
from 60d91f2 s3-libnet: allow to use default krb5 ccache in libnet_Join/libnet_Unjoin.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit d89bbe9b0a989b8b5b1ecbd43c063a388e122aaf
Author: Jeremy Allison <jra at samba.org>
Date: Wed Sep 21 11:40:01 2011 -0700
Fix bug #8474 - SMB2 create doesn't cope with an Apple client using NULL blob in create
Cope with zero length data_offset and data_length values.
Autobuild-User: Jeremy Allison <jra at samba.org>
Autobuild-Date: Wed Sep 21 22:12:40 CEST 2011 on sn-devel-104
commit e68ebe600d9349e16e83aeb8e6ae8647c117d098
Author: Jeremy Allison <jra at samba.org>
Date: Wed Sep 21 11:30:06 2011 -0700
Fix bug #8473 - smb2_find uses a hard coded max reply size of 0x10000 instead of smb2_max_trans.
Use lp_smb2_max_trans() instead of 0x10000.
-----------------------------------------------------------------------
Summary of changes:
libcli/smb/smb2_create_blob.c | 10 +++++++---
source3/smbd/smb2_find.c | 2 +-
2 files changed, 8 insertions(+), 4 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/smb/smb2_create_blob.c b/libcli/smb/smb2_create_blob.c
index 444dc84..b44f28a 100644
--- a/libcli/smb/smb2_create_blob.c
+++ b/libcli/smb/smb2_create_blob.c
@@ -63,9 +63,10 @@ NTSTATUS smb2_create_blob_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB buffer,
name_offset > remaining ||
name_length != 4 || /* windows enforces this */
name_offset + name_length > remaining ||
- data_offset < name_offset + name_length ||
- data_offset > remaining ||
- data_offset + (uint64_t)data_length > remaining) {
+ (data_offset && (data_offset < name_offset + name_length)) ||
+ (data_offset && (data_offset > remaining)) ||
+ (data_offset && data_length &&
+ (data_offset + (uint64_t)data_length > remaining))) {
return NT_STATUS_INVALID_PARAMETER;
}
@@ -88,6 +89,9 @@ NTSTATUS smb2_create_blob_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB buffer,
data += next;
if (remaining < 16) {
+ DEBUG(0,("smb2_create_blob_parse: remaining1 = %d, next = %d\n",
+ (int)remaining,
+ (int)next));
return NT_STATUS_INVALID_PARAMETER;
}
}
diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c
index 6c68810..509b9d6 100644
--- a/source3/smbd/smb2_find.c
+++ b/source3/smbd/smb2_find.c
@@ -281,7 +281,7 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
- if (in_output_buffer_length > 0x10000) {
+ if (in_output_buffer_length > lp_smb2_max_trans()) {
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
}
--
Samba Shared Repository
More information about the samba-cvs
mailing list