[SCM] Samba Shared Repository - branch v4-0-test updated
Karolin Seeger
kseeger at samba.org
Thu Dec 6 03:19:05 MST 2012
The branch, v4-0-test has been updated
via 9339c45 Fix bug #9460 - Samba 3.6.x and Master respond incorrectly to FILE_STREAM_INFO requests.
from ef7e06b BUG 9459: Install manpages only if we install the target.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test
- Log -----------------------------------------------------------------
commit 9339c45ea68cbfedecfb8f83f723017ce74fa7be
Author: Richard Sharpe <realrichardsharpe at gmail.com>
Date: Tue Dec 4 17:21:29 2012 -0800
Fix bug #9460 - Samba 3.6.x and Master respond incorrectly to FILE_STREAM_INFO requests.
Ensure we check the buffer size correctly.
Reviewed by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Dec 6 01:31:08 CET 2012 on sn-devel-104
(cherry picked from commit 943797c232f96a5dd411a803ad90b6980b2785b0)
Autobuild-User(v4-0-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-0-test): Thu Dec 6 11:18:17 CET 2012 on sn-devel-104
-----------------------------------------------------------------------
Summary of changes:
source3/smbd/trans2.c | 23 ++++++++++++++++++++++-
1 files changed, 22 insertions(+), 1 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 5d2cd15..9b15698 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -4158,7 +4158,7 @@ static NTSTATUS marshall_stream_info(unsigned int num_streams,
unsigned int i;
unsigned int ofs = 0;
- for (i = 0; i < num_streams && ofs <= max_data_bytes; i++) {
+ for (i = 0; i < num_streams; i++) {
unsigned int next_offset;
size_t namelen;
smb_ucs2_t *namebuf;
@@ -4177,6 +4177,16 @@ static NTSTATUS marshall_stream_info(unsigned int num_streams,
namelen -= 2;
+ /*
+ * We cannot overflow ...
+ */
+ if ((ofs + 24 + namelen) > max_data_bytes) {
+ DEBUG(10, ("refusing to overflow reply at stream %u\n",
+ i));
+ TALLOC_FREE(namebuf);
+ return STATUS_BUFFER_OVERFLOW;
+ }
+
SIVAL(data, ofs+4, namelen);
SOFF_T(data, ofs+8, streams[i].size);
SOFF_T(data, ofs+16, streams[i].alloc_size);
@@ -4191,6 +4201,14 @@ static NTSTATUS marshall_stream_info(unsigned int num_streams,
else {
unsigned int align = ndr_align_size(next_offset, 8);
+ if ((next_offset + align) > max_data_bytes) {
+ DEBUG(10, ("refusing to overflow align "
+ "reply at stream %u\n",
+ i));
+ TALLOC_FREE(namebuf);
+ return STATUS_BUFFER_OVERFLOW;
+ }
+
memset(data+next_offset, 0, align);
next_offset += align;
@@ -4201,6 +4219,8 @@ static NTSTATUS marshall_stream_info(unsigned int num_streams,
ofs = next_offset;
}
+ DEBUG(10, ("max_data: %u, data_size: %u\n", max_data_bytes, ofs));
+
*data_size = ofs;
return NT_STATUS_OK;
@@ -4800,6 +4820,7 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn,
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("marshall_stream_info failed: %s\n",
nt_errstr(status)));
+ TALLOC_FREE(streams);
return status;
}
--
Samba Shared Repository
More information about the samba-cvs
mailing list