[SCM] Samba Shared Repository - branch v4-0-test updated

Karolin Seeger kseeger at samba.org
Thu Dec 6 03:19:05 MST 2012


The branch, v4-0-test has been updated
       via  9339c45 Fix bug #9460 - Samba 3.6.x and Master respond incorrectly to FILE_STREAM_INFO requests.
      from  ef7e06b BUG 9459: Install manpages only if we install the target.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test


- Log -----------------------------------------------------------------
commit 9339c45ea68cbfedecfb8f83f723017ce74fa7be
Author: Richard Sharpe <realrichardsharpe at gmail.com>
Date:   Tue Dec 4 17:21:29 2012 -0800

    Fix bug #9460 - Samba 3.6.x and Master respond incorrectly to FILE_STREAM_INFO requests.
    
    Ensure we check the buffer size correctly.
    
    Reviewed by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Thu Dec  6 01:31:08 CET 2012 on sn-devel-104
    (cherry picked from commit 943797c232f96a5dd411a803ad90b6980b2785b0)
    
    Autobuild-User(v4-0-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-0-test): Thu Dec  6 11:18:17 CET 2012 on sn-devel-104

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/trans2.c |   23 ++++++++++++++++++++++-
 1 files changed, 22 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 5d2cd15..9b15698 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -4158,7 +4158,7 @@ static NTSTATUS marshall_stream_info(unsigned int num_streams,
 	unsigned int i;
 	unsigned int ofs = 0;
 
-	for (i = 0; i < num_streams && ofs <= max_data_bytes; i++) {
+	for (i = 0; i < num_streams; i++) {
 		unsigned int next_offset;
 		size_t namelen;
 		smb_ucs2_t *namebuf;
@@ -4177,6 +4177,16 @@ static NTSTATUS marshall_stream_info(unsigned int num_streams,
 
 		namelen -= 2;
 
+		/*
+		 * We cannot overflow ...
+		 */
+		if ((ofs + 24 + namelen) > max_data_bytes) {
+			DEBUG(10, ("refusing to overflow reply at stream %u\n",
+				i));
+			TALLOC_FREE(namebuf);
+			return STATUS_BUFFER_OVERFLOW;
+		}
+
 		SIVAL(data, ofs+4, namelen);
 		SOFF_T(data, ofs+8, streams[i].size);
 		SOFF_T(data, ofs+16, streams[i].alloc_size);
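Review bot: The new guard `(ofs + 24 + namelen) > max_data_bytes` is written as a sum, so it is only sound if that sum cannot wrap; the declaration of `max_data_bytes` and any bound on `namelen` are outside the hunk, so this should be confirmed or the test rewritten in subtraction form, e.g. `if (ofs > max_data_bytes || max_data_bytes - ofs < 24 || namelen > max_data_bytes - ofs - 24)`. The same additive pattern appears in the alignment check `(next_offset + align) > max_data_bytes` in the next hunk. The comment `We cannot overflow ...` also does not say what 24 is; judging from the writes at `ofs+4`, `ofs+8` and `ofs+16` it is the fixed per-entry header, so a comment such as `/* 24-byte fixed entry header plus namelen bytes of name must fit in max_data_bytes */` would make the bound auditable. The loop body starts and ends outside this hunk.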
@@ -4191,6 +4201,14 @@ static NTSTATUS marshall_stream_info(unsigned int num_streams,
 		else {
 			unsigned int align = ndr_align_size(next_offset, 8);
 
+			if ((next_offset + align) > max_data_bytes) {
+				DEBUG(10, ("refusing to overflow align "
+					"reply at stream %u\n",
+					i));
+				TALLOC_FREE(namebuf);
+				return STATUS_BUFFER_OVERFLOW;
+			}
+
 			memset(data+next_offset, 0, align);
 			next_offset += align;
 
@@ -4201,6 +4219,8 @@ static NTSTATUS marshall_stream_info(unsigned int num_streams,
 		ofs = next_offset;
 	}
 
+	DEBUG(10, ("max_data: %u, data_size: %u\n", max_data_bytes, ofs));
+
 	*data_size = ofs;
 
 	return NT_STATUS_OK;
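Review bot: `*data_size` is assigned only here on the success path, while the two `STATUS_BUFFER_OVERFLOW` returns added earlier in this commit exit after earlier entries may already have been written into `data`. A header comment on marshall_stream_info should state that contract, for example `/* On any non-OK return *data_size is not set and the contents of data must not be sent. */`, so that a future caller does not treat the overflow status as a partial result and build a reply from a length it never received. The caller visible in the last hunk does return on any non-OK status; other callers, if any, are outside this page.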
@@ -4800,6 +4820,7 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn,
 			if (!NT_STATUS_IS_OK(status)) {
 				DEBUG(10, ("marshall_stream_info failed: %s\n",
 					   nt_errstr(status)));
+				TALLOC_FREE(streams);
 				return status;
 			}
 


-- 
Samba Shared Repository

