[SCM] Samba Shared Repository - branch master updated

David Disseldorp ddiss at samba.org
Sun Aug 4 08:55:02 MDT 2013


The branch, master has been updated
       via  b35a27b Ensure we can never integer wrap when working on client-supplied max_data_bytes.
      from  852c9ac There are tests all over the SMB1 code to check that srv_send_smb fails, but it never returns false.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b35a27b77954992fc1e6db446bbfa6cfbb7547a1
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Aug 2 17:05:58 2013 -0700

    Ensure we can never integer wrap when working on client-supplied max_data_bytes.
    
    This would only be possible with SMB2, and is already checked in the upper
    SMB2 layers, but it really doesn't hurt to have these extra checks at time
    of use also.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: David Disseldorp <ddiss at samba.org>
    
    Autobuild-User(master): David Disseldorp <ddiss at samba.org>
    Autobuild-Date(master): Sun Aug  4 16:54:04 CEST 2013 on sn-devel-104

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/trans2.c |   22 ++++++++++++++++++++++
 1 files changed, 22 insertions(+), 0 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index a216f15..f769104 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -2564,6 +2564,11 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
 		}
 	}
 
+	if (max_data_bytes + DIR_ENTRY_SAFETY_MARGIN < max_data_bytes) {
+		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+		goto out;
+	}
+
 	*ppdata = (char *)SMB_REALLOC(
 		*ppdata, max_data_bytes + DIR_ENTRY_SAFETY_MARGIN);
 	if(*ppdata == NULL ) {
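Review bot: The wrap test added ahead of the SMB_REALLOC call carries no comment, and it is only meaningful if `max_data_bytes` is an unsigned type; its declaration is outside this hunk, and with a signed type the overflow would be undefined behaviour that a compiler may optimise away. A short comment above the test would record that dependency, for example `/* max_data_bytes is client-supplied and unsigned: reject values where adding the safety margin wraps. */`. The identical test is repeated in the hunks at -2893, -3150, -4368 and -4449, so the same comment applies there, and a small static helper holding the comparison would keep the five copies from drifting apart. The enclosing function starts and ends outside the hunk.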
@@ -2893,6 +2898,11 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
 		}
 	}
 
+	if (max_data_bytes + DIR_ENTRY_SAFETY_MARGIN < max_data_bytes) {
+		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+		return;
+	}
+
 	*ppdata = (char *)SMB_REALLOC(
 		*ppdata, max_data_bytes + DIR_ENTRY_SAFETY_MARGIN);
 	if(*ppdata == NULL) {
@@ -3150,6 +3160,10 @@ NTSTATUS smbd_do_qfsinfo(connection_struct *conn,
 
 	st = smb_fname.st;
 
+	if (max_data_bytes + DIR_ENTRY_SAFETY_MARGIN < max_data_bytes) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	*ppdata = (char *)SMB_REALLOC(
 		*ppdata, max_data_bytes + DIR_ENTRY_SAFETY_MARGIN);
 	if (*ppdata == NULL) {
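Review bot: The guard added to smbd_do_qfsinfo rejects only arithmetic wrap, so a `max_data_bytes` just below the wrap point still reaches SMB_REALLOC with a size close to the type's maximum, leaving the `*ppdata == NULL` test that follows as the only remaining protection. The commit message says the upper SMB2 layers already bound this value; if this function relies on that bound, a comment beside the check should say so, or the bound should be enforced here against whatever limit the caller negotiated. The check also sits after `st = smb_fname.st;`, so the client-supplied size is validated only after earlier work in the function, which begins outside the hunk. Validating it at entry would fail faster.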
@@ -4368,6 +4382,10 @@ static void call_trans2qpipeinfo(connection_struct *conn,
 	}
 	params = *pparams;
 	SSVAL(params,0,0);
+	if (max_data_bytes + DIR_ENTRY_SAFETY_MARGIN < max_data_bytes) {
+		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+		return;
+	}
 	data_size = max_data_bytes + DIR_ENTRY_SAFETY_MARGIN;
 	*ppdata = (char *)SMB_REALLOC(*ppdata, data_size); 
 	if (*ppdata == NULL ) {
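Review bot: In call_trans2qpipeinfo the sum `max_data_bytes + DIR_ENTRY_SAFETY_MARGIN` is evaluated once for the test and again for `data_size`, so the value that is checked is not the variable handed to SMB_REALLOC. Assigning first and testing the stored value ties the two together: `data_size = max_data_bytes + DIR_ENTRY_SAFETY_MARGIN;` followed by `if (data_size < max_data_bytes) {`. That form would also catch truncation if `data_size` turned out to be narrower than `max_data_bytes`; both declarations are outside the hunk, so this is an assumption to confirm. The same applies to the smbd_do_qfilepathinfo hunk at -4449.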
@@ -4449,6 +4467,10 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn,
 		nlink -= 1;
 	}
 
+	if (max_data_bytes + DIR_ENTRY_SAFETY_MARGIN < max_data_bytes) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	data_size = max_data_bytes + DIR_ENTRY_SAFETY_MARGIN;
 	*ppdata = (char *)SMB_REALLOC(*ppdata, data_size); 
 	if (*ppdata == NULL) {


-- 
Samba Shared Repository

