[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Tue Dec 1 02:43:04 UTC 2015
The branch, master has been updated
via 3bbd8d3 libcli/smb: fix BUFFER_OVERFLOW handling in tstream_smbXcli_np
via 0e8d33f libcli/smb: correctly handle STATUS_BUFFER_OVERFLOW in smb1cli_readx*
via 68850f3 libcli/smb: correctly handle STATUS_BUFFER_OVERFLOW in smb2cli_query_info*
via b47bfce libcli/smb: correctly handle STATUS_BUFFER_OVERFLOW in smb2cli_read*
via 91e12e0 libcli/smb: make sure we have a body size of 0x31 before dereferencing an ioctl response
via 58d4e77 smbd: Fix a comment
via 797be47 smbd: Simplify a boolean expression
via 49912f2 smbd: Fix a typo
via b3a9b88 librpc: Fix a possible array out of bounds access
via 87f8bdd lib: Fix an array subscript is above array bounds error
from c2de842 s3:talloc_dict: fix a SIGBUS when dereferencing unaligned pointers
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 3bbd8d3614af641535ab0925303ad07c03c4e094
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 27 18:19:38 2015 +0100
libcli/smb: fix BUFFER_OVERFLOW handling in tstream_smbXcli_np
The special error is not NT_STATUS_BUFFER_TOO_SMALL, but STATUS_BUFFER_OVERFLOW.
Tested using TSTREAM_SMBXCLI_NP_MAX_BUF_SIZE == 20 and running
the following commands against a Windows 2012R2 server:
bin/smbtorture ncacn_np:SERVER[] rpc.lsa-getuser
bin/smbtorture ncacn_np:SERVER[smb2] rpc.lsa-getuser
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11623
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Dec 1 03:42:52 CET 2015 on sn-devel-104
commit 0e8d33fb5ffd6fdb0e503c5ff59e3635bbf10041
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 27 19:10:01 2015 +0100
libcli/smb: correctly handle STATUS_BUFFER_OVERFLOW in smb1cli_readx*
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11623
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 68850f3f56e9b28b298c1bc3a6249f9c26602217
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 27 19:10:01 2015 +0100
libcli/smb: correctly handle STATUS_BUFFER_OVERFLOW in smb2cli_query_info*
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11623
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit b47bfce6781ea3be2b85cbef348107eda4f98860
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 27 19:10:01 2015 +0100
libcli/smb: correctly handle STATUS_BUFFER_OVERFLOW in smb2cli_read*
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11623
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 91e12e04fc05a0b09b70ca2986aab9b96a8a035c
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 27 17:31:04 2015 +0100
libcli/smb: make sure we have a body size of 0x31 before dereferencing an ioctl response
Found by valgrind, reported by Noel Power <nopower at suse.com>:
==7913== Invalid read of size 1
==7913== at 0xC4F23EE: smb2cli_ioctl_done (smb2cli_ioctl.c:245)
==7913== by 0x747A744: _tevent_req_notify_callback (tevent_req.c:112)
==7913== by 0x747A817: tevent_req_finish (tevent_req.c:149)
==7913== by 0x747A93C: tevent_req_trigger (tevent_req.c:206)
==7913== by 0x7479B2B: tevent_common_loop_immediate (tevent_immediate.c:135)
==7913== by 0xA9CB4BE: run_events_poll (events.c:192)
==7913== by 0xA9CBB32: s3_event_loop_once (events.c:303)
==7913== by 0x7478C72: _tevent_loop_once (tevent.c:533)
==7913== by 0x747AACD: tevent_req_poll (tevent_req.c:256)
==7913== by 0x505315D: tevent_req_poll_ntstatus (tevent_ntstatus.c:109)
==7913== by 0xA7201F2: cli_tree_connect (cliconnect.c:2764)
==7913== by 0x165FF7: cm_prepare_connection (winbindd_cm.c:1276)
==7913== Address 0x16ce24ec is 764 bytes inside a block of size 813 alloc'd
==7913== at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==7913== by 0x768A0C1: __talloc_with_prefix (talloc.c:668)
==7913== by 0x768A27E: _talloc_pool (talloc.c:721)
==7913== by 0x768A41E: _talloc_pooled_object (talloc.c:790)
==7913== by 0x747A594: _tevent_req_create (tevent_req.c:66)
==7913== by 0xCF6E2FA: read_packet_send (async_sock.c:414)
==7913== by 0xCF6EB54: read_smb_send (read_smb.c:54)
==7913== by 0xC4DA146: smbXcli_conn_receive_next (smbXcli_base.c:1027)
==7913== by 0xC4DA02D: smbXcli_req_set_pending (smbXcli_base.c:978)
==7913== by 0xC4DF776: smb2cli_req_compound_submit (smbXcli_base.c:3166)
==7913== by 0xC4DFC1D: smb2cli_req_send (smbXcli_base.c:3268)
==7913== by 0xC4F2210: smb2cli_ioctl_send (smb2cli_ioctl.c:149)
==7913==
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11622
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 58d4e77a85c125106973be54e8229b79fee8ffe6
Author: Volker Lendecke <vl at samba.org>
Date: Mon Nov 30 21:40:22 2015 +0100
smbd: Fix a comment
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 797be479dd6fc90030438b2364bee0e2d36d3d7c
Author: Volker Lendecke <vl at samba.org>
Date: Mon Nov 30 16:22:07 2015 +0100
smbd: Simplify a boolean expression
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 49912f21475368f686d726f075042de1bdd0365a
Author: Volker Lendecke <vl at samba.org>
Date: Mon Nov 30 16:20:58 2015 +0100
smbd: Fix a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit b3a9b88702c7440c43699255517310ea380a36db
Author: Andreas Schneider <asn at samba.org>
Date: Wed Nov 25 12:35:59 2015 +0100
librpc: Fix a possible array out of bounds access
Reported by gcc 5.1.1.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 87f8bddffee554bc9e385e084741525abd2bab79
Author: Andreas Schneider <asn at samba.org>
Date: Wed Nov 25 12:20:23 2015 +0100
lib: Fix an array subscript is above array bounds error
gcc 5.1.1 complains with:
lib/util/idtree.c:184:15: error: array subscript is above array bounds
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
-----------------------------------------------------------------------
Summary of changes:
lib/util/idtree.c | 7 +++-
libcli/smb/smb1cli_read.c | 53 +++++++++++++++++---------
libcli/smb/smb2cli_ioctl.c | 84 +++++++++++++++++++++++------------------
libcli/smb/smb2cli_query_info.c | 24 +++++++++---
libcli/smb/smb2cli_read.c | 26 ++++++++++---
libcli/smb/tstream_smbXcli_np.c | 13 +++++--
librpc/rpc/binding.c | 2 +-
source3/smbd/reply.c | 6 +--
8 files changed, 142 insertions(+), 73 deletions(-)
Changeset truncated at 500 lines:
diff --git a/lib/util/idtree.c b/lib/util/idtree.c
index 2104c74..e2cfcc5 100644
--- a/lib/util/idtree.c
+++ b/lib/util/idtree.c
@@ -181,8 +181,13 @@ restart:
*/
n = id;
while (p->bitmap == IDR_FULL) {
- if (!(p = pa[++l]))
+ if (l >= MAX_LEVEL) {
break;
+ }
+ p = pa[++l];
+ if (p == NULL) {
+ break;
+ }
n = n >> IDR_BITS;
set_bit((n & IDR_MASK), p->bitmap);
}
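Review bot: the new guard `if (l >= MAX_LEVEL)` tests l before `p = pa[++l]` increments it, so the largest index read is pa[MAX_LEVEL]. That is in bounds only if pa is declared with at least MAX_LEVEL + 1 entries, and the declaration is outside this hunk. Please confirm the array size and add a short comment saying which bound the check enforces.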
diff --git a/libcli/smb/smb1cli_read.c b/libcli/smb/smb1cli_read.c
index ab250ab..d7a7f43 100644
--- a/libcli/smb/smb1cli_read.c
+++ b/libcli/smb/smb1cli_read.c
@@ -26,9 +26,9 @@
struct smb1cli_readx_state {
uint32_t size;
uint16_t vwv[12];
- NTSTATUS status;
uint32_t received;
uint8_t *buf;
+ bool out_valid;
};
static void smb1cli_readx_done(struct tevent_req *subreq);
@@ -131,27 +131,36 @@ static void smb1cli_readx_done(struct tevent_req *subreq)
uint8_t *bytes;
uint16_t data_offset;
uint32_t bytes_offset;
+ NTSTATUS status;
static const struct smb1cli_req_expected_response expected[] = {
{
.status = NT_STATUS_OK,
.wct = 0x0C
},
+ {
+ .status = STATUS_BUFFER_OVERFLOW,
+ .wct = 0x0C
+ },
};
- state->status = smb1cli_req_recv(subreq, state,
- &recv_iov,
- NULL, /* phdr */
- &wct,
- &vwv,
- NULL, /* pvwv_offset */
- &num_bytes,
- &bytes,
- &bytes_offset,
- NULL, /* inbuf */
- expected, ARRAY_SIZE(expected));
+ status = smb1cli_req_recv(subreq, state,
+ &recv_iov,
+ NULL, /* phdr */
+ &wct,
+ &vwv,
+ NULL, /* pvwv_offset */
+ &num_bytes,
+ &bytes,
+ &bytes_offset,
+ NULL, /* inbuf */
+ expected, ARRAY_SIZE(expected));
TALLOC_FREE(subreq);
- if (tevent_req_nterror(req, state->status)) {
- return;
+ if (NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW)) {
+ /* no error */
+ } else {
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
}
/* size is the number of bytes the server returned.
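Review bot: the empty `if` branch that holds only `/* no error */`, with the real error check nested in the `else`, is harder to read than a single condition such as `if (!NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW) && tevent_req_nterror(req, status))`. The comment should also say why the status is not an error at this point: it is kept in the local variable and reported only after the response has been parsed. The same block is repeated in smb2cli_ioctl.c, smb2cli_query_info.c and smb2cli_read.c, so a shared helper would keep the four copies from drifting.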
@@ -189,6 +198,12 @@ static void smb1cli_readx_done(struct tevent_req *subreq)
state->buf = bytes + (data_offset - bytes_offset);
+ state->out_valid = true;
+
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
tevent_req_done(req);
}
@@ -205,7 +220,7 @@ static void smb1cli_readx_done(struct tevent_req *subreq)
* @param[out] received The number of bytes received.
* @param[out] rcvbuf Pointer to the bytes received.
*
- * @return NT_STATUS_OK on succsess.
+ * @return NT_STATUS_OK or STATUS_BUFFER_OVERFLOW on succsess.
*/
NTSTATUS smb1cli_readx_recv(struct tevent_req *req,
uint32_t *received,
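Review bot: the rewritten `@return` line still carries the typo "succsess", and it now lists STATUS_BUFFER_OVERFLOW as a success value without saying what that means for the outputs. Suggest spelling it "success" and documenting that `received` and `rcvbuf` are still filled in when STATUS_BUFFER_OVERFLOW is returned, so callers know not to discard the data.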
@@ -213,12 +228,14 @@ NTSTATUS smb1cli_readx_recv(struct tevent_req *req,
{
struct smb1cli_readx_state *state = tevent_req_data(
req, struct smb1cli_readx_state);
- NTSTATUS status;
+ NTSTATUS status = NT_STATUS_OK;
- if (tevent_req_is_nterror(req, &status)) {
+ if (tevent_req_is_nterror(req, &status) && !state->out_valid) {
+ *received = 0;
+ *rcvbuf = NULL;
return status;
}
*received = state->received;
*rcvbuf = state->buf;
- return NT_STATUS_OK;
+ return status;
}
diff --git a/libcli/smb/smb2cli_ioctl.c b/libcli/smb/smb2cli_ioctl.c
index 42a424e..2b572ba 100644
--- a/libcli/smb/smb2cli_ioctl.c
+++ b/libcli/smb/smb2cli_ioctl.c
@@ -22,8 +22,6 @@
#include "lib/util/tevent_ntstatus.h"
#include "smb_common.h"
#include "smbXcli_base.h"
-#include "librpc/ndr/libndr.h"
-#include "librpc/gen_ndr/ioctl.h"
struct smb2cli_ioctl_state {
uint8_t fixed[0x38];
@@ -31,6 +29,7 @@ struct smb2cli_ioctl_state {
uint32_t max_input_length;
uint32_t max_output_length;
struct iovec *recv_iov;
+ bool out_valid;
DATA_BLOB out_input_buffer;
DATA_BLOB out_output_buffer;
uint32_t ctl_code;
@@ -161,32 +160,6 @@ struct tevent_req *smb2cli_ioctl_send(TALLOC_CTX *mem_ctx,
return req;
}
-/*
- * 3.3.4.4 Sending an Error Response
- * An error code other than one of the following indicates a failure:
- */
-static bool smb2cli_ioctl_is_failure(uint32_t ctl_code, NTSTATUS status,
- size_t data_size)
-{
- if (NT_STATUS_IS_OK(status)) {
- return false;
- }
-
- /*
- * STATUS_INVALID_PARAMETER in a FSCTL_SRV_COPYCHUNK or
- * FSCTL_SRV_COPYCHUNK_WRITE Response, when returning an
- * SRV_COPYCHUNK_RESPONSE as described in section 2.2.32.1.
- */
- if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER) &&
- (ctl_code == FSCTL_SRV_COPYCHUNK ||
- ctl_code == FSCTL_SRV_COPYCHUNK_WRITE) &&
- data_size == sizeof(struct srv_copychunk_rsp)) {
- return false;
- }
-
- return true;
-}
-
static void smb2cli_ioctl_done(struct tevent_req *subreq)
{
struct tevent_req *req =
@@ -225,6 +198,16 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq)
.body_size = 0x09,
},
{
+ /*
+ * a normal error
+ */
+ .status = NT_STATUS_INVALID_PARAMETER,
+ .body_size = 0x09
+ },
+ {
+ /*
+ * a special case for FSCTL_SRV_COPYCHUNK_*
+ */
.status = NT_STATUS_INVALID_PARAMETER,
.body_size = 0x31
},
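Review bot: the two NT_STATUS_INVALID_PARAMETER entries differ only in `.body_size`, and the comment on the 0x31 entry says just "a special case for FSCTL_SRV_COPYCHUNK_*". The helper removed earlier in this patch documented the reason (an SRV_COPYCHUNK_RESPONSE returned with STATUS_INVALID_PARAMETER, section 2.2.32.1); carrying that reference over to the new comment would keep the rationale next to the table.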
@@ -233,10 +216,35 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq)
status = smb2cli_req_recv(subreq, state, &iov,
expected, ARRAY_SIZE(expected));
TALLOC_FREE(subreq);
- if (iov == NULL && tevent_req_nterror(req, status)) {
- return;
+ if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
+ switch (state->ctl_code) {
+ case FSCTL_SRV_COPYCHUNK:
+ case FSCTL_SRV_COPYCHUNK_WRITE:
+ break;
+ default:
+ tevent_req_nterror(req, status);
+ return;
+ }
+
+ if (iov[1].iov_len != 0x30) {
+ tevent_req_nterror(req,
+ NT_STATUS_INVALID_NETWORK_RESPONSE);
+ return;
+ }
+ } else if (NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW)) {
+ /* no error */
+ } else {
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
}
+ /*
+ * At this stage we're sure that got a body size of 0x31,
+ * either with NT_STATUS_OK, STATUS_BUFFER_OVERFLOW or
+ * NT_STATUS_INVALID_PARAMETER.
+ */
+
state->recv_iov = iov;
fixed = (uint8_t *)iov[1].iov_base;
dyn = (uint8_t *)iov[2].iov_base;
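Review bot: the new INVALID_PARAMETER branch checks `iov[1].iov_len != 0x30`, while the expected[] table and the comment added a few lines below both speak of a body size of 0x31. If the difference is intentional it needs a one-line comment at the comparison, because as written it reads like an off-by-one. This branch also dereferences `iov[1]` after the old `iov == NULL` guard was removed, so it depends on smb2cli_req_recv() always setting iov when it returns a status listed in expected[]; that assumption is worth stating. Minor: "we're sure that got" in the added comment is missing "we".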
@@ -247,11 +255,6 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq)
output_buffer_offset = IVAL(fixed, 0x20);
output_buffer_length = IVAL(fixed, 0x24);
- if (smb2cli_ioctl_is_failure(state->ctl_code, status, output_buffer_length) &&
- tevent_req_nterror(req, status)) {
- return;
- }
-
if ((input_buffer_offset > 0) && (input_buffer_length > 0)) {
uint32_t ofs;
@@ -332,6 +335,8 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq)
state->out_output_buffer.length = output_buffer_length;
}
+ state->out_valid = true;
+
if (tevent_req_nterror(req, status)) {
return;
}
@@ -349,8 +354,13 @@ NTSTATUS smb2cli_ioctl_recv(struct tevent_req *req,
struct smb2cli_ioctl_state);
NTSTATUS status = NT_STATUS_OK;
- if (tevent_req_is_nterror(req, &status) &&
- smb2cli_ioctl_is_failure(state->ctl_code, status, state->out_output_buffer.length)) {
+ if (tevent_req_is_nterror(req, &status) && !state->out_valid) {
+ if (out_input_buffer) {
+ *out_input_buffer = data_blob_null;
+ }
+ if (out_output_buffer) {
+ *out_output_buffer = data_blob_null;
+ }
tevent_req_received(req);
return status;
}
diff --git a/libcli/smb/smb2cli_query_info.c b/libcli/smb/smb2cli_query_info.c
index a24844b..d499611 100644
--- a/libcli/smb/smb2cli_query_info.c
+++ b/libcli/smb/smb2cli_query_info.c
@@ -29,6 +29,7 @@ struct smb2cli_query_info_state {
uint32_t max_output_length;
struct iovec *recv_iov;
DATA_BLOB out_output_buffer;
+ bool out_valid;
};
static void smb2cli_query_info_done(struct tevent_req *subreq);
@@ -135,8 +136,12 @@ static void smb2cli_query_info_done(struct tevent_req *subreq)
status = smb2cli_req_recv(subreq, state, &iov,
expected, ARRAY_SIZE(expected));
TALLOC_FREE(subreq);
- if (tevent_req_nterror(req, status)) {
- return;
+ if (NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW)) {
+ /* no error */
+ } else {
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
}
state->recv_iov = iov;
@@ -170,6 +175,12 @@ static void smb2cli_query_info_done(struct tevent_req *subreq)
state->out_output_buffer.length = output_buffer_length;
}
+ state->out_valid = true;
+
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
tevent_req_done(req);
}
@@ -180,9 +191,12 @@ NTSTATUS smb2cli_query_info_recv(struct tevent_req *req,
struct smb2cli_query_info_state *state =
tevent_req_data(req,
struct smb2cli_query_info_state);
- NTSTATUS status;
+ NTSTATUS status = NT_STATUS_OK;
- if (tevent_req_is_nterror(req, &status)) {
+ if (tevent_req_is_nterror(req, &status) && !state->out_valid) {
+ if (out_output_buffer) {
+ *out_output_buffer = data_blob_null;
+ }
tevent_req_received(req);
return status;
}
@@ -193,7 +207,7 @@ NTSTATUS smb2cli_query_info_recv(struct tevent_req *req,
}
tevent_req_received(req);
- return NT_STATUS_OK;
+ return status;
}
NTSTATUS smb2cli_query_info(struct smbXcli_conn *conn,
diff --git a/libcli/smb/smb2cli_read.c b/libcli/smb/smb2cli_read.c
index 4a31622..8110b65 100644
--- a/libcli/smb/smb2cli_read.c
+++ b/libcli/smb/smb2cli_read.c
@@ -29,6 +29,7 @@ struct smb2cli_read_state {
struct iovec *recv_iov;
uint8_t *data;
uint32_t data_length;
+ bool out_valid;
};
static void smb2cli_read_done(struct tevent_req *subreq);
@@ -105,8 +106,12 @@ static void smb2cli_read_done(struct tevent_req *subreq)
status = smb2cli_req_recv(subreq, state, &iov,
expected, ARRAY_SIZE(expected));
TALLOC_FREE(subreq);
- if (tevent_req_nterror(req, status)) {
- return;
+ if (NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW)) {
+ /* no error */
+ } else {
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
}
data_offset = CVAL(iov[1].iov_base, 2);
@@ -120,6 +125,13 @@ static void smb2cli_read_done(struct tevent_req *subreq)
state->recv_iov = iov;
state->data = (uint8_t *)iov[2].iov_base;
+
+ state->out_valid = true;
+
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
tevent_req_done(req);
}
@@ -129,15 +141,19 @@ NTSTATUS smb2cli_read_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
struct smb2cli_read_state *state =
tevent_req_data(req,
struct smb2cli_read_state);
- NTSTATUS status;
+ NTSTATUS status = NT_STATUS_OK;
- if (tevent_req_is_nterror(req, &status)) {
+ if (tevent_req_is_nterror(req, &status) && !state->out_valid) {
+ *data_length = 0;
+ *data = NULL;
+ tevent_req_received(req);
return status;
}
talloc_steal(mem_ctx, state->recv_iov);
*data_length = state->data_length;
*data = state->data;
- return NT_STATUS_OK;
+ tevent_req_received(req);
+ return status;
}
NTSTATUS smb2cli_read(struct smbXcli_conn *conn,
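Review bot: both return paths of smb2cli_read_recv() now call `tevent_req_received(req)`, which the old function did not do and the commit message does not mention. In the success path the call comes after `talloc_steal(mem_ctx, state->recv_iov)` and the copies out of `state`, and that ordering matters because tevent_req_received() releases the request state; a short comment there would stop a later reorder. Please mention the new call in the commit message or split it into its own commit.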
diff --git a/libcli/smb/tstream_smbXcli_np.c b/libcli/smb/tstream_smbXcli_np.c
index 9cd6302..af0863e 100644
--- a/libcli/smb/tstream_smbXcli_np.c
+++ b/libcli/smb/tstream_smbXcli_np.c
@@ -976,7 +976,14 @@ static void tstream_smbXcli_np_readv_trans_done(struct tevent_req *subreq)
received = out_output_buffer.length;
}
TALLOC_FREE(subreq);
- if (NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL)) {
+ if (NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW)) {
+ /*
+ * STATUS_BUFFER_OVERFLOW means that there's
+ * more data to read when the named pipe is used
+ * in message mode (which is the case here).
+ *
+ * But we hide this from the caller.
+ */
status = NT_STATUS_OK;
}
if (!NT_STATUS_IS_OK(status)) {
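Review bot: the added comment says STATUS_BUFFER_OVERFLOW is hidden from the caller but not how the rest of the message gets read, and nothing in this hunk records that more data is pending once `status = NT_STATUS_OK` overwrites it. Please extend the comment to name the code that picks up the remainder. Note also that NT_STATUS_BUFFER_TOO_SMALL now falls through to the `!NT_STATUS_IS_OK(status)` error path; that matches the commit message and is worth a word in the comment too.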
@@ -1052,9 +1059,9 @@ static void tstream_smbXcli_np_readv_read_done(struct tevent_req *subreq)
* We can't TALLOC_FREE(subreq) as usual here, as rcvbuf still is a
* child of that.
*/
- if (NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL)) {
+ if (NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW)) {
/*
- * NT_STATUS_BUFFER_TOO_SMALL means that there's
+ * STATUS_BUFFER_OVERFLOW means that there's
* more data to read when the named pipe is used
* in message mode (which is the case here).
*
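Review bot: no automated test covers the changed comparison in tstream_smbXcli_np_readv_read_done() or the one in readv_trans_done. Per the commit message it was exercised by building with TSTREAM_SMBXCLI_NP_MAX_BUF_SIZE == 20 and running smbtorture by hand against a Windows 2012R2 server, and the diffstat lists no test file. A regression test that forces a small buffer would keep the STATUS_BUFFER_OVERFLOW path covered in autobuild.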
diff --git a/librpc/rpc/binding.c b/librpc/rpc/binding.c
index f131d00..d0acd6e 100644
--- a/librpc/rpc/binding.c
+++ b/librpc/rpc/binding.c
@@ -1226,7 +1226,7 @@ _PUBLIC_ enum dcerpc_transport_t dcerpc_transport_by_tower(const struct epm_towe
continue;
}
- for (j = 0; j < transports[i].num_protocols; j++) {
+ for (j = 0; j < transports[i].num_protocols && j < MAX_PROTSEQ; j++) {
if (transports[i].protseq[j] != tower->floors[j+2].lhs.protocol) {
break;
}
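Review bot: adding `j < MAX_PROTSEQ` to the loop condition silently stops the comparison early if `transports[i].num_protocols` is ever larger than MAX_PROTSEQ, which would be a bug in the transports table rather than something to clamp at runtime. A check before the loop that rejects or asserts on such an entry would state the invariant more clearly and avoid a partial match. The added bound protects `protseq[j]` only; `tower->floors[j+2]` depends on a floor-count check that is not visible in this hunk.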
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index efef613..572ca92 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -2661,7 +2661,7 @@ static NTSTATUS can_rename(connection_struct *conn, files_struct *fsp,
if ((dirtype & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)) !=
(FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)) {
/* Only bother to read the DOS attribute if we might deny the
- rename on the grounds of attribute missmatch. */
+ rename on the grounds of attribute mismatch. */
uint32_t fmode = dos_mode(conn, fsp->fsp_name);
if ((fmode & ~dirtype) & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)) {
return NT_STATUS_NO_SUCH_FILE;
@@ -6458,12 +6458,12 @@ NTSTATUS rename_internals_fsp(connection_struct *conn,
/*
* Check for special case with case preserving and not
- * case sensitive. If the old last component differs from the original
+ * case sensitive. If the new last component differs from the original
* last component only by case, then we should allow
* the rename (user is trying to change the case of the
* filename).
*/
- if((conn->case_sensitive == False) && (conn->case_preserve == True) &&
+ if (!conn->case_sensitive && conn->case_preserve &&
strequal(fsp->fsp_name->base_name, smb_fname_dst->base_name) &&
strequal(fsp->fsp_name->stream_name, smb_fname_dst->stream_name)) {
char *last_slash;
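Review bot: replacing `(conn->case_sensitive == False) && (conn->case_preserve == True)` with `!conn->case_sensitive && conn->case_preserve` is equivalent only when `case_preserve` holds nothing but 0 or 1; the old `== True` comparison was false for any other non-zero value. The field types are not shown here, so please confirm both are `bool`. The comment change from "old" to "new" last component in the same hunk belongs to a different commit in the log ("smbd: Fix a comment"), which is fine but worth keeping in mind when bisecting.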
--
Samba Shared Repository