[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Tue Feb 24 12:22:04 MST 2015
The branch, master has been updated
via a00d72b wafsamba: make sure build fails when uninitialized variable is detected
via b3a472d lib: Use iov_buflen in smb1cli_req_chain_submit
via eaf9fd4 lib: Use iov_buflen in smb1cli_req_writev_submit
via c7fe434 lib: Use iov_buflen in smb1cli_req_create
via 7bcd7e2 lib: Use iov_buf in smbXcli_iov_concat
via 4c00054 libcli: Use iov_buflen in smbXcli_iov_len
via cab45cb smbd: Fix a typo
via ce9ae13 smb2_server: Use iov_advance
via 1c2562e smb2_server: Add range checking to nbt_length
via d6f70d3 tsocket: Use iov_advance
via 6e94f69 iov_buf: Add an explaining comment
via 0a20ffb tsocket: Fix a typo
via a610336 lib: Move "iov_buf.[ch]" to lib/util
via d5de29b rpc: Use tevent_req_poll_ntstatus
from 04a061e ctdb-io: Do not use sys_write to write to client sockets
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit a00d72bf5db4215fd70e6d396ad3d22e612d5ebc
Author: Alexander Bokovoy <ab at samba.org>
Date: Tue Feb 24 15:12:39 2015 +0200
wafsamba: make sure build fails when uninitialized variable is detected
In developer build, fail if uninitialized variable is found by GCC.
Signed-off-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Feb 24 20:21:52 CET 2015 on sn-devel-104
commit b3a472d976f61c9a3839d94d549fa94199404de1
Author: Volker Lendecke <vl at samba.org>
Date: Tue Feb 17 20:19:33 2015 +0000
lib: Use iov_buflen in smb1cli_req_chain_submit
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit eaf9fd4b7ac57ec3ab02991299b69420dbae8ad0
Author: Volker Lendecke <vl at samba.org>
Date: Tue Feb 17 20:19:10 2015 +0000
lib: Use iov_buflen in smb1cli_req_writev_submit
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit c7fe434d48fb52a7db18405004da03e479aec8d4
Author: Volker Lendecke <vl at samba.org>
Date: Tue Feb 17 20:18:37 2015 +0000
lib: Use iov_buflen in smb1cli_req_create
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 7bcd7e2f5ca4dd88871588239ee7d2285d6e0d83
Author: Volker Lendecke <vl at samba.org>
Date: Tue Feb 17 20:17:35 2015 +0000
lib: Use iov_buf in smbXcli_iov_concat
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 4c000545c00943993b5d814f14e8112abd19975f
Author: Volker Lendecke <vl at samba.org>
Date: Tue Feb 17 20:16:45 2015 +0000
libcli: Use iov_buflen in smbXcli_iov_len
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit cab45cb7654e978ac7ad50a12de35cf2728cb10c
Author: Volker Lendecke <vl at samba.org>
Date: Mon Feb 16 14:36:28 2015 +0000
smbd: Fix a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit ce9ae131fe66c82448e2f82dbc0b103aecc851b6
Author: Volker Lendecke <vl at samba.org>
Date: Mon Feb 16 14:35:03 2015 +0000
smb2_server: Use iov_advance
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 1c2562e691937b6e877189477f18a735210ec5f5
Author: Volker Lendecke <vl at samba.org>
Date: Mon Feb 16 14:29:36 2015 +0000
smb2_server: Add range checking to nbt_length
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit d6f70d334602d374442fa0670c09d80e70641c13
Author: Volker Lendecke <vl at samba.org>
Date: Mon Feb 16 13:50:25 2015 +0000
tsocket: Use iov_advance
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 6e94f695c4cb8aabc57b5ef00073c2301fec409a
Author: Volker Lendecke <vl at samba.org>
Date: Mon Feb 16 13:26:29 2015 +0000
iov_buf: Add an explaining comment
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 0a20ffb17dcc849834ccde4aa3f751bda31f8824
Author: Volker Lendecke <vl at samba.org>
Date: Mon Feb 16 13:24:04 2015 +0000
tsocket: Fix a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit a610336886259b960317f172d3084de6ecc5a396
Author: Volker Lendecke <vl at samba.org>
Date: Sat Feb 14 16:48:54 2015 +0100
lib: Move "iov_buf.[ch]" to lib/util
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit d5de29b8601a8e0d6afed779aae2da370358e4ca
Author: Volker Lendecke <vl at samba.org>
Date: Sat Feb 14 16:28:06 2015 +0100
rpc: Use tevent_req_poll_ntstatus
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
-----------------------------------------------------------------------
Summary of changes:
buildtools/wafsamba/samba_autoconf.py | 2 +
lib/async_req/async_sock.c | 2 +-
lib/tsocket/tsocket_bsd.c | 69 +++++++-------------------
lib/tsocket/wscript_build | 2 +-
{source3/lib => lib/util}/iov_buf.c | 4 ++
{source3/lib => lib/util}/iov_buf.h | 0
lib/util/wscript_build | 5 ++
libcli/smb/smbXcli_base.c | 57 ++++++++++++++--------
libcli/smb/wscript | 2 +-
librpc/rpc/binding_handle.c | 3 +-
source3/lib/messages.c | 2 +-
source3/lib/messages_ctdbd.c | 2 +-
source3/lib/msghdr.c | 2 +-
source3/lib/sys_rw_data.c | 2 +-
source3/lib/unix_msg/unix_msg.c | 2 +-
source3/smbd/smb2_server.c | 91 ++++++++++++++++++++---------------
source3/smbd/trans2.c | 2 +-
source3/wscript_build | 5 --
18 files changed, 129 insertions(+), 125 deletions(-)
rename {source3/lib => lib/util}/iov_buf.c (89%)
rename {source3/lib => lib/util}/iov_buf.h (100%)
Changeset truncated at 500 lines:
diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
index c13bfe7..905adc7 100644
--- a/buildtools/wafsamba/samba_autoconf.py
+++ b/buildtools/wafsamba/samba_autoconf.py
@@ -677,6 +677,8 @@ def SAMBA_CONFIG_H(conf, path=None):
testflags=True)
conf.ADD_CFLAGS('-Werror=return-type -Wreturn-type',
testflags=True)
+ conf.ADD_CFLAGS('-Werror=uninitialized -Wuninitialized',
+ testflags=True)
conf.ADD_CFLAGS('-Wformat=2 -Wno-format-y2k', testflags=True)
# This check is because for ldb_search(), a NULL format string
diff --git a/lib/async_req/async_sock.c b/lib/async_req/async_sock.c
index b986e45..ee91b8f 100644
--- a/lib/async_req/async_sock.c
+++ b/lib/async_req/async_sock.c
@@ -27,7 +27,7 @@
#include <talloc.h>
#include <tevent.h>
#include "lib/async_req/async_sock.h"
-#include "lib/iov_buf.h"
+#include "lib/util/iov_buf.h"
/* Note: lib/util/ is currently GPL */
#include "lib/util/tevent_unix.h"
diff --git a/lib/tsocket/tsocket_bsd.c b/lib/tsocket/tsocket_bsd.c
index fe39dfd..79235c6 100644
--- a/lib/tsocket/tsocket_bsd.c
+++ b/lib/tsocket/tsocket_bsd.c
@@ -26,6 +26,7 @@
#include "system/network.h"
#include "tsocket.h"
#include "tsocket_internal.h"
+#include "lib/util/iov_buf.h"
static int tsocket_bsd_error_from_errno(int ret,
int sys_errno,
@@ -1117,7 +1118,7 @@ static void tdgram_bsd_sendto_handler(void *private_data)
sizeof(bufsize));
if (ret == 0) {
/*
- * We do the rety here, rather then via the
+ * We do the retry here, rather then via the
* handler, as we only want to retry once for
* this condition, so if there is a mismatch
* between what setsockopt() accepts and what can
@@ -1747,7 +1748,8 @@ static void tstream_bsd_readv_handler(void *private_data)
struct tstream_bsd *bsds = tstream_context_data(stream, struct tstream_bsd);
int ret;
int err;
- bool retry;
+ int _count;
+ bool ok, retry;
ret = readv(bsds->fd, state->vector, state->count);
if (ret == 0) {
@@ -1766,31 +1768,13 @@ static void tstream_bsd_readv_handler(void *private_data)
state->ret += ret;
- while (ret > 0) {
- if (ret < state->vector[0].iov_len) {
- uint8_t *base;
- base = (uint8_t *)state->vector[0].iov_base;
- base += ret;
- state->vector[0].iov_base = (void *)base;
- state->vector[0].iov_len -= ret;
- break;
- }
- ret -= state->vector[0].iov_len;
- state->vector += 1;
- state->count -= 1;
- }
+ _count = state->count; /* tstream has size_t count, readv has int */
+ ok = iov_advance(&state->vector, &_count, ret);
+ state->count = _count;
- /*
- * there're maybe some empty vectors at the end
- * which we need to skip, otherwise we would get
- * ret == 0 from the readv() call and return EPIPE
- */
- while (state->count > 0) {
- if (state->vector[0].iov_len > 0) {
- break;
- }
- state->vector += 1;
- state->count -= 1;
+ if (!ok) {
+ tevent_req_error(req, EINVAL);
+ return;
}
if (state->count > 0) {
@@ -1907,7 +1891,8 @@ static void tstream_bsd_writev_handler(void *private_data)
struct tstream_bsd *bsds = tstream_context_data(stream, struct tstream_bsd);
ssize_t ret;
int err;
- bool retry;
+ int _count;
+ bool ok, retry;
ret = writev(bsds->fd, state->vector, state->count);
if (ret == 0) {
@@ -1926,31 +1911,13 @@ static void tstream_bsd_writev_handler(void *private_data)
state->ret += ret;
- while (ret > 0) {
- if (ret < state->vector[0].iov_len) {
- uint8_t *base;
- base = (uint8_t *)state->vector[0].iov_base;
- base += ret;
- state->vector[0].iov_base = (void *)base;
- state->vector[0].iov_len -= ret;
- break;
- }
- ret -= state->vector[0].iov_len;
- state->vector += 1;
- state->count -= 1;
- }
+ _count = state->count; /* tstream has size_t count, writev has int */
+ ok = iov_advance(&state->vector, &_count, ret);
+ state->count = _count;
- /*
- * there're maybe some empty vectors at the end
- * which we need to skip, otherwise we would get
- * ret == 0 from the writev() call and return EPIPE
- */
- while (state->count > 0) {
- if (state->vector[0].iov_len > 0) {
- break;
- }
- state->vector += 1;
- state->count -= 1;
+ if (!ok) {
+ tevent_req_error(req, EINVAL);
+ return;
}
if (state->count > 0) {
diff --git a/lib/tsocket/wscript_build b/lib/tsocket/wscript_build
index 5fa05f8..31ef14e 100644
--- a/lib/tsocket/wscript_build
+++ b/lib/tsocket/wscript_build
@@ -3,7 +3,7 @@
bld.SAMBA_SUBSYSTEM('LIBTSOCKET',
source='tsocket.c tsocket_helpers.c tsocket_bsd.c',
- public_deps='talloc tevent',
+ public_deps='talloc tevent iov_buf',
public_headers='tsocket.h tsocket_internal.h',
)
diff --git a/source3/lib/iov_buf.c b/lib/util/iov_buf.c
similarity index 89%
rename from source3/lib/iov_buf.c
rename to lib/util/iov_buf.c
index 82a4af5..d260b2f 100644
--- a/source3/lib/iov_buf.c
+++ b/lib/util/iov_buf.c
@@ -75,6 +75,10 @@ bool iov_advance(struct iovec **iov, int *iovcnt, size_t n)
/*
* Skip 0-length iovec's
+ *
+ * There might be empty buffers at the end of iov. Next time we do a
+ * readv/writev based on this iov would give 0 transferred bytes, also
+ * known as EPIPE. So we need to be careful discarding them.
*/
while ((cnt > 0) && (v->iov_len == 0)) {
diff --git a/source3/lib/iov_buf.h b/lib/util/iov_buf.h
similarity index 100%
rename from source3/lib/iov_buf.h
rename to lib/util/iov_buf.h
diff --git a/lib/util/wscript_build b/lib/util/wscript_build
index 3121e1f..2588742 100755
--- a/lib/util/wscript_build
+++ b/lib/util/wscript_build
@@ -36,6 +36,11 @@ bld.SAMBA_LIBRARY('socket-blocking',
local_include=False,
private_library=True)
+bld.SAMBA_LIBRARY('iov_buf',
+ source='iov_buf.c',
+ local_include=False,
+ private_library=True)
+
bld.SAMBA_SUBSYSTEM('samba-util-core',
source='''xfile.c data_blob.c util_file.c time.c
signal.c util.c idtree.c fault.c
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 8aa6020..2b34980 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -25,6 +25,7 @@
#include "../lib/util/tevent_unix.h"
#include "lib/util/util_net.h"
#include "lib/util/dlinklist.h"
+#include "lib/util/iov_buf.h"
#include "../libcli/smb/smb_common.h"
#include "../libcli/smb/smb_seal.h"
#include "../libcli/smb/smb_signing.h"
@@ -1115,32 +1116,31 @@ void smb1cli_req_set_seqnum(struct tevent_req *req, uint32_t seqnum)
static size_t smbXcli_iov_len(const struct iovec *iov, int count)
{
- size_t result = 0;
- int i;
- for (i=0; i<count; i++) {
- result += iov[i].iov_len;
- }
- return result;
+ ssize_t ret = iov_buflen(iov, count);
+
+ /* Ignore the overflow case for now ... */
+ return ret;
}
static uint8_t *smbXcli_iov_concat(TALLOC_CTX *mem_ctx,
const struct iovec *iov,
int count)
{
- size_t len = smbXcli_iov_len(iov, count);
- size_t copied;
+ ssize_t buflen;
uint8_t *buf;
- int i;
- buf = talloc_array(mem_ctx, uint8_t, len);
- if (buf == NULL) {
+ buflen = iov_buflen(iov, count);
+ if (buflen == -1) {
return NULL;
}
- copied = 0;
- for (i=0; i<count; i++) {
- memcpy(buf+copied, iov[i].iov_base, iov[i].iov_len);
- copied += iov[i].iov_len;
+
+ buf = talloc_array(mem_ctx, uint8_t, buflen);
+ if (buf == NULL) {
+ return NULL;
}
+
+ iov_buf(iov, count, buf, buflen);
+
return buf;
}
@@ -1266,6 +1266,7 @@ struct tevent_req *smb1cli_req_create(TALLOC_CTX *mem_ctx,
uint16_t flags2 = 0;
uint16_t uid = 0;
uint16_t tid = 0;
+ ssize_t num_bytes;
if (iov_count > MAX_SMB_IOV) {
/*
@@ -1337,7 +1338,17 @@ struct tevent_req *smb1cli_req_create(TALLOC_CTX *mem_ctx,
state->smb1.vwv = vwv;
- SSVAL(state->smb1.bytecount_buf, 0, smbXcli_iov_len(bytes_iov, iov_count));
+ num_bytes = iov_buflen(bytes_iov, iov_count);
+ if (num_bytes == -1) {
+ /*
+ * I'd love to add a check for num_bytes<=UINT16_MAX here, but
+ * the smbclient->samba connections can lie and transfer more.
+ */
+ TALLOC_FREE(req);
+ return NULL;
+ }
+
+ SSVAL(state->smb1.bytecount_buf, 0, num_bytes);
state->smb1.iov[0].iov_base = (void *)state->length_hdr;
state->smb1.iov[0].iov_len = sizeof(state->length_hdr);
@@ -1444,6 +1455,7 @@ static NTSTATUS smb1cli_req_writev_submit(struct tevent_req *req,
NTSTATUS status;
uint8_t cmd;
uint16_t mid;
+ ssize_t nbtlen;
if (!smbXcli_conn_is_connected(state->conn)) {
return NT_STATUS_CONNECTION_DISCONNECTED;
@@ -1484,7 +1496,12 @@ static NTSTATUS smb1cli_req_writev_submit(struct tevent_req *req,
}
SSVAL(iov[1].iov_base, HDR_MID, mid);
- _smb_setlen_nbt(iov[0].iov_base, smbXcli_iov_len(&iov[1], iov_count-1));
+ nbtlen = iov_buflen(&iov[1], iov_count-1);
+ if ((nbtlen == -1) || (nbtlen > 0x1FFFF)) {
+ return NT_STATUS_INVALID_PARAMETER_MIX;
+ }
+
+ _smb_setlen_nbt(iov[0].iov_base, nbtlen);
status = smb1cli_conn_signv(state->conn, iov, iov_count,
&state->smb1.seqnum,
@@ -2350,7 +2367,7 @@ NTSTATUS smb1cli_req_chain_submit(struct tevent_req **reqs, int num_reqs)
struct iovec *iov = NULL;
struct iovec *this_iov;
NTSTATUS status;
- size_t nbt_len;
+ ssize_t nbt_len;
if (num_reqs == 1) {
return smb1cli_req_writev_submit(reqs[0], first_state,
@@ -2472,8 +2489,8 @@ NTSTATUS smb1cli_req_chain_submit(struct tevent_req **reqs, int num_reqs)
chain_padding = next_padding;
}
- nbt_len = smbXcli_iov_len(&iov[1], iovlen-1);
- if (nbt_len > first_state->conn->smb1.max_xmit) {
+ nbt_len = iov_buflen(&iov[1], iovlen-1);
+ if ((nbt_len == -1) || (nbt_len > first_state->conn->smb1.max_xmit)) {
TALLOC_FREE(iov);
TALLOC_FREE(first_state->smb1.chained_requests);
return NT_STATUS_INVALID_PARAMETER_MIX;
diff --git a/libcli/smb/wscript b/libcli/smb/wscript
index 48fa2b4..dad9821 100755
--- a/libcli/smb/wscript
+++ b/libcli/smb/wscript
@@ -46,7 +46,7 @@ def build(bld):
LIBCRYPTO NDR_SMB2_LEASE_STRUCT errors gensec krb5samba
smb_transport
''',
- public_deps='talloc samba-util',
+ public_deps='talloc samba-util iov_buf',
private_library=True,
public_headers='''
smb_common.h smb2_constants.h smb_constants.h
diff --git a/librpc/rpc/binding_handle.c b/librpc/rpc/binding_handle.c
index ef2b7bd..5a94144 100644
--- a/librpc/rpc/binding_handle.c
+++ b/librpc/rpc/binding_handle.c
@@ -250,8 +250,7 @@ NTSTATUS dcerpc_binding_handle_raw_call(struct dcerpc_binding_handle *h,
return NT_STATUS_NO_MEMORY;
}
- if (!tevent_req_poll(subreq, ev)) {
- status = map_nt_error_from_unix_common(errno);
+ if (!tevent_req_poll_ntstatus(subreq, ev, &status)) {
talloc_free(frame);
return status;
}
diff --git a/source3/lib/messages.c b/source3/lib/messages.c
index 7df7cdb..aa67640 100644
--- a/source3/lib/messages.c
+++ b/source3/lib/messages.c
@@ -52,7 +52,7 @@
#include "lib/util/tevent_unix.h"
#include "lib/background.h"
#include "lib/messages_dgm.h"
-#include "lib/iov_buf.h"
+#include "lib/util/iov_buf.h"
#include "lib/util/server_id_db.h"
#include "lib/messages_dgm_ref.h"
#include "lib/messages_util.h"
diff --git a/source3/lib/messages_ctdbd.c b/source3/lib/messages_ctdbd.c
index dbca103..1268bd4 100644
--- a/source3/lib/messages_ctdbd.c
+++ b/source3/lib/messages_ctdbd.c
@@ -20,7 +20,7 @@
#include "includes.h"
#include "messages.h"
#include "util_tdb.h"
-#include "lib/iov_buf.h"
+#include "lib/util/iov_buf.h"
/*
* It is not possible to include ctdb.h and tdb_compat.h (included via
diff --git a/source3/lib/msghdr.c b/source3/lib/msghdr.c
index 82f7ca7..5d771e8 100644
--- a/source3/lib/msghdr.c
+++ b/source3/lib/msghdr.c
@@ -18,7 +18,7 @@
#include "replace.h"
#include "lib/msghdr.h"
-#include "lib/iov_buf.h"
+#include "lib/util/iov_buf.h"
#include <sys/socket.h>
ssize_t msghdr_prep_fds(struct msghdr *msg, uint8_t *buf, size_t bufsize,
diff --git a/source3/lib/sys_rw_data.c b/source3/lib/sys_rw_data.c
index 7198783..e3f934d 100644
--- a/source3/lib/sys_rw_data.c
+++ b/source3/lib/sys_rw_data.c
@@ -24,7 +24,7 @@
#include "system/filesys.h"
#include "lib/sys_rw_data.h"
#include "lib/sys_rw.h"
-#include "lib/iov_buf.h"
+#include "lib/util/iov_buf.h"
/****************************************************************************
Write all data from an iov array
diff --git a/source3/lib/unix_msg/unix_msg.c b/source3/lib/unix_msg/unix_msg.c
index 6714f0d..f242249 100644
--- a/source3/lib/unix_msg/unix_msg.c
+++ b/source3/lib/unix_msg/unix_msg.c
@@ -23,7 +23,7 @@
#include "system/network.h"
#include "dlinklist.h"
#include "pthreadpool/pthreadpool.h"
-#include "lib/iov_buf.h"
+#include "lib/util/iov_buf.h"
#include "lib/msghdr.h"
#include <fcntl.h>
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 25d11b1..432b866 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -28,7 +28,7 @@
#include "smbprofile.h"
#include "../lib/util/bitmap.h"
#include "../librpc/gen_ndr/krb5pac.h"
-#include "lib/iov_buf.h"
+#include "lib/util/iov_buf.h"
#include "auth.h"
static void smbd_smb2_connection_handler(struct tevent_context *ev,
@@ -237,16 +237,22 @@ static NTSTATUS smbd_initialize_smb2(struct smbXsrv_connection *xconn)
buf[3] = (len)&0xFF; \
} while (0)
-static void smb2_setup_nbt_length(struct iovec *vector, int count)
+static bool smb2_setup_nbt_length(struct iovec *vector, int count)
{
- size_t len = 0;
- int i;
+ ssize_t len;
- for (i=1; i < count; i++) {
- len += vector[i].iov_len;
+ if (count == 0) {
+ return false;
+ }
+
+ len = iov_buflen(vector+1, count-1);
+
+ if ((len == -1) || (len > 0xFFFFFF)) {
+ return false;
}
_smb2_setlen(vector[0].iov_base, len);
+ return true;
}
static int smbd_smb2_request_destructor(struct smbd_smb2_request *req)
@@ -944,6 +950,7 @@ static NTSTATUS smbd_smb2_request_setup_out(struct smbd_smb2_request *req)
struct iovec *vector;
int count;
int idx;
+ bool ok;
count = req->in.vector_count;
if (count <= ARRAY_SIZE(req->out._vector)) {
@@ -1035,7 +1042,10 @@ static NTSTATUS smbd_smb2_request_setup_out(struct smbd_smb2_request *req)
req->out.vector_count = count;
/* setup the length of the NBT packet */
- smb2_setup_nbt_length(req->out.vector, req->out.vector_count);
+ ok = smb2_setup_nbt_length(req->out.vector, req->out.vector_count);
+ if (!ok) {
+ return NT_STATUS_INVALID_PARAMETER_MIX;
+ }
DLIST_ADD_END(xconn->smb2.requests, req, struct smbd_smb2_request *);
@@ -1156,6 +1166,7 @@ static struct smbd_smb2_request *dup_smb2_req(const struct smbd_smb2_request *re
struct iovec *outvec = NULL;
int count = req->out.vector_count;
int i;
+ bool ok;
newreq = smbd_smb2_request_allocate(req->xconn);
if (!newreq) {
@@ -1195,8 +1206,12 @@ static struct smbd_smb2_request *dup_smb2_req(const struct smbd_smb2_request *re
return NULL;
}
- smb2_setup_nbt_length(newreq->out.vector,
- newreq->out.vector_count);
+ ok = smb2_setup_nbt_length(newreq->out.vector,
+ newreq->out.vector_count);
+ if (!ok) {
+ TALLOC_FREE(newreq);
+ return NULL;
+ }
return newreq;
}
@@ -1210,6 +1225,7 @@ static NTSTATUS smb2_send_async_interim_response(const struct smbd_smb2_request
uint8_t *outhdr = NULL;
--
Samba Shared Repository
More information about the samba-cvs
mailing list