File corruption again

Juergen Hasch Hasch at t-online.de
Sat May 26 17:05:30 GMT 2001


Finally I found a way to trigger my problem independent of the log
level.
I think I spotted the place where the file corruption comes from.
It's in reply.c/reply_write_and_X()

I am copying an 8628-byte file to the Samba share:
smb_doff= 63, smblen=8691, numtowrite=401844
This triggers the ERRbadmem error and the created file is empty.

Copying it a second time yields:
smb_doff= 63, smblen=8691, numtowrite=8628
No error and the created file is valid.

Looking at the diff, the new numtowrite calculation seems to be broken:

diff -u -r1.240.2.30 -r1.240.2.31
--- samba/source/smbd/reply.c   2001/05/22 19:24:53     1.240.2.30
+++ samba/source/smbd/reply.c   2001/05/24 19:28:24     1.240.2.31
@@ -2660,10 +2660,11 @@
 {
   files_struct *fsp = file_fsp(inbuf,smb_vwv2);
   SMB_OFF_T startpos = IVAL(inbuf,smb_vwv3);
-  size_t numtowrite = SVAL(inbuf,smb_vwv10);
+  size_t numtowrite =
SVAL(inbuf,smb_vwv10)|(((size_t)SVAL(inbuf,smb_vwv9))<<16);
   BOOL write_through = BITSETW(inbuf+smb_vwv7,0);
   ssize_t nwritten = -1;
   unsigned int smb_doff = SVAL(inbuf,smb_vwv11);
+  unsigned int smblen = smb_len(inbuf);
   char *data;
   START_PROFILE(SMBwriteX);
 
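Review bot: the new `numtowrite = SVAL(inbuf,smb_vwv10)|(((size_t)SVAL(inbuf,smb_vwv9))<<16)` line unconditionally trusts the high word in smb_vwv9, and that is exactly what the report above shows: 401844 - 8628 = 0x60000, so smb_vwv9 held 6 while smb_vwv10 held the real 8628-byte length, and on the second copy the same field happened to be 0. A client that is not sending a large write evidently does not keep that word zeroed, so the high word should only be ORed in when large-write support was negotiated for the session (or, at minimum, masked down to the bits a large write can actually need). Also, as quoted here the `+` line is wrapped onto two lines, so the patch will not apply cleanly from this mail.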
@@ -2677,7 +2678,7 @@
   CHECK_WRITE(fsp);
   CHECK_ERROR(fsp);
 
-  if(smb_doff > smb_len(inbuf)) {
+  if(smb_doff > smblen || (smb_doff + numtowrite > smblen)) {
     END_PROFILE(SMBwriteX);
     return(ERROR(ERRDOS,ERRbadmem));
   }
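Review bot: the added `smb_doff + numtowrite > smblen` test is the right defence (it stops the write path from reading past the bytes actually received), but it is only as good as numtowrite, and with the stale high word from the first hunk it rejects a valid 8628-byte write with ERRbadmem after the file has already been created, which leaves the empty file described above. Two changes: gate or mask the high word before this check, and write the comparison as `numtowrite > smblen - smb_doff` (the `smb_doff > smblen` test already guarantees the subtraction is safe) so that an oversized numtowrite cannot wrap the unsigned addition and slip past the check.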

...Juergen
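An added example (not Samba's code and not from the mail) that replays the numbers from the report above: assembling numtowrite from the vwv9/vwv10 words and an overflow-safe form of the bounds check. The field offsets (NetBIOS length in the first four bytes, vwv0 at byte 37) and the `large_writex` gate are assumptions about the request layout, not taken from the page.

```c
/* Added example (not Samba code): how an SMBwriteX length is assembled from
 * the request's vwv9/vwv10 words and bounds-checked against the received
 * buffer. Offsets are an assumption: 4-byte NetBIOS header, 32-byte SMB
 * header, wct byte, then vwv0 at offset 37. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SMB_VWV(n) (37 + 2 * (n))   /* assumed offset of word n of the vwv block */

static unsigned sval(const uint8_t *b, size_t pos) {   /* little-endian 16-bit */
    return b[pos] | ((unsigned)b[pos + 1] << 8);
}
static size_t smb_len(const uint8_t *b) {               /* NetBIOS session length */
    return ((size_t)(b[1] & 1) << 16) | ((size_t)b[2] << 8) | b[3];
}

/* Assemble numtowrite. The high word (vwv9) is only honoured when the client
 * negotiated large writes (assumed gate); otherwise it may hold stale data,
 * which is what turns an 8628-byte write into 401844 in the report above. */
size_t writex_numtowrite(const uint8_t *inbuf, int large_writex) {
    size_t n = sval(inbuf, SMB_VWV(10));
    if (large_writex)
        n |= (size_t)sval(inbuf, SMB_VWV(9)) << 16;
    return n;
}

/* Bounds check written so that doff + numtowrite cannot wrap around. */
int writex_in_bounds(size_t smblen, size_t doff, size_t numtowrite) {
    if (doff > smblen) return 0;
    return numtowrite <= smblen - doff;
}

/* Constructed request mirroring the mail: doff 63, vwv10 = 8628, vwv9 set by
 * the caller (6 reproduces the stale high word), smblen 8691 = 63 + 8628. */
size_t build_request(uint8_t *buf, size_t cap, unsigned vwv9_high) {
    const size_t smblen = 8691, total = 4 + smblen;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[1] = (smblen >> 16) & 1; buf[2] = (smblen >> 8) & 0xff; buf[3] = smblen & 0xff;
    buf[SMB_VWV(9)] = vwv9_high & 0xff;  buf[SMB_VWV(9) + 1] = (vwv9_high >> 8) & 0xff;
    buf[SMB_VWV(10)] = 8628 & 0xff;      buf[SMB_VWV(10) + 1] = 8628 >> 8;
    buf[SMB_VWV(11)] = 63;               buf[SMB_VWV(11) + 1] = 0;
    return total;
}
```

With vwv9 = 6 the assembled length is 401844 and the check rejects the request; with the high word gated off it is 8628 and 63 + 8628 fits the 8691-byte buffer exactly.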