[patch] bounds checking in send_file_readX

Dmitry Shatrov dhsatrov at linux.vnet.ibm.com
Sun Jul 8 22:36:42 GMT 2007


In send_file_readX(), if startpos > sbuf.st_size, then smb_maxcnt is set
to an invalid large value due to integer overflow.
As for me, this resulted in MS Word hanging while trying to save
a 1.5Mb document.

Introduced by the following patch: 
http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/branches/SAMBA_3_0/source/smbd/reply.c?rev=22920&r1=22846&r2=22920

-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba3-ReadAndX-fix.diff
Type: text/x-patch
Size: 326 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20070709/d462bf0d/samba3-ReadAndX-fix.bin
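
The failure mode reported in this message, as an added example that is not part of the original post, the attached patch, or Samba's source. The function names, the fixed-width types and the sample values are assumptions chosen so the wrap is the same on every platform, and the bounds check shown is one possible form, not necessarily the one in the attachment.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: clamp a requested read length to the bytes left in
 * the file, with no check that startpos lies inside the file. */
static uint32_t clamp_unchecked(int64_t file_size, int64_t startpos, uint32_t maxcnt)
{
    /* Compared as int64_t: when startpos > file_size the difference is
     * negative, so this test is true for every maxcnt. */
    if ((int64_t)maxcnt > file_size - startpos) {
        /* Narrowing the negative difference wraps to a huge count. */
        maxcnt = (uint32_t)(file_size - startpos);
    }
    return maxcnt;
}

/* Hypothetical helper: the same clamp with the bounds check first.
 * Returns false and leaves *maxcnt untouched when the offset is outside
 * the file, so the caller can take its ordinary read path instead. */
static bool clamp_checked(int64_t file_size, int64_t startpos, uint32_t *maxcnt)
{
    if (file_size < 0 || startpos < 0 || startpos > file_size) {
        return false;
    }
    /* Here 0 <= file_size - startpos, and the cast below only runs when
     * the difference is smaller than *maxcnt, so it cannot wrap. */
    if ((int64_t)*maxcnt > file_size - startpos) {
        *maxcnt = (uint32_t)(file_size - startpos);
    }
    return true;
}

int main(void)
{
    /* Constructed values: a 1000-byte file, a 4096-byte read request. */
    uint32_t n = 4096;
    printf("unchecked, startpos 200:  %" PRIu32 "\n", clamp_unchecked(1000, 200, 4096));
    printf("unchecked, startpos 1500: %" PRIu32 "\n", clamp_unchecked(1000, 1500, 4096));
    if (!clamp_checked(1000, 1500, &n)) {
        printf("checked,   startpos 1500: rejected, count stays %" PRIu32 "\n", n);
    }
    return 0;
}
```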

