[patch] bounds checking in send_file_readX
Jeremy Allison
jra at samba.org
Mon Jul 9 00:41:04 GMT 2007
On Mon, Jul 09, 2007 at 02:36:42AM +0400, Dmitry Shatrov wrote:
> In send_file_readX(), if startpos > sbuf.st_size, then smb_maxcnt is set
> to an invalid large value due to integer overflow.
> As for me, this resulted in MS Word hanging while trying to save
> a 1.5Mb document.
>
> Introduced by the following patch:
> http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/branches/SAMBA_3_0/source/smbd/reply.c?rev=22920&r1=22846&r2=22920
>
> Index: source/smbd/reply.c
> ===================================================================
> --- source/smbd/reply.c (revision 23750)
> +++ source/smbd/reply.c (working copy)
> @@ -2590,6 +2590,7 @@
>
> if (startpos > sbuf.st_size) {
> smb_maxcnt = 0;
> + goto normal_read;
> }
>
> if (smb_maxcnt > (sbuf.st_size - startpos)) {
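Review bot: the `+ goto normal_read;` in this hunk does stop the overflow, but it jumps to a label that is not visible here, so the hunk alone does not show where the clamped `smb_maxcnt = 0` path ends up or what other code between here and `normal_read` is skipped. The value that goes wrong is the subtraction in the very next condition, `if (smb_maxcnt > (sbuf.st_size - startpos))`, which is only meaningful when startpos <= sbuf.st_size; making that check an `else` of the `if (startpos > sbuf.st_size)` branch avoids evaluating it in the bad case with the same effect and keeps the control flow readable within the block.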
Looks correct but I like this patch better (just a bit
clearer to me what's going on). Let me know if it fixes
it the same for you.
Thanks!
Jeremy.
Index: smbd/reply.c
===================================================================
--- smbd/reply.c (revision 23751)
+++ smbd/reply.c (working copy)
@@ -2590,9 +2590,7 @@
if (startpos > sbuf.st_size) {
smb_maxcnt = 0;
- }
-
- if (smb_maxcnt > (sbuf.st_size - startpos)) {
+ } else if (smb_maxcnt > (sbuf.st_size - startpos)) {
smb_maxcnt = (sbuf.st_size - startpos);
}
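Review bot: the `} else if (smb_maxcnt > (sbuf.st_size - startpos)) {` line is the whole fix, since the else guarantees `sbuf.st_size - startpos` is never computed once startpos > sbuf.st_size, which is the difference that previously overflowed into smb_maxcnt, but nothing in the hunk records why the two checks must be exclusive, and a later cleanup could easily split them back into sequential ifs. Suggest a short comment above the block, e.g. `/* startpos beyond EOF: nothing to read; st_size - startpos would underflow. */`, so the invariant survives the next edit.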