[patch] bounds checking in send_file_readX

Jeremy Allison jra at samba.org
Mon Jul 9 00:41:04 GMT 2007


On Mon, Jul 09, 2007 at 02:36:42AM +0400, Dmitry Shatrov wrote:
> In send_file_readX(), if startpos > sbuf.st_size, then smb_maxcnt is set
> to an invalid large value due to integer overflow.
> As for me, this resulted in MS Word hanging while trying to save
> a 1.5Mb document.
> 
> Introduced by the following patch: 
> http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/branches/SAMBA_3_0/source/smbd/reply.c?rev=22920&r1=22846&r2=22920
> 

> Index: source/smbd/reply.c
> ===================================================================
> --- source/smbd/reply.c	(revision 23750)
> +++ source/smbd/reply.c	(working copy)
> @@ -2590,6 +2590,7 @@
>  
>  	if (startpos > sbuf.st_size) {
>  		smb_maxcnt = 0;
> +		goto normal_read;
>  	}
>  
>  	if (smb_maxcnt > (sbuf.st_size - startpos)) {
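Review bot: the `goto normal_read` added after `smb_maxcnt = 0;` jumps to a label that is not in this hunk, so a reader of the diff cannot see what else between this point and `normal_read:` gets skipped besides the clamp on the following line. The only statement that needs bypassing is the second `if`, whose `sbuf.st_size - startpos` is negative exactly when `startpos > sbuf.st_size`; attaching that `if` to the first one as an `else if` expresses the same intent without a forward jump and without depending on where the label sits.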

Looks correct but I like this patch better (just a bit
clearer to me what's going on). Let me know if it fixes
it the same for you.

Thanks !

Jeremy.
-------------- next part --------------
Index: smbd/reply.c
===================================================================
--- smbd/reply.c	(revision 23751)
+++ smbd/reply.c	(working copy)
@@ -2590,9 +2590,7 @@
 
 	if (startpos > sbuf.st_size) {
 		smb_maxcnt = 0;
-	}
-
-	if (smb_maxcnt > (sbuf.st_size - startpos)) {
+	} else if (smb_maxcnt > (sbuf.st_size - startpos)) {
 		smb_maxcnt = (sbuf.st_size - startpos);
 	}
 
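Review bot: the `else if` fixes the visible logic, since the subtraction now runs only when `startpos <= sbuf.st_size` and is therefore never negative, but the hunk does not show the declared types of `smb_maxcnt` and `startpos`, and the huge value reported above comes from a negative signed difference being compared with and then stored into an unsigned count. A one-line comment above `if (startpos > sbuf.st_size)` stating that the `else` is there to keep a negative difference out of the comparison would stop a later cleanup from splitting the two conditions back into independent `if`s and reintroducing the bug.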

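The overflow described in the quoted report, reproduced as a stand-alone added example (this is not Samba code and not code from the thread). The types are an assumption: the request count is modelled as a 32-bit unsigned `cnt_t` standing in for `size_t smb_maxcnt`, and the offsets as a 64-bit signed `off64` standing in for `startpos` and `sbuf.st_size`, because that pairing makes the comparison promote the count to the signed type and reproduces the reported behaviour deterministically. `clamp_before` is the two-independent-`if`s form the report describes, `clamp_after` is the `else if` form of the attached patch; both take the same arguments so the two results can be compared directly.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed types (see lead-in): narrow unsigned count, wide signed offsets. */
typedef uint32_t cnt_t;   /* stands in for size_t smb_maxcnt */
typedef int64_t  off64;   /* stands in for the off_t startpos / sbuf.st_size */

/* Clamp as described in the report: two independent ifs. */
static cnt_t clamp_before(off64 st_size, off64 startpos, cnt_t smb_maxcnt)
{
    if (startpos > st_size) {
        smb_maxcnt = 0;
    }
    /* When startpos > st_size the difference is negative. The 32-bit unsigned
     * count is promoted to the 64-bit signed offset type for the comparison,
     * so "0 > -N" is true and the negative difference is stored back into the
     * unsigned count, wrapping to a value near UINT32_MAX. */
    if (smb_maxcnt > (st_size - startpos)) {
        smb_maxcnt = (cnt_t)(st_size - startpos);
    }
    return smb_maxcnt;
}

/* Clamp in the shape of the attached patch: the subtraction only runs when
 * startpos <= st_size, so the difference is never negative. */
static cnt_t clamp_after(off64 st_size, off64 startpos, cnt_t smb_maxcnt)
{
    if (startpos > st_size) {
        smb_maxcnt = 0;
    } else if (smb_maxcnt > (st_size - startpos)) {
        smb_maxcnt = (cnt_t)(st_size - startpos);
    }
    return smb_maxcnt;
}

/* Constructed inputs: a 1000-byte file, reads starting past, at, and
 * inside its end. */
static void show(off64 st_size, off64 startpos, cnt_t req)
{
    printf("st_size=%" PRId64 " startpos=%" PRId64 " req=%" PRIu32
           "  before=%" PRIu32 "  after=%" PRIu32 "\n",
           st_size, startpos, req,
           clamp_before(st_size, startpos, req),
           clamp_after(st_size, startpos, req));
}

int main(void)
{
    show(1000, 2000, 65536);   /* past EOF: before wraps, after gives 0 */
    show(1000, 1000, 65536);   /* at EOF: both give 0 */
    show(1000,  900, 65536);   /* 100 bytes left: both clamp to 100 */
    show(10000,   0,  4096);   /* request fits: both leave it unchanged */
    return 0;
}
```

The wrap only appears when the count type is narrower than the offset type; if both were the same width (for example an unsigned long count against a long offset), the usual arithmetic conversions would turn the negative difference into a huge unsigned value on the right-hand side of the `>` instead, the comparison would be false, and the count would stay at 0. That platform dependence is why a fix that removes the negative operand altogether, as the `else if` does, is preferable to one that relies on which way the promotion happens to go.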

More information about the samba-technical mailing list