There are tests all over the SMB1 code to check that srv_send_smb fails, but it never returns false
Richard Sharpe
realrichardsharpe at gmail.com
Fri Jul 19 18:02:32 MDT 2013
On Fri, Jul 19, 2013 at 12:57 PM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> Hi folks,
>
> We see the following code in srv_send_smb (even in master):
>
> ret = write_data(sconn->sock, buf_out+nwritten, len - nwritten);
> if (ret <= 0) {
>
> char addr[INET6_ADDRSTRLEN];
> /*
> * Try and give an error message saying what
> * client failed.
> */
> DEBUG(1,("pid[%d] Error writing %d bytes to client %s.
> %d. (%s)\n",
> (int)sys_getpid(), (int)len,
> get_peer_addr(sconn->sock, addr, sizeof(addr)),
> (int)ret, strerror(errno) ));
>
> srv_free_enc_buffer(buf_out);
> goto out;
> }
>
> SMB_PERFCOUNT_SET_MSGLEN_OUT(pcd, len);
> srv_free_enc_buffer(buf_out);
> out:
> SMB_PERFCOUNT_END(pcd);
>
> smbd_unlock_socket(sconn);
> return true;
> }
>
> Even if the write to the socket/fd fails, we never return false and
> will keep reading stuff off of the input buffer until it is exhausted
> and then we will exit. That seems somewhat incorrect.
I think this is the fix:
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 5ef0fd3..210a281 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -194,7 +194,7 @@ out:
SMB_PERFCOUNT_END(pcd);
smbd_unlock_socket(sconn);
- return true;
+ return ret > 0;
}
/*******************************************************************
--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: process.c.patch
Type: application/octet-stream
Size: 338 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130719/a145d1ce/attachment.obj>
More information about the samba-technical
mailing list