There are tests all over the SMB1 code to check that srv_send_smb fails, but it never returns false

Mon Jul 22 17:04:18 MDT 2013

On Fri, Jul 19, 2013 at 05:02:32PM -0700, Richard Sharpe wrote:
> On Fri, Jul 19, 2013 at 12:57 PM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
> > Hi folks,
> >
> > We see the following code in srv_send_smb (even in master):
> >
> >         ret = write_data(sconn->sock, buf_out+nwritten, len - nwritten);
> >         if (ret <= 0) {
> >
> >                 char addr[INET6_ADDRSTRLEN];
> >                 /*
> >                  * Try and give an error message saying what
> >                  * client failed.
> >                  */
> >                 DEBUG(1,("pid[%d] Error writing %d bytes to client %s.
> > %d. (%s)\n",
> >                          (int)sys_getpid(), (int)len,
> >                          get_peer_addr(sconn->sock, addr, sizeof(addr)),
> >                          (int)ret, strerror(errno) ));
> >
> >                 srv_free_enc_buffer(buf_out);
> >                 goto out;
> >         }
> >
> >         SMB_PERFCOUNT_SET_MSGLEN_OUT(pcd, len);
> >         srv_free_enc_buffer(buf_out);
> > out:
> >         SMB_PERFCOUNT_END(pcd);
> >
> >         smbd_unlock_socket(sconn);
> >         return true;
> > }
> >
> > Even if the write to the socket/fd fails, we never return false and
> > will keep reading stuff off of the input buffer until it is exhausted
> > and then we will exit. That seems somewhat incorrect.
> 
> I think this is the fix:
> 
> diff --git a/source3/smbd/process.c b/source3/smbd/process.c
> index 5ef0fd3..210a281 100644
> --- a/source3/smbd/process.c
> +++ b/source3/smbd/process.c
> @@ -194,7 +194,7 @@ out:
>         SMB_PERFCOUNT_END(pcd);
> 
>         smbd_unlock_socket(sconn);
> -       return true;
> +       return ret > 0;
>  }

Yep, looks correct to me.

Jeremy