Patches for bug 10422 - max xmit > 64kb leads in segmentation fault

Jeremy Allison jra at samba.org
Wed Mar 5 11:51:26 MST 2014


On Wed, Mar 05, 2014 at 02:49:57PM +0100, Stefan (metze) Metzmacher wrote:
> Hi,
> 
> here're patches for https://bugzilla.samba.org/show_bug.cgi?id=10422

LGTM except for :

--------------------------------------------------------------
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 4 14:07:26 2014 +0100

    s3:smbd: fix the read numtoread calculation depending on the max_send.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 4ca5f7d..47413a5 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3569,6 +3569,7 @@ void reply_read(struct smb_request *req)
 {
        connection_struct *conn = req->conn;
        size_t numtoread;
+       size_t maxtoread;
        ssize_t nread = 0;
        char *data;
        off_t startpos;
@@ -3601,17 +3602,17 @@ void reply_read(struct smb_request *req)
        numtoread = SVAL(req->vwv+1, 0);
        startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
 
-       numtoread = MIN(BUFFER_SIZE-outsize,numtoread);
-
        /*
-        * The requested read size cannot be greater than max_recv. JRA.
+        * The requested read size cannot be greater than max_send. JRA.
         */
-       if (numtoread > sconn->smb1.negprot.max_recv) {
-               DEBUG(0,("reply_read: requested read size (%u) is greater than maximum allowed (%u). \
+       maxtoread = sconn->smb1.sessions.max_send - (smb_size + 5*2 + 3);
+
+       if (numtoread > maxtoread) {
+               DEBUG(0,("reply_read: requested read size (%u) is greater than maximum allowed (%u/%u). \
 Returning short read of maximum allowed for compatibility with Windows 2000.\n",
-                       (unsigned int)numtoread,
-                       (unsigned int)sconn->smb1.negprot.max_recv));
-               numtoread = MIN(numtoread, sconn->smb1.negprot.max_recv);
+                       (unsigned int)numtoread, (unsigned int)maxtoread,
+                       (unsigned int)sconn->smb1.sessions.max_send));
+               numtoread = maxtoread;
        }
 
        reply_outbuf(req, 5, numtoread+3);
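Review bot: the new `maxtoread = sconn->smb1.sessions.max_send - (smb_size + 5*2 + 3);` has no guard against `max_send` being smaller than the header bytes being subtracted; since both sides are unsigned, that case would wrap `maxtoread` to a huge value, the `numtoread > maxtoread` check would never fire, and `reply_outbuf(req, 5, numtoread+3)` would again be sized from the client-supplied `numtoread`. If `max_send` is already clamped to a safe minimum at session setup, a short comment (or an `SMB_ASSERT`) here would make that invariant visible at the point it is relied on. Separately, removing `numtoread = MIN(BUFFER_SIZE-outsize,numtoread);` leaves `outsize` assigned but never read in this function, so its declaration and assignment should be dropped in the same change to avoid the unused-variable warning.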
--------------------------------------------------------------

This removes the last use of the variable outsize
(which was set to zero and therefore essentially useless
anyway :-), thus creating an "unused variable" warning.

Fixed version of this specific change attached.

Metze, if you're OK with the change I'll push
all of them with my Reviewed-by:

Cheers,

	Jeremy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod.diff
Type: text/x-diff
Size: 1996 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140305/d2b28f24/attachment.diff>