Patches for bug 10422 - max xmit > 64kb leads in segmentation fault
Jeremy Allison
jra at samba.org
Wed Mar 5 11:51:26 MST 2014
On Wed, Mar 05, 2014 at 02:49:57PM +0100, Stefan (metze) Metzmacher wrote:
> Hi,
>
> here're patches for https://bugzilla.samba.org/show_bug.cgi?id=10422
LGTM except for:
--------------------------------------------------------------
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 4 14:07:26 2014 +0100
s3:smbd: fix the read numtoread calculation depending on the max_send.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 4ca5f7d..47413a5 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3569,6 +3569,7 @@ void reply_read(struct smb_request *req)
{
connection_struct *conn = req->conn;
size_t numtoread;
+ size_t maxtoread;
ssize_t nread = 0;
char *data;
off_t startpos;
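Review bot: this declaration-only hunk is incomplete by itself: the second hunk removes `numtoread = MIN(BUFFER_SIZE-outsize,numtoread);`, which is the last use of `outsize` in this function, so `outsize` should be dropped from the locals here in the same patch, otherwise the build picks up an unused-variable warning for it. Declaring `maxtoread` as `size_t` beside `numtoread` is fine since both are compared and assigned to each other.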
@@ -3601,17 +3602,17 @@ void reply_read(struct smb_request *req)
numtoread = SVAL(req->vwv+1, 0);
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
- numtoread = MIN(BUFFER_SIZE-outsize,numtoread);
-
/*
- * The requested read size cannot be greater than max_recv. JRA.
+ * The requested read size cannot be greater than max_send. JRA.
*/
- if (numtoread > sconn->smb1.negprot.max_recv) {
- DEBUG(0,("reply_read: requested read size (%u) is greater than maximum allowed (%u). \
+ maxtoread = sconn->smb1.sessions.max_send - (smb_size + 5*2 + 3);
+
+ if (numtoread > maxtoread) {
+ DEBUG(0,("reply_read: requested read size (%u) is greater than maximum allowed (%u/%u). \
Returning short read of maximum allowed for compatibility with Windows 2000.\n",
- (unsigned int)numtoread,
- (unsigned int)sconn->smb1.negprot.max_recv));
- numtoread = MIN(numtoread, sconn->smb1.negprot.max_recv);
+ (unsigned int)numtoread, (unsigned int)maxtoread,
+ (unsigned int)sconn->smb1.sessions.max_send));
+ numtoread = maxtoread;
}
reply_outbuf(req, 5, numtoread+3);
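Review bot: `maxtoread = sconn->smb1.sessions.max_send - (smb_size + 5*2 + 3);` is an unsigned subtraction into a `size_t`; if `max_send` can ever be smaller than `smb_size + 13` (it is a client-influenced value, unless it is clamped to a minimum elsewhere), the result wraps to a huge value, `numtoread > maxtoread` never fires, and `reply_outbuf(req, 5, numtoread+3)` is again called with an unclamped size. Either guard it (`if (sconn->smb1.sessions.max_send < smb_size + 5*2 + 3)` then reject the request) or add a comment pointing at where `max_send` is guaranteed to be at least the header size. The new DEBUG message printing both `maxtoread` and `max_send` is a useful addition; note it still logs at level 0 on a purely client-triggered condition, so a misbehaving client can fill the log.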
--------------------------------------------------------------
This removes the last use of the variable outsize
(which was set to zero and therefore essentially useless
anyway :-) so creating an "unused variable" warning.
Fixed version of this specific change attached.
Metze, if you're OK with the change I'll push
all of them with my Reviewed-by:
Cheers,
Jeremy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod.diff
Type: text/x-diff
Size: 1996 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140305/d2b28f24/attachment.diff>