Patches for bug 10422 - max xmit > 64kb leads in segmentation fault

Stefan (metze) Metzmacher metze at samba.org
Wed Mar 5 12:42:57 MST 2014


On 05.03.2014 19:51, Jeremy Allison wrote:
> On Wed, Mar 05, 2014 at 02:49:57PM +0100, Stefan (metze) Metzmacher wrote:
>> Hi,
>>
>> here're patches for https://bugzilla.samba.org/show_bug.cgi?id=10422
> 
> LGTM except for :
> 
> --------------------------------------------------------------
> Author: Stefan Metzmacher <metze at samba.org>
> Date:   Tue Mar 4 14:07:26 2014 +0100
> 
>     s3:smbd: fix the read numtoread calculation depending on the max_send.
>     
>     Signed-off-by: Stefan Metzmacher <metze at samba.org>
> 
> diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
> index 4ca5f7d..47413a5 100644
> --- a/source3/smbd/reply.c
> +++ b/source3/smbd/reply.c
> @@ -3569,6 +3569,7 @@ void reply_read(struct smb_request *req)
>  {
>         connection_struct *conn = req->conn;
>         size_t numtoread;
> +       size_t maxtoread;
>         ssize_t nread = 0;
>         char *data;
>         off_t startpos;
> @@ -3601,17 +3602,17 @@ void reply_read(struct smb_request *req)
>         numtoread = SVAL(req->vwv+1, 0);
>         startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
>  
> -       numtoread = MIN(BUFFER_SIZE-outsize,numtoread);
> -
>         /*
> -        * The requested read size cannot be greater than max_recv. JRA.
> +        * The requested read size cannot be greater than max_send. JRA.
>          */
> -       if (numtoread > sconn->smb1.negprot.max_recv) {
> -               DEBUG(0,("reply_read: requested read size (%u) is greater than maximum allowed (%u). \
> +       maxtoread = sconn->smb1.sessions.max_send - (smb_size + 5*2 + 3);
> +
> +       if (numtoread > maxtoread) {
> +               DEBUG(0,("reply_read: requested read size (%u) is greater than maximum allowed (%u/%u). \
>  Returning short read of maximum allowed for compatibility with Windows 2000.\n",
> -                       (unsigned int)numtoread,
> -                       (unsigned int)sconn->smb1.negprot.max_recv));
> -               numtoread = MIN(numtoread, sconn->smb1.negprot.max_recv);
> +                       (unsigned int)numtoread, (unsigned int)maxtoread,
> +                       (unsigned int)sconn->smb1.sessions.max_send));
> +               numtoread = maxtoread;
>         }
>  
>         reply_outbuf(req, 5, numtoread+3);
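Review bot: The subtraction in `maxtoread = sconn->smb1.sessions.max_send - (smb_size + 5*2 + 3);` has no lower-bound check visible in this hunk. maxtoread is a size_t, so if max_send is ever smaller than smb_size + 5*2 + 3 the result wraps to a very large value, the `numtoread > maxtoread` test never fires, and the clamp is silently lost. Suggest comparing max_send against the header overhead before subtracting (or stating the invariant where max_send is set) and falling back to a zero-length read otherwise. The constants 5*2 + 3 mirror the `reply_outbuf(req, 5, numtoread+3)` call at the end of the hunk; a short comment or a named constant tying the two together would keep them from drifting apart. The updated comment also says the read size cannot be greater than max_send, while the code limits it to max_send minus the header overhead, so the comment should say that.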
> --------------------------------------------------------------
> 
> This removes the last use of the variable outsize
> (which was set to zero and therefore essentially useless
> anyway :-) so creating an "unused variable" warning.
> 
> Fixed version of this specific change attached.
> 
> Metze, if you're OK with the change I'll push
> all of them with my Reviewed-by:

Yes, thanks!

metze

