Patches for bug 10422 - max xmit > 64kb leads in segmentation fault
Stefan (metze) Metzmacher
metze at samba.org
Wed Mar 5 12:42:57 MST 2014
On 05.03.2014 19:51, Jeremy Allison wrote:
> On Wed, Mar 05, 2014 at 02:49:57PM +0100, Stefan (metze) Metzmacher wrote:
>> Hi,
>>
>> here're patches for https://bugzilla.samba.org/show_bug.cgi?id=10422
>
> LGTM except for :
>
> --------------------------------------------------------------
> Author: Stefan Metzmacher <metze at samba.org>
> Date: Tue Mar 4 14:07:26 2014 +0100
>
> s3:smbd: fix the read numtoread calculation depending on the max_send.
>
> Signed-off-by: Stefan Metzmacher <metze at samba.org>
>
> diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
> index 4ca5f7d..47413a5 100644
> --- a/source3/smbd/reply.c
> +++ b/source3/smbd/reply.c
> @@ -3569,6 +3569,7 @@ void reply_read(struct smb_request *req)
> {
> connection_struct *conn = req->conn;
> size_t numtoread;
> + size_t maxtoread;
> ssize_t nread = 0;
> char *data;
> off_t startpos;
> @@ -3601,17 +3602,17 @@ void reply_read(struct smb_request *req)
> numtoread = SVAL(req->vwv+1, 0);
> startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
>
> - numtoread = MIN(BUFFER_SIZE-outsize,numtoread);
> -
> /*
> - * The requested read size cannot be greater than max_recv. JRA.
> + * The requested read size cannot be greater than max_send. JRA.
> */
> - if (numtoread > sconn->smb1.negprot.max_recv) {
> - DEBUG(0,("reply_read: requested read size (%u) is greater than maximum allowed (%u). \
> + maxtoread = sconn->smb1.sessions.max_send - (smb_size + 5*2 + 3);
> +
> + if (numtoread > maxtoread) {
> + DEBUG(0,("reply_read: requested read size (%u) is greater than maximum allowed (%u/%u). \
> Returning short read of maximum allowed for compatibility with Windows 2000.\n",
> - (unsigned int)numtoread,
> - (unsigned int)sconn->smb1.negprot.max_recv));
> - numtoread = MIN(numtoread, sconn->smb1.negprot.max_recv);
> + (unsigned int)numtoread, (unsigned int)maxtoread,
> + (unsigned int)sconn->smb1.sessions.max_send));
> + numtoread = maxtoread;
> }
>
> reply_outbuf(req, 5, numtoread+3);
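Review bot: the new line `maxtoread = sconn->smb1.sessions.max_send - (smb_size + 5*2 + 3);` stores an unchecked subtraction in a size_t, so if max_send is ever smaller than that fixed overhead the result wraps to a very large value and the `numtoread > maxtoread` clamp no longer limits anything. Either compare max_send against the overhead before subtracting, or say in the comment above where a minimum for max_send is enforced. The `5*2 + 3` term mirrors the `reply_outbuf(req, 5, numtoread+3)` call that follows; a short comment tying the two together would stop them drifting apart.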
> --------------------------------------------------------------
>
> This removes the last use of the variable outsize
> (which was set to zero and therefore essentially useless
> anyway :-) so creating an "unused variable" warning.
>
> Fixed version of this specific change attached.
>
> Metze, if you're OK with the change I'll push
> all of them with my Reviewed-by:
Yes, thanks!
metze