authorAndrew Tridgell <tridge@samba.org>2004-11-02 22:01:11 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:05:21 -0500
commitacb23b2c5fa02ebbee762a8bf4b9d1fec40d4fea (patch)
treefc172c72d1054eb73d37549a4bc8b0c7d32cca14
parentbd6bc9c5ee434793686981413c14646a06cf092f (diff)
r3493: fixed a bug in readx reply where the client specifies an invalid high
part of the maxcnt. This caused an allocation failure and server exit. Note: we need to go back over all the places in the core smb_server that can cause allocation failures based on user input and fix them to instead produce a SMB error. Thanks to Susan for finding this bug. (This used to be commit 4aed1b7921a3bfef460f8602467ac0dca9561032)
-rw-r--r--source4/smb_server/reply.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/source4/smb_server/reply.c b/source4/smb_server/reply.c
index eb75ab08c7..9c7d027f4a 100644
--- a/source4/smb_server/reply.c
+++ b/source4/smb_server/reply.c
@@ -892,8 +892,14 @@ void reply_read_and_X(struct smbsrv_request *req)
io->readx.in.offset = IVAL(req->in.vwv, VWV(3));
io->readx.in.maxcnt = SVAL(req->in.vwv, VWV(5));
io->readx.in.mincnt = SVAL(req->in.vwv, VWV(6));
- io->readx.in.maxcnt |= IVAL(req->in.vwv, VWV(7)) << 16;
io->readx.in.remaining = SVAL(req->in.vwv, VWV(9));
+
+ if (req->smb_conn->negotiate.client_caps & CAP_LARGE_READX) {
+ uint32_t high_part = IVAL(req->in.vwv, VWV(7));
+ if (high_part == 1) {
+ io->readx.in.maxcnt |= high_part << 16;
+ }
+ }
/* the 64 bit variant */
if (req->in.wct == 12) {
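Review bot: The `high_part == 1` test inside the new `CAP_LARGE_READX` block is now the only thing that bounds `io->readx.in.maxcnt`, yet the code does not say so or explain why 1 is the only accepted value. I would add a comment above it such as `/* only a high part of exactly 1 is honoured, which caps maxcnt at 0x1ffff; any other value is ignored so client input cannot drive a huge allocation */`. Any other non-zero high part is silently dropped and the read proceeds with the 16-bit count; if that is intentional rather than an error case, the comment should say so. The outer check reads `negotiate.client_caps`, which presumably reflects what the client itself sent, so it should not be treated as a limit in its own right. The body of `reply_read_and_X` starts and ends outside this hunk, so where the buffer is sized from `maxcnt` is not visible here.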