summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2009-08-05 20:23:12 +1000
committerAndrew Tridgell <tridge@samba.org>2009-08-05 20:24:01 +1000
commit3854b5e6146ff8efeb4379a502bb083cbaa05ce4 (patch)
treeef46deaa2dadf39bba7b9da8a181520b3ac52db9
parent67b6f5784ae8d2e5c5b783b24a4b0ff555a28d44 (diff)
downloadsamba-3854b5e6146ff8efeb4379a502bb083cbaa05ce4.tar.gz
samba-3854b5e6146ff8efeb4379a502bb083cbaa05ce4.tar.bz2
samba-3854b5e6146ff8efeb4379a502bb083cbaa05ce4.zip
changed BCC handling for SMBwriteX to handle broken MacOSX client
see bug #6610 The MacOSX SMB client sets the BCC value in SMBwriteX calls to zero instead of the correct size. Checking against WindowsXP, I've found that Windows uses the maximum of the computed buffer size and the given BCC value. I've changed Samba4 to do the same to allow MacOSX to work. I've limited this change to non-chained packets to ensure we don't get the possibility of exploits based on overlapping chained requests
-rw-r--r--source4/smb_server/smb/receive.c21
1 files changed, 8 insertions, 13 deletions
diff --git a/source4/smb_server/smb/receive.c b/source4/smb_server/smb/receive.c
index 03631f8f0b..9a039095e6 100644
--- a/source4/smb_server/smb/receive.c
+++ b/source4/smb_server/smb/receive.c
@@ -407,19 +407,14 @@ NTSTATUS smbsrv_recv_smb_request(void *private_data, DATA_BLOB blob)
req->in.data = req->in.vwv + VWV(req->in.wct) + 2;
req->in.data_size = SVAL(req->in.vwv, VWV(req->in.wct));
- /* the bcc length is only 16 bits, but some packets
- (such as SMBwriteX) can be much larger than 64k. We
- detect this by looking for a large non-chained NBT
- packet (at least 64k bigger than what is
- specified). If it is detected then the NBT size is
- used instead of the bcc size */
- if (req->in.data_size + 0x10000 <=
- req->in.size - PTR_DIFF(req->in.data, req->in.buffer) &&
- ( message_flags(command) & LARGE_REQUEST) &&
- ( !(message_flags(command) & AND_X) ||
- (req->in.wct < 1 || SVAL(req->in.vwv, VWV(0)) == SMB_CHAIN_NONE) )
- ) {
- /* its an oversized packet! fun for all the family */
+ /* special handling for oversize calls. Windows seems
+ to take the maximum of the BCC value and the
+ computed buffer size. This handles oversized writeX
+ calls, and possibly oversized SMBtrans calls */
+ if ((message_flags(command) & LARGE_REQUEST) &&
+ ( !(message_flags(command) & AND_X) ||
+ (req->in.wct < 1 || SVAL(req->in.vwv, VWV(0)) == SMB_CHAIN_NONE)) &&
+ req->in.data_size < req->in.size - PTR_DIFF(req->in.data,req->in.buffer)) {
req->in.data_size = req->in.size - PTR_DIFF(req->in.data,req->in.buffer);
}
}