diff options
author | Volker Lendecke <vlendec@samba.org> | 2006-05-27 21:38:54 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:17:13 -0500 |
commit | 263b01ecb9a09c80c3b519c5ec4e52437ace9da0 (patch) | |
tree | 62a07a90177d0cf19ba2b692d9881a056a840541 | |
parent | c334de0435419e5105c2aba269d169f9ebf12498 (diff) | |
download | samba-263b01ecb9a09c80c3b519c5ec4e52437ace9da0.tar.gz samba-263b01ecb9a09c80c3b519c5ec4e52437ace9da0.tar.bz2 samba-263b01ecb9a09c80c3b519c5ec4e52437ace9da0.zip |
r15911: Make us survive rpc-authcontext committed next
(This used to be commit c24bfdce625782637b5f4d11a5117ef795ddfc2f)
-rw-r--r-- | source3/smbd/ipc.c | 6 | ||||
-rw-r--r-- | source3/smbd/pipes.c | 10 |
2 files changed, 16 insertions, 0 deletions
diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c index 7f9505606c..3250387909 100644 --- a/source3/smbd/ipc.c +++ b/source3/smbd/ipc.c @@ -291,6 +291,12 @@ static int api_fd_reply(connection_struct *conn,uint16 vuid,char *outbuf, return ERROR_NT(NT_STATUS_INVALID_HANDLE); } + if (vuid != p->vuid) { + DEBUG(1, ("Got pipe request (pnum %x) using invalid VUID %d, " + "expected %d\n", pnum, vuid, p->vuid)); + return ERROR_NT(NT_STATUS_INVALID_HANDLE); + } + DEBUG(3,("Got API command 0x%x on pipe \"%s\" (pnum %x)\n", subcommand, p->name, pnum)); /* record maximum data length that can be transmitted in an SMBtrans */ diff --git a/source3/smbd/pipes.c b/source3/smbd/pipes.c index 12f3d180b1..2d90383706 100644 --- a/source3/smbd/pipes.c +++ b/source3/smbd/pipes.c @@ -121,6 +121,7 @@ int reply_open_pipe_and_X(connection_struct *conn, int reply_pipe_write(char *inbuf,char *outbuf,int length,int dum_bufsize) { smb_np_struct *p = get_rpc_pipe_p(inbuf,smb_vwv0); + uint16 vuid = SVAL(inbuf,smb_uid); size_t numtowrite = SVAL(inbuf,smb_vwv1); int nwritten; int outsize; @@ -130,6 +131,10 @@ int reply_pipe_write(char *inbuf,char *outbuf,int length,int dum_bufsize) return(ERROR_DOS(ERRDOS,ERRbadfid)); } + if (p->vuid != vuid) { + return ERROR_NT(NT_STATUS_INVALID_HANDLE); + } + data = smb_buf(inbuf) + 3; if (numtowrite == 0) { @@ -161,6 +166,7 @@ int reply_pipe_write(char *inbuf,char *outbuf,int length,int dum_bufsize) int reply_pipe_write_and_X(char *inbuf,char *outbuf,int length,int bufsize) { smb_np_struct *p = get_rpc_pipe_p(inbuf,smb_vwv2); + uint16 vuid = SVAL(inbuf,smb_uid); size_t numtowrite = SVAL(inbuf,smb_vwv10); int nwritten = -1; int smb_doff = SVAL(inbuf, smb_vwv11); @@ -172,6 +178,10 @@ int reply_pipe_write_and_X(char *inbuf,char *outbuf,int length,int bufsize) return(ERROR_DOS(ERRDOS,ERRbadfid)); } + if (p->vuid != vuid) { + return ERROR_NT(NT_STATUS_INVALID_HANDLE); + } + data = smb_base(inbuf) + smb_doff; if (numtowrite == 0) { |