diff options
| author | Andrew Tridgell <tridge@samba.org> | 1998-09-01 01:10:01 +0000 |
|---|---|---|
| committer | Andrew Tridgell <tridge@samba.org> | 1998-09-01 01:10:01 +0000 |
| commit | a5f8955ccb875f8467a83c241abf2e58c2bb96f4 (patch) | |
| tree | 41737eca1403f66c5fdad29a0e7efb439c192c5a | |
| parent | 693480af8bb2d3e83566af9463ca427f47a879da (diff) | |
| download | samba-a5f8955ccb875f8467a83c241abf2e58c2bb96f4.tar.gz samba-a5f8955ccb875f8467a83c241abf2e58c2bb96f4.tar.bz2 samba-a5f8955ccb875f8467a83c241abf2e58c2bb96f4.zip | |
check that a valid pipe is passed before doing a pipe close.
I made this change after getting a segv in reply_pipe_close(). The
funny thing was that pipes_open was 1 and Pipes was NULL. That "can't
happen" and suggests that we have a wild pointer somewhere.
I suspect the rpc code, as I was playing with long share names (a
share called "averylongusername") at the time and the logs show lots
of srvsvc operations. I bet there is a buffer in the rpc code
somewhere that is overflowing and trashing bits of the data segment.
(This used to be commit 9fee8c2eb7bd05431cd9bcfbed3804c8ca1ee593)
| -rw-r--r-- | source3/smbd/pipes.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/source3/smbd/pipes.c b/source3/smbd/pipes.c index fed5c2bd17..97df3abfc3 100644 --- a/source3/smbd/pipes.c +++ b/source3/smbd/pipes.c @@ -121,6 +121,8 @@ int reply_pipe_read_and_X(char *inbuf,char *outbuf,int length,int bufsize) char *data; BOOL ok = False; + if (!p) return(ERROR(ERRDOS,ERRbadfid)); + set_message(outbuf,12,0,True); data = smb_buf(outbuf); @@ -148,6 +150,8 @@ int reply_pipe_close(connection_struct *conn, char *inbuf,char *outbuf) pipes_struct *p = get_rpc_pipe_p(inbuf,smb_vwv0); int outsize = set_message(outbuf,0,0,True); + if (!p) return(ERROR(ERRDOS,ERRbadfid)); + DEBUG(5,("reply_pipe_close: pnum:%x\n", p->pnum)); if (!close_rpc_pipe_hnd(p, conn)) return(ERROR(ERRDOS,ERRbadfid)); |