Check sizes of data entries in connections.tdb before deciding they're crecs...

We will need this when we use finer grained locking for max connections.
Jeremy.
(This used to be commit c6cd42a6791e26174eb795fd08ddbbd797e5a9cf)

4 files changed, 30 insertions, 7 deletions

diff --git a/source3/lib/messages.c b/source3/lib/messages.c
index 3b45a9c305..b18cebf6cf 100644
--- a/source3/lib/messages.c
+++ b/source3/lib/messages.c
@@ -361,9 +361,13 @@ static int traverse_fn(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf, void
 	struct connections_data crec;
 	struct msg_all *msg_all = (struct msg_all *)state;
 
+	if (dbuf.dsize != sizeof(crec))
+		return 0;
+
 	memcpy(&crec, dbuf.dptr, sizeof(crec));
 
-	if (crec.cnum != -1) return 0;
+	if (crec.cnum != -1)
+		return 0;
 
 	/* if the msg send fails because the pid was not found (i.e. smbd died), 
 	 * the msg has already been deleted from the messages.tdb.*/
diff --git a/source3/smbd/connection.c b/source3/smbd/connection.c
index 47579fa5f7..5a3fcc2975 100644
--- a/source3/smbd/connection.c
+++ b/source3/smbd/connection.c
@@ -79,6 +79,9 @@ static int count_fn( TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf, void *u
 	struct connections_data crec;
 	struct count_stat *cs = (struct count_stat *)udp;
  
+	if (dbuf.dsize != sizeof(crec))
+		return 0;
+
 	memcpy(&crec, dbuf.dptr, sizeof(crec));
  
 	if (crec.cnum == -1)
diff --git a/source3/utils/status.c b/source3/utils/status.c
index 243ccdd755..55c3c1bad1 100644
--- a/source3/utils/status.c
+++ b/source3/utils/status.c
@@ -186,9 +186,13 @@ static int traverse_fn1(TDB_CONTEXT *tdb, TDB_DATA kbuf, TDB_DATA dbuf, void *st
 	struct session_record *ptr;
 	struct connections_data crec;
 
+	if (dbuf.dsize != sizeof(crec))
+		return 0;
+
 	memcpy(&crec, dbuf.dptr, sizeof(crec));
 
-	if (crec.cnum == -1) return 0;
+	if (crec.cnum == -1)
+		return 0;
 
 	if (!process_exists(crec.pid) || !Ucrit_checkUsername(uidtoname(crec.uid))) {
 		return 0;
diff --git a/source3/web/statuspage.c b/source3/web/statuspage.c
index 27a40d1695..51f2e8f00e 100644
--- a/source3/web/statuspage.c
+++ b/source3/web/statuspage.c
@@ -1,6 +1,6 @@
 /* 
    Unix SMB/Netbios implementation.
-   Version 1.9.
+   Version 2.2.
    web status page
    Copyright (C) Andrew Tridgell 1997-1998
    
@@ -76,6 +76,10 @@ static void print_share_mode(share_mode_entry *e, char *fname)
 static int traverse_fn1(TDB_CONTEXT *tdb, TDB_DATA kbuf, TDB_DATA dbuf, void* state)
 {
 	struct connections_data crec;
+
+	if (dbuf.dsize != sizeof(crec))
+		return 0;
+
 	memcpy(&crec, dbuf.dptr, sizeof(crec));
 
 	if (crec.cnum == -1 && process_exists(crec.pid)) {
@@ -92,10 +96,14 @@ static int traverse_fn1(TDB_CONTEXT *tdb, TDB_DATA kbuf, TDB_DATA dbuf, void* st
 static int traverse_fn2(TDB_CONTEXT *tdb, TDB_DATA kbuf, TDB_DATA dbuf, void* state)
 {
 	struct connections_data crec;
+
+	if (dbuf.dsize != sizeof(crec))
+		return 0;
+
 	memcpy(&crec, dbuf.dptr, sizeof(crec));
 	
-	if (crec.cnum != -1 || !process_exists(crec.pid) ||
-	    (crec.pid == smbd_pid)) return 0;
+	if (crec.cnum != -1 || !process_exists(crec.pid) || (crec.pid == smbd_pid))
+		return 0;
 
 	printf("<tr><td>%d</td><td>%s</td><td>%s</td><td>%s</td>\n",
 	       (int)crec.pid,
@@ -114,9 +122,14 @@ static int traverse_fn2(TDB_CONTEXT *tdb, TDB_DATA kbuf, TDB_DATA dbuf, void* st
 static int traverse_fn3(TDB_CONTEXT *tdb, TDB_DATA kbuf, TDB_DATA dbuf, void* state)
 {
 	struct connections_data crec;
+
+	if (dbuf.dsize != sizeof(crec))
+		return 0;
+
 	memcpy(&crec, dbuf.dptr, sizeof(crec));
 
-	if (crec.cnum == -1 || !process_exists(crec.pid)) return 0;
+	if (crec.cnum == -1 || !process_exists(crec.pid))
+		return 0;
 
 	printf("<tr><td>%s</td><td>%s</td><td>%s</td><td>%d</td><td>%s</td><td>%s</td></tr>\n",
 	       crec.name,uidtoname(crec.uid),
@@ -278,4 +291,3 @@ void status_page(void)
 		printf("//-->\n</script>\n");
 	}
 }
-