author | Andrew Tridgell <tridge@samba.org> | 2000-04-11 13:55:53 +0000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2000-04-11 13:55:53 +0000 |
commit | 2fa922611bf7160e2c1ce80c11b50006448bf98d (patch) | |
tree | ed29a6f6c0364ee631b049b26031139b9e74a4ec /source3/smbd/reply.c | |
parent | 03630a9aa9ce5c00619ad3c4bb498d95054ae03a (diff) | |
finally got sick of the "extern int Client" code and the stupid
assumption that we have one socket everywhere
while doing so I discovered a few bugs!
1) the clientgen session retarget code if used from smbd or nmbd would
cause a crash as it called close_sockets() which closed our main
socket! fixed by removing close_sockets() completely - it is unnecessary
2) the caching in client_addr() and client_name() was bogus - it could
easily get fooled and give the wrong result. fixed.
3) the retarget code could recurse, allowing an easy denial of
service attack on nmbd. fixed.
(This used to be commit 5937ab14d222696e40a3fc6f0e6a536f2d7305d3)
Diffstat (limited to 'source3/smbd/reply.c')
-rw-r--r-- | source3/smbd/reply.c | 25 |
1 files changed, 12 insertions, 13 deletions
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 81d3ef32b3..3ada28364b 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -40,7 +40,6 @@ extern BOOL short_case_preserve;
 extern pstring sesssetup_user;
 extern pstring global_myname;
 extern fstring global_myworkgroup;
-extern int Client;
 extern int global_oplock_break;
 uint32 global_client_caps = 0;
 unsigned int smb_echo_count = 0;
@@ -55,7 +54,7 @@ static void overflow_attack(int len)
 dbgtext( "ERROR: Invalid password length %d.\n", len );
 dbgtext( "Your machine may be under attack by someone " );
 dbgtext( "attempting to exploit an old bug.\n" );
- dbgtext( "Attack was from IP = %s.\n", client_addr(Client) );
+ dbgtext( "Attack was from IP = %s.\n", client_addr() );
 }
 exit_server("possible attack");
 }
@@ -2048,7 +2047,7 @@ int reply_readbraw(connection_struct *conn, char *inbuf, char *outbuf, int dum_s
 if(global_oplock_break) {
 _smb_setlen(header,0);
- transfer_file(0,Client,(SMB_OFF_T)0,header,4,0);
+ transfer_file(0,smbd_server_fd(),(SMB_OFF_T)0,header,4,0);
 DEBUG(5,("readbraw - oplock break finished\n"));
 return -1;
 }
@@ -2061,7 +2060,7 @@ int reply_readbraw(connection_struct *conn, char *inbuf, char *outbuf, int dum_s
 */
 DEBUG(3,("fnum %d not open in readbraw - cache prime?\n",(int)SVAL(inbuf,smb_vwv0)));
 _smb_setlen(header,0);
- transfer_file(0,Client,(SMB_OFF_T)0,header,4,0);
+ transfer_file(0,smbd_server_fd(),(SMB_OFF_T)0,header,4,0);
 return(-1);
 }
@@ -2088,7 +2087,7 @@ int reply_readbraw(connection_struct *conn, char *inbuf, char *outbuf, int dum_s
 DEBUG(0,("readbraw - large offset (%x << 32) used and we don't support \
 64 bit offsets.\n", (unsigned int)IVAL(inbuf,smb_vwv8) ));
 _smb_setlen(header,0);
- transfer_file(0,Client,(SMB_OFF_T)0,header,4,0);
+ transfer_file(0,smbd_server_fd(),(SMB_OFF_T)0,header,4,0);
 return(-1);
 }
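Review bot: The attack log line in overflow_attack now relies on `client_addr()` picking the right socket on its own, and nothing in the hunk says which socket that is. This message is what an administrator reads to attribute an invalid password length to a peer, so a short comment above the call would help, for example `/* client_addr() reports the peer of the smbd client connection */`. That mapping is inferred from the rest of the commit and should be confirmed against the definition of client_addr(). The body of overflow_attack starts outside the hunk.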
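Review bot: The zero-length reply in reply_readbraw is written out by hand in this hunk and again in the hunks at -2061, -2088 and -2098, each as `_smb_setlen(header,0);` followed by `transfer_file(0,smbd_server_fd(),(SMB_OFF_T)0,header,4,0);`. A small static helper would keep the four error paths from drifting apart, for example `static void readbraw_send_empty(char *header) { _smb_setlen(header,0); transfer_file(0,smbd_server_fd(),(SMB_OFF_T)0,header,4,0); }`, assuming header is a plain char buffer as the calls suggest. The result of transfer_file is discarded on all of these paths; if it can report a short or failed write, the helper is the natural place to log it. The function body starts and ends outside these hunks.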
@@ -2098,7 +2097,7 @@ int reply_readbraw(connection_struct *conn, char *inbuf, char *outbuf, int dum_s
 DEBUG(0,("readbraw - negative 64 bit readraw offset (%.0f) !\n", (double)startpos ));
 _smb_setlen(header,0);
- transfer_file(0,Client,(SMB_OFF_T)0,header,4,0);
+ transfer_file(0,smbd_server_fd(),(SMB_OFF_T)0,header,4,0);
 return(-1);
 }
 }
@@ -2167,7 +2166,7 @@ int reply_readbraw(connection_struct *conn, char *inbuf, char *outbuf, int dum_s
 if (ret < mincount) ret = 0;
 _smb_setlen(header,ret);
- transfer_file(0,Client,0,header,4+ret,0);
+ transfer_file(0,smbd_server_fd(),0,header,4+ret,0);
 #endif /* UNSAFE_READRAW */
 DEBUG(5,("readbraw finished\n"));
@@ -2403,10 +2402,10 @@ int reply_writebraw(connection_struct *conn, char *inbuf,char *outbuf, int size,
 CVAL(outbuf,smb_com) = SMBwritebraw;
 SSVALS(outbuf,smb_vwv0,-1);
 outsize = set_message(outbuf,Protocol>PROTOCOL_COREPLUS?1:0,0,True);
- send_smb(Client,outbuf);
+ send_smb(smbd_server_fd(),outbuf);
 /* Now read the raw data into the buffer and write it */
- if (read_smb_length(Client,inbuf,SMB_SECONDARY_WAIT) == -1) {
+ if (read_smb_length(smbd_server_fd(),inbuf,SMB_SECONDARY_WAIT) == -1) {
 exit_server("secondary writebraw failed");
 }
@@ -2419,7 +2418,7 @@ int reply_writebraw(connection_struct *conn, char *inbuf,char *outbuf, int size,
 (int)tcount,(int)nwritten,(int)numtowrite));
 }
- nwritten = vfs_transfer_file(Client, NULL, -1, fsp,
+ nwritten = vfs_transfer_file(smbd_server_fd(), NULL, -1, fsp,
 (SMB_OFF_T)numtowrite,NULL,0, startpos+nwritten);
 total_written += nwritten;
@@ -3002,7 +3001,7 @@ int reply_echo(connection_struct *conn,
 smb_setlen(outbuf,outsize - 4);
- send_smb(Client,outbuf);
+ send_smb(smbd_server_fd(),outbuf);
 }
 DEBUG(3,("echo %d times\n", smb_reverb));
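Review bot: The result of `send_smb(smbd_server_fd(),outbuf);` is discarded in reply_writebraw just before the blocking `read_smb_length(..., SMB_SECONDARY_WAIT)`, so a failed interim reply is only noticed once that wait expires. The same unchecked call appears in the reply_echo hunk, where it sits in the echo loop, and in the reply_readbmpx and reply_writebmpx hunks. If send_smb reports failure through its return value, the new lines could test it, for example `if (!send_smb(smbd_server_fd(),outbuf)) exit_server("writebraw: send_smb failed");`. The enclosing functions start and end outside these hunks.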
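Review bot: The value returned by `vfs_transfer_file(smbd_server_fd(), ...)` goes straight into `total_written += nwritten;`, with no visible check for an error or short result in the hunk at -2419. If vfs_transfer_file can return a negative value on a failed socket read or file write, total_written would shrink and a later comparison against the expected count could be misled. A guard such as `if (nwritten < 0) nwritten = 0;` before the accumulation would make the failure path explicit, or the error could be returned directly. The check may already exist below the hunk, since the function body continues outside it.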
@@ -4346,7 +4345,7 @@ int reply_readbmpx(connection_struct *conn, char *inbuf,char *outbuf,int length,
 SSVAL(outbuf,smb_vwv6,nread);
 SSVAL(outbuf,smb_vwv7,smb_offset(data,outbuf));
- send_smb(Client,outbuf);
+ send_smb(smbd_server_fd(),outbuf);
 total_read += nread;
 startpos += nread;
@@ -4437,7 +4436,7 @@ int reply_writebmpx(connection_struct *conn, char *inbuf,char *outbuf, int size,
 if (write_through && tcount==nwritten) {
 /* we need to send both a primary and a secondary response */
 smb_setlen(outbuf,outsize - 4);
- send_smb(Client,outbuf);
+ send_smb(smbd_server_fd(),outbuf);
 /* now the secondary */
 outsize = set_message(outbuf,1,0,True); |