summaryrefslogtreecommitdiff
path: root/source3/smbd/smb2_find.c
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2010-04-29 13:40:25 -0700
committerJeremy Allison <jra@samba.org>2010-04-29 13:40:25 -0700
commit1f69a7a80eb9057498a4805b883158dc1ce25901 (patch)
treebf7925808d94b6749ecbd613975e4db6e45f7bcc /source3/smbd/smb2_find.c
parentca860e4279a247a852f55d5226f916d1e956820a (diff)
downloadsamba-1f69a7a80eb9057498a4805b883158dc1ce25901.tar.gz
samba-1f69a7a80eb9057498a4805b883158dc1ce25901.tar.bz2
samba-1f69a7a80eb9057498a4805b883158dc1ce25901.zip
Attempt to fix bug #7399 - SMB2: QUERY_DIRECTORY is returning invalid values.
Based on an initial patch from Ira Cooper <samba@ira.wakeful.net>. Jeremy.
Diffstat (limited to 'source3/smbd/smb2_find.c')
-rw-r--r--source3/smbd/smb2_find.c26
1 files changed, 22 insertions, 4 deletions
diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c
index 546aed8db3..66be7562e8 100644
--- a/source3/smbd/smb2_find.c
+++ b/source3/smbd/smb2_find.c
@@ -89,6 +89,17 @@ NTSTATUS smbd_smb2_request_process_find(struct smbd_smb2_request *req)
return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
}
+ /* The output header is 8 bytes. */
+ if (in_output_buffer_length <= 8) {
+ return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+ }
+
+ DEBUG(10,("smbd_smb2_request_find_done: in_output_buffer_length = %u\n",
+ (unsigned int)in_output_buffer_length ));
+
+ /* Take into account the output header. */
+ in_output_buffer_length -= 8;
+
in_file_name_buffer.data = (uint8_t *)req->in.vector[i+2].iov_base;
in_file_name_buffer.length = in_file_name_length;
@@ -172,6 +183,9 @@ static void smbd_smb2_request_find_done(struct tevent_req *subreq)
SIVAL(outbody.data, 0x04,
out_output_buffer.length); /* output buffer length */
+ DEBUG(10,("smbd_smb2_request_find_done: out_output_buffer.length = %u\n",
+ (unsigned int)out_output_buffer.length ));
+
outdyn = out_output_buffer;
error = smbd_smb2_request_done(req, outbody, &outdyn);
@@ -210,7 +224,7 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
char *base_data;
char *end_data;
int last_entry_off = 0;
- uint64_t off = 0;
+ int off = 0;
uint32_t num = 0;
uint32_t dirtype = aHIDDEN | aSYSTEM | aDIR;
const char *directory;
@@ -364,8 +378,10 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
off = 0;
num = 0;
- DEBUG(8,("smbd_smb2_find_send: dirpath=<%s> dontdescend=<%s>\n",
- directory, lp_dontdescend(SNUM(conn))));
+ DEBUG(8,("smbd_smb2_find_send: dirpath=<%s> dontdescend=<%s>, "
+ "in_output_buffer_length = %u\n",
+ directory, lp_dontdescend(SNUM(conn)),
+ (unsigned int)in_output_buffer_length ));
if (in_list(directory,lp_dontdescend(SNUM(conn)),conn->case_sensitive)) {
dont_descend = true;
}
@@ -380,6 +396,8 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
bool out_of_space = false;
int space_remaining = in_output_buffer_length - off;
+ SMB_ASSERT(space_remaining >= 0);
+
ok = smbd_dirptr_lanman2_entry(state,
conn,
fsp->dptr,
@@ -401,7 +419,7 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
&last_entry_off,
NULL);
- off = PTR_DIFF(pdata, base_data);
+ off = (int)PTR_DIFF(pdata, base_data);
if (!ok) {
if (num > 0) {
generated by cgit (git 2.34.1) at 2024-06-02 11:12:44 +0000