summaryrefslogtreecommitdiff
path: root/source3/smbd
diff options
context:
space:
mode:
authorVolker Lendecke <vl@samba.org>2011-08-11 16:52:22 +0200
committerVolker Lendecke <vlendec@samba.org>2011-08-14 08:48:58 +0200
commit1022c28e15acfc68aedc8b6853417d2f1f357f2a (patch)
tree8e1dfb49aeea01896ecfe35bcbbbccf79ac74b34 /source3/smbd
parentd2d2e7ab0228c1a753555f87d1d40743e366a00a (diff)
downloadsamba-1022c28e15acfc68aedc8b6853417d2f1f357f2a.tar.gz
samba-1022c28e15acfc68aedc8b6853417d2f1f357f2a.tar.bz2
samba-1022c28e15acfc68aedc8b6853417d2f1f357f2a.zip
s3: Fix bug 8360
OS/2 sends an unexpected write&x/read&x chain Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Sun Aug 14 08:48:58 CEST 2011 on sn-devel-104
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/process.c23
1 files changed, 16 insertions, 7 deletions
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index f542dcd84f..6d391df4e0 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -2025,15 +2025,24 @@ void chain_reply(struct smb_request *req)
SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, smblen);
/*
- * Check if the client tries to fool us. The request so far uses the
- * space to the end of the byte buffer in the request just
- * processed. The chain_offset can't point into that area. If that was
- * the case, we could end up with an endless processing of the chain,
- * we would always handle the same request.
+ * Check if the client tries to fool us. The chain offset
+ * needs to point beyond the current request in the chain, it
+ * needs to strictly grow. Otherwise we might be tricked into
+ * an endless loop always processing the same request over and
+ * over again. We used to assume that vwv and the byte buffer
+ * array in a chain are always attached, but OS/2 the
+ * Write&X/Read&X chain puts the Read&X vwv array right behind
+ * the Write&X vwv chain. The Write&X bcc array is put behind
+ * the Read&X vwv array. So now we check whether the chain
+ * offset points strictly behind the previous vwv
+ * array. req->buf points right after the vwv array of the
+ * previous request. See
+ * https://bugzilla.samba.org/show_bug.cgi?id=8360 for more
+ * information.
*/
- already_used = PTR_DIFF(req->buf+req->buflen, smb_base(req->inbuf));
- if (chain_offset < already_used) {
+ already_used = PTR_DIFF(req->buf, smb_base(req->inbuf));
+ if (chain_offset <= already_used) {
goto error;
}