authorJeremy Allison <jra@samba.org>2011-08-30 17:37:19 -0700
committerJeremy Allison <jra@samba.org>2011-08-31 21:18:11 +0200
commit786fe9fab223723e4d2340f285592b2a44945d73 (patch)
tree018330b8cb347076f7d4c9dea7630c852f8a02d2 /source3/smbd
parent726b4685aa25b0b3b4470bfec5d514fb2db7a95e (diff)
Fix bug 8429 - Compound SMB2 requests on an IPC connection can corrupt the reply stream.
Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Wed Aug 31 21:18:11 CEST 2011 on sn-devel-104
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/smb2_server.c29
1 files changed, 17 insertions, 12 deletions
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index d29b055b29..fa4801c377 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -904,7 +904,7 @@ NTSTATUS smbd_smb2_request_pending_queue(struct smbd_smb2_request *req,
/* Don't return an intermediate packet on a pipe read/write. */
if (req->tcon && req->tcon->compat_conn && IS_IPC(req->tcon->compat_conn)) {
- return NT_STATUS_OK;
+ goto ipc_out;
}
reqhdr = (uint8_t *)req->out.vector[i].iov_base;
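Review bot: The comment above the IPC check still describes only the old early return, but with `goto ipc_out;` an IPC request now runs the request-trimming code further down the function. I would reword it to say both things, for example `/* No interim reply on a pipe read/write, but still reduce req to the pending request at ipc_out. */`. The body of smbd_smb2_request_pending_queue begins and ends outside this hunk, so the skipped statements are not all visible here.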
@@ -993,6 +993,8 @@ NTSTATUS smbd_smb2_request_pending_queue(struct smbd_smb2_request *req,
/* Note we're going async with this request. */
req->async = true;
+ ipc_out:
+
/*
* Now manipulate req so that the outstanding async request
* is the only one left in the struct smbd_smb2_request.
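Review bot: The name `ipc_out` reads like an exit path, yet the non-IPC path falls through the label as well and the function continues for some distance after it. Because the label sits after `req->async = true;`, the IPC path arrives with `req->async` unchanged, and the guard added later in the function depends on that. A one-line comment at the label would record the invariant, such as `/* IPC requests join here: no interim reply was queued and req->async was not set above. */`. The rest of the function lies outside this hunk.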
@@ -1040,19 +1042,22 @@ NTSTATUS smbd_smb2_request_pending_queue(struct smbd_smb2_request *req,
smb2_setup_nbt_length(req->out.vector,
req->out.vector_count);
- /* Ensure our final reply matches the interim one. */
- reqhdr = (uint8_t *)req->out.vector[1].iov_base;
- SIVAL(reqhdr, SMB2_HDR_FLAGS, flags | SMB2_HDR_FLAG_ASYNC);
- SBVAL(reqhdr, SMB2_HDR_PID, async_id);
+ if (req->async) {
+ /* Ensure our final reply matches the interim one. */
+ reqhdr = (uint8_t *)req->out.vector[1].iov_base;
+ SIVAL(reqhdr, SMB2_HDR_FLAGS, flags | SMB2_HDR_FLAG_ASYNC);
+ SBVAL(reqhdr, SMB2_HDR_PID, async_id);
- {
- const uint8_t *inhdr =
- (const uint8_t *)req->in.vector[1].iov_base;
- DEBUG(10,("smbd_smb2_request_pending_queue: opcode[%s] mid %llu "
- "going async\n",
- smb2_opcode_name((uint16_t)IVAL(inhdr, SMB2_HDR_OPCODE)),
- (unsigned long long)async_id ));
+ {
+ const uint8_t *inhdr =
+ (const uint8_t *)req->in.vector[1].iov_base;
+ DEBUG(10,("smbd_smb2_request_pending_queue: opcode[%s] mid %llu "
+ "going async\n",
+ smb2_opcode_name((uint16_t)IVAL(inhdr, SMB2_HDR_OPCODE)),
+ (unsigned long long)async_id ));
+ }
}
+
return NT_STATUS_OK;
}
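Review bot: The new `if (req->async)` guard uses the async flag as a stand-in for "the interim reply was built", but `flags` and `async_id` appear to be assigned only in the code that `goto ipc_out` jumps over. If an IPC request can ever reach the label with `req->async` already true, `SIVAL(reqhdr, SMB2_HDR_FLAGS, flags | SMB2_HDR_FLAG_ASYNC)` and `SBVAL(reqhdr, SMB2_HDR_PID, async_id)` would write indeterminate values into the reply header. The declarations and any earlier `req->async` check are outside the visible hunks, so this needs confirming against the full function. Initialising both at their declarations (`uint32_t flags = 0;`, `uint64_t async_id = 0;`, assuming those are their types) or setting a local flag on the non-IPC path and testing that instead would make the dependency explicit. Also note that the level-10 "going async" DEBUG no longer fires for IPC requests, so that path leaves no trace in the log.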