authorJeremy Allison <jra@samba.org>2006-12-27 18:51:09 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:16:44 -0500
commitae7526fd55741ecbb0bd90d47a18578f0baafe87 (patch)
tree935834c33b93a9fabf8ef8191e8ccc359d6792ac /source3/smbd
parentbc112cc46d9dacf2d1cb105d99e1e01ec38c5fa6 (diff)
r20362: Fix valgrind issues where we may read params
before checking length. Found by Volker. Jeremy. (This used to be commit 683c5fce6896236a60145f6d3970566503c39163)
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/trans2.c58
1 files changed, 41 insertions, 17 deletions
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 9f22f65e34..9b6a175a9a 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -1640,13 +1640,13 @@ static int call_trans2findfirst(connection_struct *conn, char *inbuf, char *outb
requested. */
char *params = *pparams;
char *pdata = *ppdata;
- uint32 dirtype = SVAL(params,0);
- int maxentries = SVAL(params,2);
- uint16 findfirst_flags = SVAL(params,4);
- BOOL close_after_first = (findfirst_flags & FLAG_TRANS2_FIND_CLOSE);
- BOOL close_if_end = (findfirst_flags & FLAG_TRANS2_FIND_CLOSE_IF_END);
- BOOL requires_resume_key = (findfirst_flags & FLAG_TRANS2_FIND_REQUIRE_RESUME);
- int info_level = SVAL(params,6);
+ uint32 dirtype;
+ int maxentries;
+ uint16 findfirst_flags;
+ BOOL close_after_first;
+ BOOL close_if_end;
+ BOOL requires_resume_key;
+ int info_level;
pstring directory;
pstring mask;
char *p;
@@ -1669,6 +1669,14 @@ static int call_trans2findfirst(connection_struct *conn, char *inbuf, char *outb
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
+ dirtype = SVAL(params,0);
+ maxentries = SVAL(params,2);
+ findfirst_flags = SVAL(params,4);
+ close_after_first = (findfirst_flags & FLAG_TRANS2_FIND_CLOSE);
+ close_if_end = (findfirst_flags & FLAG_TRANS2_FIND_CLOSE_IF_END);
+ requires_resume_key = (findfirst_flags & FLAG_TRANS2_FIND_REQUIRE_RESUME);
+ info_level = SVAL(params,6);
+
*directory = *mask = 0;
DEBUG(3,("call_trans2findfirst: dirtype = %x, maxentries = %d, close_after_first=%d, \
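Review bot: Nothing at the moved assignments in call_trans2findfirst records that they must stay below the length check, whose condition lies outside this hunk (only its `return ERROR_NT(NT_STATUS_INVALID_PARAMETER);` is visible). The last fixed read is `SVAL(params,6)`, so that guard has to guarantee at least 8 bytes of parameters. A comment such as `/* Fixed fields occupy params[0..7]; read them only after the length check above. */` would keep a later cleanup from folding the reads back into the declarations. The same applies to the block added in call_trans2findnext, where `SVAL(params,10)` needs 12 bytes.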
@@ -1908,15 +1916,15 @@ static int call_trans2findnext(connection_struct *conn, char *inbuf, char *outbu
requested. */
char *params = *pparams;
char *pdata = *ppdata;
- int dptr_num = SVAL(params,0);
- int maxentries = SVAL(params,2);
- uint16 info_level = SVAL(params,4);
- uint32 resume_key = IVAL(params,6);
- uint16 findnext_flags = SVAL(params,10);
- BOOL close_after_request = (findnext_flags & FLAG_TRANS2_FIND_CLOSE);
- BOOL close_if_end = (findnext_flags & FLAG_TRANS2_FIND_CLOSE_IF_END);
- BOOL requires_resume_key = (findnext_flags & FLAG_TRANS2_FIND_REQUIRE_RESUME);
- BOOL continue_bit = (findnext_flags & FLAG_TRANS2_FIND_CONTINUE);
+ int dptr_num;
+ int maxentries;
+ uint16 info_level;
+ uint32 resume_key;
+ uint16 findnext_flags;
+ BOOL close_after_request;
+ BOOL close_if_end;
+ BOOL requires_resume_key;
+ BOOL continue_bit;
BOOL mask_contains_wcard = False;
pstring resume_name;
pstring mask;
@@ -1937,6 +1945,16 @@ static int call_trans2findnext(connection_struct *conn, char *inbuf, char *outbu
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
+ dptr_num = SVAL(params,0);
+ maxentries = SVAL(params,2);
+ info_level = SVAL(params,4);
+ resume_key = IVAL(params,6);
+ findnext_flags = SVAL(params,10);
+ close_after_request = (findnext_flags & FLAG_TRANS2_FIND_CLOSE);
+ close_if_end = (findnext_flags & FLAG_TRANS2_FIND_CLOSE_IF_END);
+ requires_resume_key = (findnext_flags & FLAG_TRANS2_FIND_REQUIRE_RESUME);
+ continue_bit = (findnext_flags & FLAG_TRANS2_FIND_CONTINUE);
+
*mask = *directory = *resume_name = 0;
srvstr_get_path_wcard(inbuf, resume_name, params+12, sizeof(resume_name), -1, STR_TERMINATE, &ntstatus, &mask_contains_wcard);
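Review bot: The context line after the new assignments still passes `-1` as the source length in `srvstr_get_path_wcard(inbuf, resume_name, params+12, sizeof(resume_name), -1, STR_TERMINATE, ...)`, which looks like "scan until the terminator" rather than a bound derived from the received parameter count. If the request carries no terminator, the name parse could read past the end of the parameter block, the same class of over-read this commit fixes for the fixed fields. Assuming `total_params` is in scope here as it is in call_trans2qfsinfo, passing the remaining length `total_params - 12` in place of `-1` would bound the read. The function body continues outside the hunk, so the guard condition and any later use of `params` should be checked the same way.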
@@ -2174,7 +2192,7 @@ static int call_trans2qfsinfo(connection_struct *conn, char *inbuf, char *outbuf
{
char *pdata = *ppdata;
char *params = *pparams;
- uint16 info_level = SVAL(params,0);
+ uint16 info_level;
int data_len, len;
SMB_STRUCT_STAT st;
char *vname = volume_label(SNUM(conn));
@@ -2182,6 +2200,12 @@ static int call_trans2qfsinfo(connection_struct *conn, char *inbuf, char *outbuf
char *fstype = lp_fstype(SNUM(conn));
int quota_flag = 0;
+ if (total_params < 2) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ info_level = SVAL(params,0);
+
DEBUG(3,("call_trans2qfsinfo: level = %d\n", info_level));
if(SMB_VFS_STAT(conn,".",&st)!=0) {