diff options
| author | Jeremy Allison <jra@samba.org> | 2007-11-08 15:13:41 -0800 |
|---|---|---|
| committer | Jeremy Allison <jra@samba.org> | 2007-11-08 15:13:41 -0800 |
| commit | 976b0ec487720982e456f8c3634be3df64882dae (patch) | |
| tree | f7a9883ae8988f42ef98aa612e433e0c9613a03b /source3/smbd | |
| parent | e501c0cd44116ee6e42c14100fea526558c37cb2 (diff) | |
| parent | 128fa582a62ad3e145c2bda93e4f939d5f62885f (diff) | |
| download | samba-976b0ec487720982e456f8c3634be3df64882dae.tar.gz samba-976b0ec487720982e456f8c3634be3df64882dae.tar.bz2 samba-976b0ec487720982e456f8c3634be3df64882dae.zip | |
Merge branch 'v3-2-test' of ssh://jra@git.samba.org/data/git/samba into v3-2-test
(This used to be commit d9335456d23271a4b15b97d24f1b263700a3b9df)
Diffstat (limited to 'source3/smbd')
| -rw-r--r-- | source3/smbd/oplock_irix.c | 4 | ||||
| -rw-r--r-- | source3/smbd/reply.c | 22 |
2 files changed, 22 insertions, 4 deletions
diff --git a/source3/smbd/oplock_irix.c b/source3/smbd/oplock_irix.c index b8d49f03a1..a4ea63bc0a 100644 --- a/source3/smbd/oplock_irix.c +++ b/source3/smbd/oplock_irix.c @@ -121,7 +121,7 @@ static files_struct *irix_oplock_receive_message(fd_set *fds) DEBUG(0,("irix_oplock_receive_message: read of kernel " "notification failed. Error was %s.\n", strerror(errno) )); - set_smb_read_error(SMB_READ_ERROR); + set_smb_read_error(get_srv_read_error(), SMB_READ_ERROR); return NULL; } @@ -141,7 +141,7 @@ static files_struct *irix_oplock_receive_message(fd_set *fds) */ return NULL; } - set_smb_read_error(SMB_READ_ERROR); + set_smb_read_error(get_srv_read_error(), SMB_READ_ERROR); return NULL; } diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 1b36fb1e44..45081808e1 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -3856,16 +3856,24 @@ bool is_valid_writeX_buffer(const char *inbuf) unsigned int doff = 0; size_t len = smb_len_large(inbuf); - if (CVAL(inbuf,smb_com) != SMBwriteX || - CVAL(inbuf,smb_vwv0) != 0xFF || + if (CVAL(inbuf,smb_com) != SMBwriteX) { + return false; + } + + if (CVAL(inbuf,smb_vwv0) != 0xFF || CVAL(inbuf,smb_wct) != 14) { + DEBUG(10,("is_valid_writeX_buffer: chained or " + "invalid word length.\n")); return false; } + conn = conn_find(SVAL(inbuf, smb_tid)); if (conn == NULL) { + DEBUG(10,("is_valid_writeX_buffer: bad tid\n")); return false; } if (IS_IPC(conn)) { + DEBUG(10,("is_valid_writeX_buffer: IPC$ tid\n")); return false; } doff = SVAL(inbuf,smb_vwv11); @@ -3877,12 +3885,16 @@ bool is_valid_writeX_buffer(const char *inbuf) } if (numtowrite == 0) { + DEBUG(10,("is_valid_writeX_buffer: zero write\n")); return false; } /* Ensure the sizes match up. */ if (doff < STANDARD_WRITE_AND_X_HEADER_SIZE) { /* no pad byte...old smbclient :-( */ + DEBUG(10,("is_valid_writeX_buffer: small doff %u (min %u)\n", + (unsigned int)doff, + (unsigned int)STANDARD_WRITE_AND_X_HEADER_SIZE)); return false; } @@ -3939,6 +3951,12 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req) } if (req->unread_bytes) { + /* Can't do a recvfile write on IPC$ */ + if (IS_IPC(conn)) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBwriteX); + return; + } if (numtowrite != req->unread_bytes) { reply_doserror(req, ERRDOS, ERRbadmem); END_PROFILE(SMBwriteX); |