author | Jeremy Allison <jra@samba.org> | 2001-05-24 19:28:22 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2001-05-24 19:28:22 +0000 |
commit | 9ff6634db923da17b0946141abf3ce7df61a0dab (patch) | |
tree | 229410ba018228a830faa7128b3dd5b0e22ba8b0 /source3/smbd | |
parent | 00cdd8cfa2cadb89c4502b061d9889998025ab9a (diff) | |
Fixup the large_writex problem (a large_writex can send a full 64k of data,
we already have space for this we just need to understand the length correctly).
Jeremy.
(This used to be commit 19145bae720bbcc32dcab380c62a33d1f0e3eef0)
Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/oplock.c | 4 | ||||
-rw-r--r-- | source3/smbd/process.c | 6 | ||||
-rw-r--r-- | source3/smbd/reply.c | 5 |
3 files changed, 8 insertions, 7 deletions
diff --git a/source3/smbd/oplock.c b/source3/smbd/oplock.c
index e0b494017a..ac0836324b 100644
--- a/source3/smbd/oplock.c
+++ b/source3/smbd/oplock.c
@@ -676,13 +676,13 @@ static BOOL oplock_break(SMB_DEV_T dev, SMB_INO_T inode, struct timeval *tval, B
 messages crossing on the wire. */
- if((inbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN))==NULL)
+ if((inbuf = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN))==NULL)
 {
 DEBUG(0,("oplock_break: malloc fail for input buffer.\n"));
 return False;
 }
- if((outbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN))==NULL)
+ if((outbuf = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN))==NULL)
 {
 DEBUG(0,("oplock_break: malloc fail for output buffer.\n"));
 free(inbuf);
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index ac5454c48c..74c0cbc96f 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1184,8 +1184,8 @@ void smbd_process(void)
 time_t last_timeout_processing_time = time(NULL);
 unsigned int num_smbs = 0;
- InBuffer = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
- OutBuffer = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
+ InBuffer = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN);
+ OutBuffer = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN);
 if ((InBuffer == NULL) || (OutBuffer == NULL)) return;
@@ -1208,7 +1208,7 @@ void smbd_process(void)
 lp_talloc_free();
 main_loop_talloc_free();
- while (!receive_message_or_smb(InBuffer,BUFFER_SIZE,select_timeout)) {
+ while (!receive_message_or_smb(InBuffer,BUFFER_SIZE+LARGE_WRITEX_HDR_SIZE,select_timeout)) {
 if(!timeout_processing( deadtime, &select_timeout, &last_timeout_processing_time)) return;
 num_smbs = 0; /* Reset smb counter. */
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index b43512329e..914f1801d2 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
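Review bot: The allocation size `BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN` is now spelled out at four malloc() sites (inbuf/outbuf in the oplock_break hunk, InBuffer/OutBuffer in the first smbd_process hunk), while the receive limit in the second smbd_process hunk writes `BUFFER_SIZE+LARGE_WRITEX_HDR_SIZE` separately, so nothing ties the length a client may send to the size that was allocated. If one site is later edited without the others, the receive path can write past the heap buffer. I would define the bound once, e.g. `#define SMB_RECV_MAX (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)` (the name is only a suggestion), allocate with `malloc(SMB_RECV_MAX + SAFETY_MARGIN)`, and pass `SMB_RECV_MAX` to `receive_message_or_smb()`. The read that fills `inbuf` inside oplock_break lies outside the hunk and the diffstat is limited to source3/smbd, so whether that path enforces the same limit cannot be confirmed from this diff.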
@@ -2665,10 +2665,11 @@ int reply_write_and_X(connection_struct *conn, char *inbuf,char *outbuf,int leng
 {
 files_struct *fsp = file_fsp(inbuf,smb_vwv2);
 SMB_OFF_T startpos = IVAL(inbuf,smb_vwv3);
- size_t numtowrite = SVAL(inbuf,smb_vwv10);
+ size_t numtowrite = SVAL(inbuf,smb_vwv10)|(((size_t)SVAL(inbuf,smb_vwv9))<<16);
 BOOL write_through = BITSETW(inbuf+smb_vwv7,0);
 ssize_t nwritten = -1;
 unsigned int smb_doff = SVAL(inbuf,smb_vwv11);
+ unsigned int smblen = smb_len(inbuf);
 char *data;
 START_PROFILE(SMBwriteX);
@@ -2682,7 +2683,7 @@ int reply_write_and_X(connection_struct *conn, char *inbuf,char *outbuf,int leng
 CHECK_WRITE(fsp);
 CHECK_ERROR(fsp);
- if(smb_doff > smb_len(inbuf)) {
+ if(smb_doff > smblen || (smb_doff + numtowrite > smblen)) {
 END_PROFILE(SMBwriteX);
 return(ERROR(ERRDOS,ERRbadmem));
 } |
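Review bot: The new bound `smb_doff + numtowrite > smblen` in the second hunk can wrap around, so it does not reliably reject an oversized write count. After the first hunk, `numtowrite` carries 32 client-supplied bits (`smb_vwv10` plus `smb_vwv9 << 16`), and on a build where `size_t` is 32 bits the addition overflows and the sum compares as small, which would let the later write read beyond the received packet. Comparing against the remainder avoids the addition entirely: `if(smb_doff > smblen || numtowrite > smblen - smb_doff) {`. Separately, the high word is merged in unconditionally; if `smb_vwv9` is only meaningful once large writeX has been negotiated (not visible here), the `numtowrite` line needs a guard or at least a comment saying why it is safe. The rest of reply_write_and_X, including the write call itself, is outside the diff.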