summaryrefslogtreecommitdiff
path: root/source3/smbd
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2001-05-24 19:28:22 +0000
committerJeremy Allison <jra@samba.org>2001-05-24 19:28:22 +0000
commit9ff6634db923da17b0946141abf3ce7df61a0dab (patch)
tree229410ba018228a830faa7128b3dd5b0e22ba8b0 /source3/smbd
parent00cdd8cfa2cadb89c4502b061d9889998025ab9a (diff)
downloadsamba-9ff6634db923da17b0946141abf3ce7df61a0dab.tar.gz
samba-9ff6634db923da17b0946141abf3ce7df61a0dab.tar.bz2
samba-9ff6634db923da17b0946141abf3ce7df61a0dab.zip
Fixup the large_writex problem (a large_writex can send a full 64k of data,
we already have space for this we just need to understand the length correctly). Jeremy. (This used to be commit 19145bae720bbcc32dcab380c62a33d1f0e3eef0)
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/oplock.c4
-rw-r--r--source3/smbd/process.c6
-rw-r--r--source3/smbd/reply.c5
3 files changed, 8 insertions, 7 deletions
diff --git a/source3/smbd/oplock.c b/source3/smbd/oplock.c
index e0b494017a..ac0836324b 100644
--- a/source3/smbd/oplock.c
+++ b/source3/smbd/oplock.c
@@ -676,13 +676,13 @@ static BOOL oplock_break(SMB_DEV_T dev, SMB_INO_T inode, struct timeval *tval, B
messages crossing on the wire.
*/
- if((inbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN))==NULL)
+ if((inbuf = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN))==NULL)
{
DEBUG(0,("oplock_break: malloc fail for input buffer.\n"));
return False;
}
- if((outbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN))==NULL)
+ if((outbuf = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN))==NULL)
{
DEBUG(0,("oplock_break: malloc fail for output buffer.\n"));
free(inbuf);
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index ac5454c48c..74c0cbc96f 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1184,8 +1184,8 @@ void smbd_process(void)
time_t last_timeout_processing_time = time(NULL);
unsigned int num_smbs = 0;
- InBuffer = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
- OutBuffer = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
+ InBuffer = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN);
+ OutBuffer = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN);
if ((InBuffer == NULL) || (OutBuffer == NULL))
return;
@@ -1208,7 +1208,7 @@ void smbd_process(void)
lp_talloc_free();
main_loop_talloc_free();
- while (!receive_message_or_smb(InBuffer,BUFFER_SIZE,select_timeout)) {
+ while (!receive_message_or_smb(InBuffer,BUFFER_SIZE+LARGE_WRITEX_HDR_SIZE,select_timeout)) {
if(!timeout_processing( deadtime, &select_timeout, &last_timeout_processing_time))
return;
num_smbs = 0; /* Reset smb counter. */
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index b43512329e..914f1801d2 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -2665,10 +2665,11 @@ int reply_write_and_X(connection_struct *conn, char *inbuf,char *outbuf,int leng
{
files_struct *fsp = file_fsp(inbuf,smb_vwv2);
SMB_OFF_T startpos = IVAL(inbuf,smb_vwv3);
- size_t numtowrite = SVAL(inbuf,smb_vwv10);
+ size_t numtowrite = SVAL(inbuf,smb_vwv10)|(((size_t)SVAL(inbuf,smb_vwv9))<<16);
BOOL write_through = BITSETW(inbuf+smb_vwv7,0);
ssize_t nwritten = -1;
unsigned int smb_doff = SVAL(inbuf,smb_vwv11);
+ unsigned int smblen = smb_len(inbuf);
char *data;
START_PROFILE(SMBwriteX);
@@ -2682,7 +2683,7 @@ int reply_write_and_X(connection_struct *conn, char *inbuf,char *outbuf,int leng
CHECK_WRITE(fsp);
CHECK_ERROR(fsp);
- if(smb_doff > smb_len(inbuf)) {
+ if(smb_doff > smblen || (smb_doff + numtowrite > smblen)) {
END_PROFILE(SMBwriteX);
return(ERROR(ERRDOS,ERRbadmem));
}