summaryrefslogtreecommitdiff
path: root/source3/smbd
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2007-11-07 21:47:00 -0800
committerJeremy Allison <jra@samba.org>2007-11-07 21:47:00 -0800
commitae74aa9993863be8f75f203201b338e98824ce06 (patch)
tree206294f8511781b5729d7c05245b9eb216b98a01 /source3/smbd
parent30a48a5c6c22484c6c06830e404242c1caa47d88 (diff)
downloadsamba-ae74aa9993863be8f75f203201b338e98824ce06.tar.gz
samba-ae74aa9993863be8f75f203201b338e98824ce06.tar.bz2
samba-ae74aa9993863be8f75f203201b338e98824ce06.zip
Constrain "min receivefile size" to max of BUFFER_SIZE
(128k). Add debug error messages so we can see why writeX large is denied. Ensure we don't allow recvfile writes on IPC$. Jeremy. (This used to be commit 6bf053a6a17749a3bc73c8cc5fd490aa5f93b763)
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/reply.c22
1 files changed, 20 insertions, 2 deletions
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 1b36fb1e44..45081808e1 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3856,16 +3856,24 @@ bool is_valid_writeX_buffer(const char *inbuf)
unsigned int doff = 0;
size_t len = smb_len_large(inbuf);
- if (CVAL(inbuf,smb_com) != SMBwriteX ||
- CVAL(inbuf,smb_vwv0) != 0xFF ||
+ if (CVAL(inbuf,smb_com) != SMBwriteX) {
+ return false;
+ }
+
+ if (CVAL(inbuf,smb_vwv0) != 0xFF ||
CVAL(inbuf,smb_wct) != 14) {
+ DEBUG(10,("is_valid_writeX_buffer: chained or "
+ "invalid word length.\n"));
return false;
}
+
conn = conn_find(SVAL(inbuf, smb_tid));
if (conn == NULL) {
+ DEBUG(10,("is_valid_writeX_buffer: bad tid\n"));
return false;
}
if (IS_IPC(conn)) {
+ DEBUG(10,("is_valid_writeX_buffer: IPC$ tid\n"));
return false;
}
doff = SVAL(inbuf,smb_vwv11);
@@ -3877,12 +3885,16 @@ bool is_valid_writeX_buffer(const char *inbuf)
}
if (numtowrite == 0) {
+ DEBUG(10,("is_valid_writeX_buffer: zero write\n"));
return false;
}
/* Ensure the sizes match up. */
if (doff < STANDARD_WRITE_AND_X_HEADER_SIZE) {
/* no pad byte...old smbclient :-( */
+ DEBUG(10,("is_valid_writeX_buffer: small doff %u (min %u)\n",
+ (unsigned int)doff,
+ (unsigned int)STANDARD_WRITE_AND_X_HEADER_SIZE));
return false;
}
@@ -3939,6 +3951,12 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req)
}
if (req->unread_bytes) {
+ /* Can't do a recvfile write on IPC$ */
+ if (IS_IPC(conn)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwriteX);
+ return;
+ }
if (numtowrite != req->unread_bytes) {
reply_doserror(req, ERRDOS, ERRbadmem);
END_PROFILE(SMBwriteX);