summaryrefslogtreecommitdiff
path: root/source3/smbd
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2005-03-30 20:53:02 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:56:24 -0500
commitf1977014f4f239e174b97cba7d4810c01a4581d1 (patch)
tree1dde3ff1f90d203950d0bcd572ae25ee75cef1d3 /source3/smbd
parent934d41d23956c663406ff9d68e5a8ba9d81b5096 (diff)
downloadsamba-f1977014f4f239e174b97cba7d4810c01a4581d1.tar.gz
samba-f1977014f4f239e174b97cba7d4810c01a4581d1.tar.bz2
samba-f1977014f4f239e174b97cba7d4810c01a4581d1.zip
r6138: Refactor length reading out of EA code so we can read length
external to buffer. Needed to add EA code to create calls. Jeremy. (This used to be commit 7c4262d6ba48695c2622ea2eba8da6ac889ce543)
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/trans2.c37
1 files changed, 22 insertions, 15 deletions
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 163cfbd5e3..7071676212 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -387,7 +387,7 @@ static NTSTATUS set_ea(connection_struct *conn, files_struct *fsp, const char *f
static struct ea_list *read_ea_name_list(TALLOC_CTX *ctx, const char *pdata, size_t data_size)
{
struct ea_list *ea_list_head = NULL;
- size_t offset = 4;
+ size_t offset = 0;
while (offset + 2 < data_size) {
struct ea_list *tmp;
@@ -426,17 +426,12 @@ static struct ea_list *read_ea_name_list(TALLOC_CTX *ctx, const char *pdata, siz
static struct ea_list *read_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t data_size)
{
struct ea_list *ea_list_head = NULL;
- size_t offset = 4;
+ size_t offset = 0;
if (data_size < 10) {
return NULL;
}
- if (IVAL(pdata,0) > data_size) {
- DEBUG(10,("read_ea_list: bad total data size (%u) > %u\n", IVAL(pdata,0), (unsigned int)data_size));
- return NULL;
- }
-
/* Each entry must be at least 6 bytes in length. */
while (offset + 6 <= data_size) {
struct ea_list *tmp;
@@ -1589,11 +1584,11 @@ close_if_end = %d requires_resume_key = %d level = 0x%x, max_data_bytes = %d\n",
if (info_level == SMB_FIND_EA_LIST) {
uint32 ea_size;
-
+
if (total_data < 4) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
-
+
ea_size = IVAL(pdata,0);
if (ea_size != total_data) {
DEBUG(4,("call_trans2findfirst: Rejecting EA request with incorrect \
@@ -1610,7 +1605,7 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
}
/* Pull out the list of names. */
- ea_list = read_ea_name_list(ea_ctx, pdata, ea_size);
+ ea_list = read_ea_name_list(ea_ctx, pdata + 4, ea_size - 4);
if (!ea_list) {
talloc_destroy(ea_ctx);
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
@@ -1863,9 +1858,9 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
if ((ea_ctx = talloc_init("findnext_ea_list")) == NULL) {
return ERROR_NT(NT_STATUS_NO_MEMORY);
}
-
+
/* Pull out the list of names. */
- ea_list = read_ea_name_list(ea_ctx, pdata, ea_size);
+ ea_list = read_ea_name_list(ea_ctx, pdata + 4, ea_size - 4);
if (!ea_list) {
talloc_destroy(ea_ctx);
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
@@ -2772,7 +2767,7 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
}
/* Pull out the list of names. */
- ea_list = read_ea_name_list(ea_ctx, pdata, ea_size);
+ ea_list = read_ea_name_list(ea_ctx, pdata + 4, ea_size - 4);
if (!ea_list) {
talloc_destroy(ea_ctx);
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
@@ -3644,11 +3639,23 @@ static int call_trans2setfilepathinfo(connection_struct *conn, char *inbuf, char
case SMB_INFO_SET_EA:
{
struct ea_list *ea_list = NULL;
- TALLOC_CTX *ctx = talloc_init("SMB_INFO_SET_EA");
+ TALLOC_CTX *ctx = NULL;
+
+ if (total_data < 10) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ if (IVAL(pdata,0) > total_data) {
+ DEBUG(10,("call_trans2setfilepathinfo: bad total data size (%u) > %u\n",
+ IVAL(pdata,0), (unsigned int)total_data));
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ ctx = talloc_init("SMB_INFO_SET_EA");
if (!ctx) {
return ERROR_NT(NT_STATUS_NO_MEMORY);
}
- ea_list = read_ea_list(ctx, pdata, total_data);
+ ea_list = read_ea_list(ctx, pdata + 4, total_data - 4);
if (!ea_list) {
talloc_destroy(ctx);
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);