author | Jeremy Allison <jra@samba.org> | 2010-05-13 15:59:09 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2010-05-13 15:59:09 -0700 |
commit | 056f24ce24ab395cb6fff15cb068c8d8b1affef9 (patch) | |
tree | 3020747e6654c811bf69de63f2add4d9e7caa705 /source3 | |
parent | 49c8c130a0d08be7c869b9a63b5a37488003eac2 (diff) | |
Fix bug 7399 - SMB2: QUERY_DIRECTORY is returning invalid values.
The end_data argument to smbd_dirptr_lanman2_entry() must include
the safety margin, as internally it's actually used to allow detection
of string name pushes that were truncated. Ensure space_remaining can
never go negative due to padding.
Jeremy.
Diffstat (limited to 'source3')
-rw-r--r-- | source3/smbd/smb2_find.c | 6 | ||||
-rw-r--r-- | source3/smbd/trans2.c | 10 |
2 files changed, 15 insertions, 1 deletions
diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c
index 66be7562e8..6690adcb93 100644
--- a/source3/smbd/smb2_find.c
+++ b/source3/smbd/smb2_find.c
@@ -373,7 +373,11 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
 	state->out_output_buffer.length = 0;
 	pdata = (char *)state->out_output_buffer.data;
 	base_data = pdata;
-	end_data = pdata + in_output_buffer_length;
+	/*
+	 * end_data must include the safety margin as it's what is
+	 * used to determine if pushed strings have been truncated.
+	 */
+	end_data = pdata + in_output_buffer_length + DIR_ENTRY_SAFETY_MARGIN - 1;
 	last_entry_off = 0;
 	off = 0;
 	num = 0;
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 5d51a7fb90..3fa737f4b7 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -1523,6 +1523,16 @@ static bool smbd_marshall_dir_entry(TALLOC_CTX *ctx,
 	off = (int)PTR_DIFF(pdata, base_data);
 	pad = (off + (align-1)) & ~(align-1);
 	pad -= off;
+
+	if (pad && pad > space_remaining) {
+		*out_of_space = true;
+		DEBUG(9,("smbd_marshall_dir_entry: out of space "
+			"for padding (wanted %u, had %d)\n",
+			(unsigned int)pad,
+			space_remaining ));
+		return false; /* Not finished - just out of space */
+	}
+
 	off += pad;
 	/* initialize padding to 0 */
 	if (pad) {
|
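Review bot: The new `end_data` arithmetic in smbd_smb2_find_send now points DIR_ENTRY_SAFETY_MARGIN - 1 bytes past in_output_buffer_length, which is only memory-safe if out_output_buffer was allocated with that margin; the allocation is not in this hunk, so that precondition should be stated where it is relied on. The added comment explains why the margin is included but not the `- 1`, and a reader seeing a pointer computed past the requested length will assume an off-by-one unless told otherwise. Suggest extending the comment with something like `/* out_output_buffer is allocated with DIR_ENTRY_SAFETY_MARGIN extra bytes; end_data is the last addressable byte, hence the -1 */`, adjusted to match however the buffer is actually sized. smbd_smb2_find_send begins and ends outside this hunk.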
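Review bot: The guard `if (pad && pad > space_remaining)` in smbd_marshall_dir_entry compares `pad` against `space_remaining`, which the DEBUG format prints with `%d` (signed) while `pad` is cast to `unsigned int` for `%u`; if `pad` is declared as an unsigned type (its declaration is outside the hunk), the usual arithmetic conversions turn a negative `space_remaining` into a large unsigned value and the check silently fails to fire, which is the exact case the commit message says it is closing. Keeping both operands the same signedness, or checking `space_remaining < 0 ||` first, avoids that: `if (pad && (space_remaining < 0 || pad > space_remaining)) {`. The `pad &&` short-circuit also deserves a one-line comment, since it intentionally lets a zero-padding entry through even when space_remaining is already non-positive, and the decrement of space_remaining by `pad` that the description refers to is not visible in this hunk, so its ordering relative to this check cannot be confirmed here. The body of smbd_marshall_dir_entry continues outside the hunk.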