diff options
author | Jeremy Allison <jra@samba.org> | 2011-08-30 17:37:19 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2011-08-31 21:18:11 +0200 |
commit | 786fe9fab223723e4d2340f285592b2a44945d73 (patch) | |
tree | 018330b8cb347076f7d4c9dea7630c852f8a02d2 /source3 | |
parent | 726b4685aa25b0b3b4470bfec5d514fb2db7a95e (diff) | |
download | samba-786fe9fab223723e4d2340f285592b2a44945d73.tar.gz samba-786fe9fab223723e4d2340f285592b2a44945d73.tar.bz2 samba-786fe9fab223723e4d2340f285592b2a44945d73.zip |
Fix bug 8429 - Compound SMB2 requests on an IPC connection can corrupt the reply stream.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Aug 31 21:18:11 CEST 2011 on sn-devel-104
Diffstat (limited to 'source3')
-rw-r--r-- | source3/smbd/smb2_server.c | 29 |
1 files changed, 17 insertions, 12 deletions
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c index d29b055b29..fa4801c377 100644 --- a/source3/smbd/smb2_server.c +++ b/source3/smbd/smb2_server.c @@ -904,7 +904,7 @@ NTSTATUS smbd_smb2_request_pending_queue(struct smbd_smb2_request *req, /* Don't return an intermediate packet on a pipe read/write. */ if (req->tcon && req->tcon->compat_conn && IS_IPC(req->tcon->compat_conn)) { - return NT_STATUS_OK; + goto ipc_out; } reqhdr = (uint8_t *)req->out.vector[i].iov_base; @@ -993,6 +993,8 @@ NTSTATUS smbd_smb2_request_pending_queue(struct smbd_smb2_request *req, /* Note we're going async with this request. */ req->async = true; + ipc_out: + /* * Now manipulate req so that the outstanding async request * is the only one left in the struct smbd_smb2_request. @@ -1040,19 +1042,22 @@ NTSTATUS smbd_smb2_request_pending_queue(struct smbd_smb2_request *req, smb2_setup_nbt_length(req->out.vector, req->out.vector_count); - /* Ensure our final reply matches the interim one. */ - reqhdr = (uint8_t *)req->out.vector[1].iov_base; - SIVAL(reqhdr, SMB2_HDR_FLAGS, flags | SMB2_HDR_FLAG_ASYNC); - SBVAL(reqhdr, SMB2_HDR_PID, async_id); + if (req->async) { + /* Ensure our final reply matches the interim one. */ + reqhdr = (uint8_t *)req->out.vector[1].iov_base; + SIVAL(reqhdr, SMB2_HDR_FLAGS, flags | SMB2_HDR_FLAG_ASYNC); + SBVAL(reqhdr, SMB2_HDR_PID, async_id); - { - const uint8_t *inhdr = - (const uint8_t *)req->in.vector[1].iov_base; - DEBUG(10,("smbd_smb2_request_pending_queue: opcode[%s] mid %llu " - "going async\n", - smb2_opcode_name((uint16_t)IVAL(inhdr, SMB2_HDR_OPCODE)), - (unsigned long long)async_id )); + { + const uint8_t *inhdr = + (const uint8_t *)req->in.vector[1].iov_base; + DEBUG(10,("smbd_smb2_request_pending_queue: opcode[%s] mid %llu " + "going async\n", + smb2_opcode_name((uint16_t)IVAL(inhdr, SMB2_HDR_OPCODE)), + (unsigned long long)async_id )); + } } + return NT_STATUS_OK; } |