4 files changed, 31 insertions, 8 deletions

diff --git a/docs/manpages/smb.conf.5 b/docs/manpages/smb.conf.5
index 869dbf9ffd..989a395c15 100644
--- a/docs/manpages/smb.conf.5
+++ b/docs/manpages/smb.conf.5
@@ -724,10 +724,11 @@ then the "load printers" option is easier.
 A synonym for this parameter is 'hosts allow'.
 
 This parameter is a comma delimited set of hosts which are permitted to access
-a services. If specified in the [global] section, matching hosts will be
-allowed access to any service that does not specifically exclude them from
-access. Specific services my have their own list, which override those
-specified in the [global] section.
+a service. 
+
+If specified in the [global] section then it will apply to all
+services, regardless of whether the individual service has a different
+setting. 
 
 You can specify the hosts by name or IP number. For example, you could
 restrict access to only the hosts on a Class C subnet with something like
diff --git a/source3/include/proto.h b/source3/include/proto.h
index ac81f8cb37..51433333c5 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -248,6 +248,7 @@ BOOL lp_map_archive(int );
 BOOL lp_locking(int );
 BOOL lp_strict_locking(int );
 BOOL lp_share_modes(int );
+BOOL lp_oplocks(int );
 BOOL lp_onlyuser(int );
 BOOL lp_manglednames(int );
 BOOL lp_widelinks(int );
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 1a9771df22..fb656aa627 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -257,6 +257,7 @@ typedef struct
   BOOL bLocking;
   BOOL bStrictLocking;
   BOOL bShareModes;
+  BOOL bOpLocks;
   BOOL bOnlyUser;
   BOOL bMangledNames;
   BOOL bWidelinks;
@@ -338,6 +339,7 @@ static service sDefault =
   True,  /* bLocking */
   False,  /* bStrictLocking */
   True,  /* bShareModes */
+  True,  /* bOpLocks */
   False, /* bOnlyUser */
   True,  /* bMangledNames */
   True,  /* bWidelinks */
@@ -541,6 +543,7 @@ struct parm_struct
   {"locking",          P_BOOL,    P_LOCAL,  &sDefault.bLocking,         NULL},
   {"strict locking",   P_BOOL,    P_LOCAL,  &sDefault.bStrictLocking,   NULL},
   {"share modes",      P_BOOL,    P_LOCAL,  &sDefault.bShareModes,      NULL},
+  {"oplocks",          P_BOOL,    P_LOCAL,  &sDefault.bOpLocks,         NULL},
   {"only user",        P_BOOL,    P_LOCAL,  &sDefault.bOnlyUser,        NULL},
   {"wide links",       P_BOOL,    P_LOCAL,  &sDefault.bWidelinks,       NULL},
   {"follow symlinks",  P_BOOL,    P_LOCAL,  &sDefault.bSymlinks,        NULL},
@@ -935,6 +938,7 @@ FN_LOCAL_BOOL(lp_map_archive,bMap_archive)
 FN_LOCAL_BOOL(lp_locking,bLocking)
 FN_LOCAL_BOOL(lp_strict_locking,bStrictLocking)
 FN_LOCAL_BOOL(lp_share_modes,bShareModes)
+FN_LOCAL_BOOL(lp_oplocks,bOpLocks)
 FN_LOCAL_BOOL(lp_onlyuser,bOnlyUser)
 FN_LOCAL_BOOL(lp_manglednames,bMangledNames)
 FN_LOCAL_BOOL(lp_widelinks,bWidelinks)
@@ -1138,6 +1142,8 @@ BOOL lp_add_printer(char *pszPrintername, int iDefaultService)
   iSERVICE(i).bRead_only = False;
   /* No share modes on printer services. */
   iSERVICE(i).bShareModes = False;
+  /* No oplocks on printer services. */
+  iSERVICE(i).bOpLocks = False;
   /* Printer services must be printable. */
   iSERVICE(i).bPrint_ok = True;
   
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index b9bdbaa655..7b04d228c3 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -1841,7 +1841,7 @@ dev = %x, inode = %x\n", old_shares[i].op_type, fname, dev, inode));
          be extended to level II oplocks (multiple reader
          oplocks). */
 
-      if(oplock_request && (num_share_modes == 0))
+      if(oplock_request && (num_share_modes == 0) && lp_oplocks(SNUM(cnum)))
       {
         fs_p->granted_oplock = True;
         global_oplocks_open++;
@@ -2412,12 +2412,27 @@ static BOOL open_sockets(BOOL is_daemon,int port)
 static void process_smb(char *inbuf, char *outbuf)
 {
   extern int Client;
-  static int trans_num = 0;
-
+  static int trans_num;
   int msg_type = CVAL(inbuf,0);
-  int32 len = smb_len(outbuf);
+  int32 len = smb_len(inbuf);
   int nread = len + 4;
 
+  if (trans_num == 0) {
+	  /* on the first packet, check the global hosts allow/ hosts
+	     deny parameters before doing any parsing of the packet
+	     passed to us by the client.  This prevents attacks on our
+	     parsing code from hosts not in the hosts allow list */
+	  if (!check_access(-1)) {
+		  /* send a negative session response "not listining on calling
+		   name" */
+		  static unsigned char buf[5] = {0x83, 0, 0, 1, 0x81};
+		  DEBUG(1,("%s Connection denied from %s\n",
+			   timestring(),client_addr()));
+		  send_smb(Client,buf);
+		  exit_server("connection denied");
+	  }
+  }
+
   DEBUG(6,("got message type 0x%x of len 0x%x\n",msg_type,len));
   DEBUG(3,("%s Transaction %d of length %d\n",timestring(),trans_num,nread));