Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/pipes.c | 45 | ||||
-rw-r--r-- | source3/smbd/reply.c | 47 |
2 files changed, 49 insertions, 43 deletions
diff --git a/source3/smbd/pipes.c b/source3/smbd/pipes.c
index 24e0f47001..cf12b4be4d 100644
--- a/source3/smbd/pipes.c
+++ b/source3/smbd/pipes.c
@@ -183,26 +183,29 @@ int reply_pipe_write(char *inbuf,char *outbuf,int length,int dum_bufsize)
 wrinkles to handle pipes.
 ****************************************************************************/
-int reply_pipe_write_and_X(char *inbuf,char *outbuf,int length,int bufsize)
+void reply_pipe_write_and_X(struct smb_request *req)
 {
- smb_np_struct *p = get_rpc_pipe_p(SVAL(inbuf,smb_vwv2));
- uint16 vuid = SVAL(inbuf,smb_uid);
- size_t numtowrite = SVAL(inbuf,smb_vwv10);
+ smb_np_struct *p = get_rpc_pipe_p(SVAL(req->inbuf,smb_vwv2));
+ size_t numtowrite = SVAL(req->inbuf,smb_vwv10);
 int nwritten = -1;
- int smb_doff = SVAL(inbuf, smb_vwv11);
- BOOL pipe_start_message_raw = ((SVAL(inbuf, smb_vwv7) & (PIPE_START_MESSAGE|PIPE_RAW_MODE)) == (PIPE_START_MESSAGE|PIPE_RAW_MODE));
+ int smb_doff = SVAL(req->inbuf, smb_vwv11);
+ BOOL pipe_start_message_raw =
+ ((SVAL(req->inbuf, smb_vwv7)
+ & (PIPE_START_MESSAGE|PIPE_RAW_MODE))
+ == (PIPE_START_MESSAGE|PIPE_RAW_MODE));
 char *data;
 if (!p) {
- return(ERROR_DOS(ERRDOS,ERRbadfid));
+ reply_doserror(req, ERRDOS, ERRbadfid);
+ return;
 }
- if (p->vuid != vuid) {
- return ERROR_NT(NT_STATUS_INVALID_HANDLE);
+ if (p->vuid != req->vuid) {
+ reply_nterror(req, NT_STATUS_INVALID_HANDLE);
+ return;
 }
- data = smb_base(inbuf) + smb_doff;
+ data = smb_base(req->inbuf) + smb_doff;
 if (numtowrite == 0) {
 nwritten = 0;
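Review bot: `data = smb_base(req->inbuf) + smb_doff;` on the new side still takes `smb_doff` and `numtowrite` straight from the client without comparing them to `smb_len(req->inbuf)`; the only thing keeping that pointer inside the buffer is that reply_write_and_X in the reply.c hunk now runs its `smb_doff + numtowrite > smblen` check before the IS_IPC dispatch. That ordering is an unstated precondition of this function and deserves a comment so a later reorder cannot silently remove it, e.g. above the signature: `/* Precondition: the caller has already verified that smb_doff (smb_vwv11) and numtowrite (smb_vwv10) lie within smb_len(req->inbuf); no bounds check is done here. */`. The same point applies to the first reply.c hunk, where a one-line comment on the moved check, `/* Validate the client's data offset/length before either the pipe or the file path dereferences them */`, would record why it now precedes the IPC dispatch. reply_pipe_write_and_X continues past the end of this hunk.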
@@ -214,9 +217,12 @@ int reply_pipe_write_and_X(char *inbuf,char *outbuf,int length,int bufsize)
 * them (we don't trust the client). JRA. */
 if(numtowrite < 2) {
- DEBUG(0,("reply_pipe_write_and_X: start of message set and not enough data sent.(%u)\n",
- (unsigned int)numtowrite ));
- return (UNIXERROR(ERRDOS,ERRnoaccess));
+ DEBUG(0,("reply_pipe_write_and_X: start of "
+ "message set and not enough data "
+ "sent.(%u)\n",
+ (unsigned int)numtowrite ));
+ reply_unixerror(req, ERRDOS, ERRnoaccess);
+ return;
 }
 data += 2;
@@ -226,17 +232,18 @@ int reply_pipe_write_and_X(char *inbuf,char *outbuf,int length,int bufsize)
 }
 if ((nwritten == 0 && numtowrite != 0) || (nwritten < 0)) {
- return (UNIXERROR(ERRDOS,ERRnoaccess));
+ reply_unixerror(req, ERRDOS,ERRnoaccess);
+ return;
 }
-
- set_message(inbuf,outbuf,6,0,True);
+
+ reply_outbuf(req, 6, 0);
 nwritten = (pipe_start_message_raw ? nwritten + 2 : nwritten);
- SSVAL(outbuf,smb_vwv2,nwritten);
+ SSVAL(req->outbuf,smb_vwv2,nwritten);
 DEBUG(3,("writeX-IPC pnum=%04x nwritten=%d\n", p->pnum, nwritten));
- return chain_reply(inbuf,&outbuf,length,bufsize);
+ chain_reply_new(req);
 }
 /****************************************************************************
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 30b90a6459..e4fbc839ff 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
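Review bot: `reply_unixerror(req, ERRDOS,ERRnoaccess);` in the hunk at @@ -226,17 drops the space after `ERRDOS,` that the identical call added in the hunk just above it has (`reply_unixerror(req, ERRDOS, ERRnoaccess);`); both lines are new, so they should be written the same way. A small consistency point, but these two error paths will be read side by side by whoever next touches the pipe write path. The enclosing function begins before the first of these two hunks.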
@@ -3289,35 +3289,39 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req)
 START_PROFILE(SMBwriteX);
- if (!reply_prep_legacy(req, &inbuf, &outbuf, &length, &bufsize)) {
- reply_nterror(req, NT_STATUS_NO_MEMORY);
+ if ((req->wct != 12) && (req->wct != 14)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 END_PROFILE(SMBwriteX);
 return;
 }
- if ((CVAL(inbuf, smb_wct) != 12) && (CVAL(inbuf, smb_wct) != 14)) {
- reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ numtowrite = SVAL(req->inbuf,smb_vwv10);
+ smb_doff = SVAL(req->inbuf,smb_vwv11);
+ smblen = smb_len(req->inbuf);
+ large_writeX = ((req->wct == 14) && (smblen > 0xFFFF));
+
+ /* Deal with possible LARGE_WRITEX */
+ if (large_writeX) {
+ numtowrite |= ((((size_t)SVAL(req->inbuf,smb_vwv9)) & 1 )<<16);
+ }
+
+ if(smb_doff > smblen || (smb_doff + numtowrite > smblen)) {
+ reply_doserror(req, ERRDOS, ERRbadmem);
 END_PROFILE(SMBwriteX);
 return;
 }
- fsp = file_fsp(SVAL(inbuf,smb_vwv2));
- startpos = IVAL_TO_SMB_OFF_T(inbuf,smb_vwv3);
- numtowrite = SVAL(inbuf,smb_vwv10);
- write_through = BITSETW(inbuf+smb_vwv7,0);
- smb_doff = SVAL(inbuf,smb_vwv11);
- smblen = smb_len(inbuf);
- large_writeX = ((CVAL(inbuf,smb_wct) == 14) && (smblen > 0xFFFF));
-
 /* If it's an IPC, pass off the pipe handler. */
 if (IS_IPC(conn)) {
- reply_post_legacy(
- req,
- reply_pipe_write_and_X(inbuf,outbuf,length,bufsize));
+ reply_pipe_write_and_X(req);
 END_PROFILE(SMBwriteX);
 return;
 }
+ fsp = file_fsp(SVAL(req->inbuf,smb_vwv2));
+ startpos = IVAL_TO_SMB_OFF_T(req->inbuf,smb_vwv3);
+ write_through = BITSETW(req->inbuf+smb_vwv7,0);
+
 if (!check_fsp(conn, req, fsp, ¤t_user)) {
 END_PROFILE(SMBwriteX);
 return;
@@ -3329,19 +3333,14 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req)
 return;
 }
- set_message(inbuf, outbuf, 6, 0, True);
-
- /* Deal with possible LARGE_WRITEX */
- if (large_writeX) {
- numtowrite |= ((((size_t)SVAL(inbuf,smb_vwv9)) & 1 )<<16);
- }
-
- if(smb_doff > smblen || (smb_doff + numtowrite > smblen)) {
- reply_doserror(req, ERRDOS, ERRbadmem);
+ if (!reply_prep_legacy(req, &inbuf, &outbuf, &length, &bufsize)) {
+ reply_nterror(req, NT_STATUS_NO_MEMORY);
 END_PROFILE(SMBwriteX);
 return;
 }
+ set_message(inbuf, outbuf, 6, 0, True);
+
 data = smb_base(inbuf) + smb_doff;
 if(CVAL(inbuf,smb_wct) == 14) {
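Review bot: The offset/length check that this commit moves to the top of reply_write_and_X is evaluated against `req->inbuf`, but after the added `reply_prep_legacy(req, &inbuf, &outbuf, &length, &bufsize)` call the write path continues with `data = smb_base(inbuf) + smb_doff;`, so the check only protects this line if `inbuf` is the same buffer (or a same-length copy) as `req->inbuf` — reply_prep_legacy is not in this diff, so I cannot confirm that from here. A one-line comment on the `set_message` line, `/* inbuf is req->inbuf as handed back by reply_prep_legacy; smb_doff/numtowrite were bounds-checked against it above */`, would make the dependency explicit if that is indeed the contract. Since the new code uses `req->wct` earlier in the function, the context line `if(CVAL(inbuf,smb_wct) == 14)` could also read `req->wct` for consistency; that is a style point only. reply_write_and_X continues past the end of this hunk.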