Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/connection.c6
-rw-r--r--source3/smbd/process.c12
-rw-r--r--source3/smbd/srvstr.c44
3 files changed, 57 insertions, 5 deletions
diff --git a/source3/smbd/connection.c b/source3/smbd/connection.c
index a7636e889e..17b5be8a7b 100644
--- a/source3/smbd/connection.c
+++ b/source3/smbd/connection.c
@@ -171,14 +171,14 @@ BOOL claim_connection(connection_struct *conn, const char *name,int max_connecti
if (conn) {
crec.uid = conn->uid;
crec.gid = conn->gid;
- StrnCpy(crec.name,
+ safe_strcpy(crec.name,
lp_servicename(SNUM(conn)),sizeof(crec.name)-1);
}
crec.start = time(NULL);
crec.bcast_msg_flags = msg_flags;
- StrnCpy(crec.machine,get_remote_machine_name(),sizeof(crec.machine)-1);
- StrnCpy(crec.addr,conn?conn->client_address:client_addr(),sizeof(crec.addr)-1);
+ safe_strcpy(crec.machine,get_remote_machine_name(),sizeof(crec.machine)-1);
+ safe_strcpy(crec.addr,conn?conn->client_address:client_addr(),sizeof(crec.addr)-1);
dbuf.dptr = (char *)&crec;
dbuf.dsize = sizeof(crec);
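Review bot: The three copies into `crec` write only up to the terminator, yet the record is stored whole (`dbuf.dsize = sizeof(crec)`), so whatever sits after the NUL in `crec.name`, `crec.machine` and `crec.addr` ends up in the stored record. The initialisation of `crec` is not visible here, because claim_connection starts and ends outside the hunk; if it is not zeroed, stack bytes are persisted, and if safe_strcpy pre-fills the destination in developer builds (likely, but not shown on this page) the padding bytes change there as well. I would add a comment above the first copy, `/* crec is written out whole: it must be zeroed before these copies, bytes after the NUL are stored too */`, and confirm the zeroing. When `conn` is NULL, no visible line sets `crec.name` at all.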
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 57bc236eef..16ef30c46c 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1249,12 +1249,16 @@ void smbd_process(void)
extern int smb_echo_count;
time_t last_timeout_processing_time = time(NULL);
unsigned int num_smbs = 0;
+ const size_t total_buffer_size = BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN;
- InBuffer = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN);
- OutBuffer = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN);
+ InBuffer = (char *)malloc(total_buffer_size);
+ OutBuffer = (char *)malloc(total_buffer_size);
if ((InBuffer == NULL) || (OutBuffer == NULL))
return;
+ clobber_region(SAFE_STRING_FUNCTION_NAME, SAFE_STRING_LINE, InBuffer, total_buffer_size);
+ clobber_region(SAFE_STRING_FUNCTION_NAME, SAFE_STRING_LINE, OutBuffer, total_buffer_size);
+
max_recv = MIN(lp_maxxmit(),BUFFER_SIZE);
while (True) {
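Review bot: The `clobber_region()` calls after the malloc check read as if they scrub InBuffer and OutBuffer, but as far as I know this helper only fills memory in developer builds. If so, in a release build both buffers still start with uninitialised heap contents, and OutBuffer still holds the previous reply's bytes on the next `process_smb()` call. The same applies to the per-request calls in the two later hunks (before `receive_message_or_smb()` and before `process_smb()`). Please say so in a comment, e.g. `/* debug aid only: poisons the buffers in developer builds so under-filled replies show up; not a scrub of stale data */`, so nobody relies on it to keep old packet data out of responses. smbd_process continues outside the hunk.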
@@ -1278,6 +1282,8 @@ void smbd_process(void)
num_smbs = 0; /* Reset smb counter. */
}
+ clobber_region(SAFE_STRING_FUNCTION_NAME, SAFE_STRING_LINE, InBuffer, total_buffer_size);
+
while (!receive_message_or_smb(InBuffer,BUFFER_SIZE+LARGE_WRITEX_HDR_SIZE,select_timeout)) {
if(!timeout_processing( deadtime, &select_timeout, &last_timeout_processing_time))
return;
@@ -1295,6 +1301,8 @@ void smbd_process(void)
*/
num_echos = smb_echo_count;
+ clobber_region(SAFE_STRING_FUNCTION_NAME, SAFE_STRING_LINE, OutBuffer, total_buffer_size);
+
process_smb(InBuffer, OutBuffer);
if (smb_echo_count != num_echos) {
diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c
new file mode 100644
index 0000000000..409fd30a67
--- /dev/null
+++ b/source3/smbd/srvstr.c
@@ -0,0 +1,44 @@
+/*
+ Unix SMB/CIFS implementation.
+ server specific string routines
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+extern int max_send;
+
+/* Make sure we can't write a string past the end of the buffer */
+
+size_t srvstr_push_fn(const char *function, unsigned int line,
+ const char *base_ptr, void *dest,
+ const char *src, int dest_len, int flags)
+{
+ size_t buf_used = PTR_DIFF(dest, base_ptr);
+ if (dest_len == -1) {
+ if (((ptrdiff_t)dest < (ptrdiff_t)base_ptr) || (buf_used > (size_t)max_send)) {
+#if 0
+ DEBUG(0, ("Pushing string of 'unlimited' length into non-SMB buffer!\n"));
+#endif
+ return push_string_fn(function, line, base_ptr, dest, src, -1, flags);
+ }
+ return push_string_fn(function, line, base_ptr, dest, src, max_send - buf_used, flags);
+ }
+
+ /* 'normal' push into size-specified buffer */
+ return push_string_fn(function, line, base_ptr, dest, src, dest_len, flags);
+}
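Review bot: The header comment promises that a string cannot be written past the end of the buffer, but when `dest_len == -1` and `dest` lies outside `base_ptr .. base_ptr + max_send`, the function forwards `-1` to `push_string_fn()` and the only diagnostic is compiled out with `#if 0`. That path is exactly the unbounded push the wrapper exists to prevent, and it is silent. I would either drop the `#if 0`/`#endif` pair so the `DEBUG(0, ...)` fires, or extend the comment to `/* dest_len == -1 is bounded by max_send only when dest is inside the SMB buffer; otherwise the push is unbounded and the caller must guarantee space */`. The bound also assumes the buffer behind `base_ptr` holds at least `max_send` bytes, which nothing in this file checks.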