Diffstat (limited to 'source3')
-rw-r--r-- | source3/include/smb.h | 1 | ||||
-rw-r--r-- | source3/smbd/process.c | 5 | ||||
-rw-r--r-- | source3/smbd/reply.c | 22 | ||||
-rw-r--r-- | source3/smbd/sesssetup.c | 3 |
4 files changed, 12 insertions, 19 deletions
diff --git a/source3/include/smb.h b/source3/include/smb.h
index fdbad2a22a..d682052c63 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -631,6 +631,7 @@ struct smb_request {
 uint16 vuid;
 uint16 tid;
 uint8 wct;
+ uint16_t buflen;
 const uint8 *inbuf;
 uint8 *outbuf;
 size_t unread_bytes;
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 4d415b2d27..8e1add3fb1 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -375,6 +375,7 @@ void init_smb_request(struct smb_request *req,
 req->vuid = SVAL(inbuf, smb_uid);
 req->tid = SVAL(inbuf, smb_tid);
 req->wct = CVAL(inbuf, smb_wct);
+ req->buflen = smb_buflen(inbuf);
 req->unread_bytes = unread_bytes;
 req->encrypted = encrypted;
 req->conn = conn_find(req->tid);
@@ -388,10 +389,10 @@ void init_smb_request(struct smb_request *req,
 exit_server_cleanly("Invalid SMB request");
 }
 /* Ensure bcc is correct. */
- if (((uint8 *)smb_buf(inbuf)) + smb_buflen(inbuf) > inbuf + req_size) {
+ if (((uint8 *)smb_buf(inbuf)) + req->buflen > inbuf + req_size) {
 DEBUG(0,("init_smb_request: invalid bcc number %u "
 "(wct = %u, size %u)\n",
- (unsigned int)smb_buflen(inbuf),
+ (unsigned int)req->buflen,
 (unsigned int)req->wct,
 (unsigned int)req_size));
 exit_server_cleanly("Invalid SMB request");
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 25480c6e3b..2d7e557980 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -523,7 +523,7 @@ void reply_tcon(struct smb_request *req)
 START_PROFILE(SMBtcon);
- if (smb_buflen(req->inbuf) < 4) {
+ if (req->buflen < 4) {
 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 END_PROFILE(SMBtcon);
 return;
@@ -614,7 +614,7 @@ void reply_tcon_and_X(struct smb_request *req)
 conn = NULL;
 }
- if ((passlen > MAX_PASS_LEN) || (passlen >= smb_buflen(req->inbuf))) {
+ if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) {
 reply_doserror(req, ERRDOS, ERRbuftoosmall);
 END_PROFILE(SMBtconX);
 return;
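Review bot: `req->buflen = smb_buflen(inbuf);` in the first init_smb_request hunk reads the byte-count field before any size check has run, whereas the old code only called smb_buflen() inside the "Ensure bcc is correct" test, after the earlier check whose `exit_server_cleanly` call ends just above it. That earlier check and the smb_buflen() macro are both outside the hunks; if the macro locates the field from the word count and the earlier check is the wct-versus-req_size validation, the field is now fetched at an offset derived from an unvalidated wct, so a short packet with a large wct could be read past the received data. Moving the assignment down to sit directly above `/* Ensure bcc is correct. */` keeps the cached value while restoring the original order of validation. The function body starts and ends outside both hunks.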
@@ -4562,7 +4562,6 @@ void reply_echo(struct smb_request *req)
 connection_struct *conn = req->conn;
 int smb_reverb;
 int seq_num;
- unsigned int data_len = smb_buflen(req->inbuf);
 START_PROFILE(SMBecho);
@@ -4572,20 +4571,13 @@ void reply_echo(struct smb_request *req)
 return;
 }
- if (data_len > BUFFER_SIZE) {
- DEBUG(0,("reply_echo: data_len too large.\n"));
- reply_nterror(req, NT_STATUS_INSUFFICIENT_RESOURCES);
- END_PROFILE(SMBecho);
- return;
- }
-
 smb_reverb = SVAL(req->inbuf,smb_vwv0);
- reply_outbuf(req, 1, data_len);
+ reply_outbuf(req, 1, req->buflen);
 /* copy any incoming data back out */
- if (data_len > 0) {
- memcpy(smb_buf(req->outbuf),smb_buf(req->inbuf),data_len);
+ if (req->buflen > 0) {
+ memcpy(smb_buf(req->outbuf), smb_buf(req->inbuf), req->buflen);
 }
 if (smb_reverb > 100) {
@@ -4835,7 +4827,7 @@ void reply_printwrite(struct smb_request *req)
 numtowrite = SVAL(smb_buf(req->inbuf),1);
- if (smb_buflen(req->inbuf) < numtowrite + 3) {
+ if (req->buflen < numtowrite + 3) {
 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 END_PROFILE(SMBsplwr);
 return;
@@ -6746,7 +6738,7 @@ void reply_lockingX(struct smb_request *req)
 release_level_2_oplocks_on_change(fsp);
- if (smb_buflen(req->inbuf) <
+ if (req->buflen <
 (num_ulocks + num_locks) * (large_file_format ? 20 : 10)) {
 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 END_PROFILE(SMBlockingX);
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index b258386121..02931e49f4 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -1446,8 +1446,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
 * don't get client caps. */
 remove_from_common_flags2(FLAGS2_32_BIT_ERROR_CODES);
- if ((passlen1 > MAX_PASS_LEN)
- || (passlen1 > smb_buflen(req->inbuf))) {
+ if ((passlen1 > MAX_PASS_LEN) || (passlen1 > req->buflen)) {
 reply_nterror(req, nt_status_squash(
 NT_STATUS_INVALID_PARAMETER));
 END_PROFILE(SMBsesssetupX); |
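Review bot: The second reply_echo hunk drops the `data_len > BUFFER_SIZE` guard, so the `memcpy` into `smb_buf(req->outbuf)` is now bounded only by `req->buflen`, and nothing at the copy site says why that is enough. It appears safe provided init_smb_request has already rejected a byte count that runs past the received packet and `reply_outbuf(req, 1, req->buflen)` reserves at least that many data bytes; the 16-bit field also caps the copy at 65535, which presumably makes the old limit redundant, though BUFFER_SIZE is not shown here. I would record that above the copy, e.g. `/* req->buflen was checked against the packet size in init_smb_request() */`, so a later change on either side does not silently remove the bound. The handlers in this file now pair the cached `req->buflen` with a live `smb_buf(req->inbuf)` (also in the printwrite and lockingX hunks), so it is worth confirming that req->inbuf is never swapped after init, for instance when chained requests are processed, without buflen being refreshed.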