From acb23b2c5fa02ebbee762a8bf4b9d1fec40d4fea Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 2 Nov 2004 22:01:11 +0000 Subject: r3493: fixed a bug in readx reply where the client specifies an invalid high part of the maxcnt. This caused an allocation failure and server exit. Note: we need to go back over all the places in the core smb_server that can cause allocation failures based on user input and fix them to instead produce a SMB error. Thanks to Susan for finding this bug. (This used to be commit 4aed1b7921a3bfef460f8602467ac0dca9561032) --- source4/smb_server/reply.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/source4/smb_server/reply.c b/source4/smb_server/reply.c index eb75ab08c7..9c7d027f4a 100644 --- a/source4/smb_server/reply.c +++ b/source4/smb_server/reply.c @@ -892,8 +892,14 @@ void reply_read_and_X(struct smbsrv_request *req) io->readx.in.offset = IVAL(req->in.vwv, VWV(3)); io->readx.in.maxcnt = SVAL(req->in.vwv, VWV(5)); io->readx.in.mincnt = SVAL(req->in.vwv, VWV(6)); - io->readx.in.maxcnt |= IVAL(req->in.vwv, VWV(7)) << 16; io->readx.in.remaining = SVAL(req->in.vwv, VWV(9)); + + if (req->smb_conn->negotiate.client_caps & CAP_LARGE_READX) { + uint32_t high_part = IVAL(req->in.vwv, VWV(7)); + if (high_part == 1) { + io->readx.in.maxcnt |= high_part << 16; + } + } /* the 64 bit variant */ if (req->in.wct == 12) { -- cgit
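Review bot: in the new `CAP_LARGE_READX` block of reply_read_and_X(), a `high_part` other than 0 or 1 is silently discarded and the request carries on with only the 16-bit `maxcnt` from VWV(5), so a client that sends a malformed high word gets a short read instead of any indication that the field was rejected. The accepted value 1 is also a bare magic number: a short comment above `if (high_part == 1)` should say why only that value is honoured and what ceiling it places on `maxcnt` (0x1FFFF with the low 16 bits), so a later reader does not "fix" it back to an unconditional OR. Two smaller points: `high_part` is read with IVAL, which pulls 32 bits starting at VWV(7), so the comparison covers VWV(8) as well and that is worth stating in the same comment; and once the value is known to be 1, `io->readx.in.maxcnt |= 0x10000;` says the same thing more directly than `high_part << 16`. The hunk bounds the input but leaves the allocation path itself unchanged, so the follow-up the commit message calls for (returning an SMB error on allocation failure rather than exiting) still applies to this function.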