From ed9e0d9a3acfa6ab05639da5c29e2edb07a9fb67 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 17 Jul 2007 23:01:02 +0000 Subject: r23939: Fixes for notify returns. Returned param value must fix inside max_param or return NT_STATUS_OK. Jeremy. (This used to be commit ab4af60d1ab4583fd27deb63b3f7baa1ede3473d) --- source3/smbd/notify.c | 36 +++++++++++++++++------------------- source3/smbd/nttrans.c | 5 +++-- 2 files changed, 20 insertions(+), 21 deletions(-) diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c index 6ab4266c19..40dcecee26 100644 --- a/source3/smbd/notify.c +++ b/source3/smbd/notify.c @@ -21,15 +21,12 @@ #include "includes.h" -/* Max size we can send to client in a notify response. */ -extern int max_send; - struct notify_change_request { struct notify_change_request *prev, *next; struct files_struct *fsp; /* backpointer for cancel by mid */ char request_buf[smb_size]; uint32 filter; - uint32 current_bufsize; + uint32 max_param; struct notify_mid_map *mid_map; void *backend_data; }; @@ -61,8 +58,9 @@ static BOOL notify_change_record_identical(struct notify_change *c1, } static BOOL notify_marshall_changes(int num_changes, - struct notify_change *changes, - prs_struct *ps) + uint32 max_offset, + struct notify_change *changes, + prs_struct *ps) { int i; UNISTR uni_name; @@ -112,6 +110,11 @@ static BOOL notify_marshall_changes(int num_changes, prs_set_offset(ps, prs_offset(ps)-2); SAFE_FREE(uni_name.buffer); + + if (prs_offset(ps) > max_offset) { + /* Too much data for client. */ + return False; + } } return True; @@ -148,7 +151,7 @@ static void change_notify_reply_packet(const char *request_buf, "failed."); } -void change_notify_reply(const char *request_buf, +void change_notify_reply(const char *request_buf, uint32 max_param, struct notify_change_buf *notify_buf) { char *outbuf = NULL; @@ -160,16 +163,10 @@ void change_notify_reply(const char *request_buf, return; } - if (!prs_init(&ps, 0, NULL, False) - || !notify_marshall_changes(notify_buf->num_changes, - notify_buf->changes, &ps)) { - change_notify_reply_packet(request_buf, NT_STATUS_NO_MEMORY); - goto done; - } - - buflen = smb_size+38+prs_offset(&ps) + 4 /* padding */; + prs_init(&ps, 0, NULL, False); - if (buflen > max_send) { + if (!notify_marshall_changes(notify_buf->num_changes, max_param, + notify_buf->changes, &ps)) { /* * We exceed what the client is willing to accept. Send * nothing. @@ -238,7 +235,7 @@ NTSTATUS change_notify_create(struct files_struct *fsp, uint32 filter, return status; } -NTSTATUS change_notify_add_request(const char *inbuf, +NTSTATUS change_notify_add_request(const char *inbuf, uint32 max_param, uint32 filter, BOOL recursive, struct files_struct *fsp) { @@ -255,11 +252,11 @@ NTSTATUS change_notify_add_request(const char *inbuf, map->req = request; memcpy(request->request_buf, inbuf, sizeof(request->request_buf)); - request->current_bufsize = 0; + request->max_param = max_param; request->filter = filter; request->fsp = fsp; request->backend_data = NULL; - + DLIST_ADD_END(fsp->notify->requests, request, struct notify_change_request *); @@ -431,6 +428,7 @@ static void notify_fsp(files_struct *fsp, uint32 action, const char *name) */ change_notify_reply(fsp->notify->requests->request_buf, + fsp->notify->requests->max_param, fsp->notify); change_notify_remove_request(fsp->notify->requests); diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index f7df37b433..64b6d33eee 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -2045,7 +2045,7 @@ static int call_nt_transact_notify_change(connection_struct *conn, char *inbuf, * here. */ - change_notify_reply(inbuf, fsp->notify); + change_notify_reply(inbuf, max_param_count, fsp->notify); /* * change_notify_reply() above has independently sent its @@ -2058,7 +2058,8 @@ static int call_nt_transact_notify_change(connection_struct *conn, char *inbuf, * No changes pending, queue the request */ - status = change_notify_add_request(inbuf, filter, recursive, fsp); + status = change_notify_add_request(inbuf, max_param_count, filter, + recursive, fsp); if (!NT_STATUS_IS_OK(status)) { return ERROR_NT(status); } -- cgit