From c94b2898cd5d1174181add198a462ab232f5aba6 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 1 Nov 2007 21:51:45 -0700
Subject: Ensure we detect a large writeX when using recvfile.
More changes needed to make the UNIX_LARGE_WRITEX_CAP writes work (I'll add these tomorrow).
Jeremy.
(This used to be commit 1c71546b6152d2930b98f766311bbd161ee0ee4e)
---
 source3/smbd/reply.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'source3/smbd/reply.c')
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index d2aa6c6929..d4f3f1f255 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3926,7 +3926,8 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req)
 numtowrite = SVAL(req->inbuf,smb_vwv10);
 smb_doff = SVAL(req->inbuf,smb_vwv11);
 smblen = smb_len(req->inbuf);
- large_writeX = ((req->wct == 14) && (smblen > 0xFFFF));
+ large_writeX = (req->wct == 14 &&
+ (smblen > 0xFFFF || req->unread_bytes > 0xFFFF));
 /* Deal with possible LARGE_WRITEX */
 if (large_writeX) {
--
cgit
From bece9609cd633d69c2c8dc72fcb6c26c4f11f9f2 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 1 Nov 2007 22:24:39 -0700
Subject: Be careful and take care of the correct lengths in large writeX calls.
Jeremy.
(This used to be commit 2d3ff9c502105f92720131355b41e48be8d656c2)
---
 source3/smbd/reply.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
(limited to 'source3/smbd/reply.c')
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index d4f3f1f255..c83066d41e 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3912,7 +3912,6 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req)
 unsigned int smb_doff;
 unsigned int smblen;
 char *data;
- bool large_writeX;
 NTSTATUS status;
 START_PROFILE(SMBwriteX);
@@ -3926,12 +3925,11 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req)
 numtowrite = SVAL(req->inbuf,smb_vwv10);
 smb_doff = SVAL(req->inbuf,smb_vwv11);
 smblen = smb_len(req->inbuf);
- large_writeX = (req->wct == 14 &&
- (smblen > 0xFFFF || req->unread_bytes > 0xFFFF));
- /* Deal with possible LARGE_WRITEX */
- if (large_writeX) {
- numtowrite |= ((((size_t)SVAL(req->inbuf,smb_vwv9)) & 1 )<<16);
+ if (req->unread_bytes > 0xFFFF ||
+ (smblen > smb_doff + 4 &&
+ smblen - smb_doff + 4 > 0xFFFF)) {
+ numtowrite |= (((size_t)SVAL(req->inbuf,smb_vwv9))<<16);
 }
 if (req->unread_bytes) {
@@ -3941,7 +3939,8 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req)
 return;
 }
 } else {
- if (smb_doff > smblen || smb_doff + numtowrite > smblen) {
+ if (smb_doff + 4 > smblen || smb_doff + 4 + numtowrite < numtowrite ||
+ smb_doff + 4 + numtowrite > smblen) {
 reply_doserror(req, ERRDOS, ERRbadmem);
 END_PROFILE(SMBwriteX);
 return;
@@ -4032,8 +4031,7 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req)
 reply_outbuf(req, 6, 0);
 SSVAL(req->outbuf,smb_vwv2,nwritten);
- if (large_writeX)
- SSVAL(req->outbuf,smb_vwv4,(nwritten>>16)&1);
+ SSVAL(req->outbuf,smb_vwv4,nwritten>>16);
 if (nwritten < (ssize_t)numtowrite) {
 SCVAL(req->outbuf,smb_rcls,ERRHRD);
--
cgit
From 10500184bf7aac4c1036a807ad4f57d2016d7bd0 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 1 Nov 2007 22:42:21 -0700
Subject: Ensure we can't accidently do a pipe write with unread bytes in the socket buffer.
Jeremy
(This used to be commit 84d22f7747126608b9460f9591bb5967d871b82d)
---
 source3/smbd/reply.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'source3/smbd/reply.c')
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index c83066d41e..de0e852e2a 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
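Review bot: With the `& 1` mask removed, `numtowrite |= (((size_t)SVAL(req->inbuf,smb_vwv9))<<16)` lets a client declare a write of up to 4 GB, so the `if (req->unread_bytes)` branch that begins on the last line of this hunk (its body is not visible here) must reject `numtowrite != req->unread_bytes` before anything is transferred — worth confirming, because the bounds check in the `else` branch further down only covers data already in `inbuf`. A client that sets vwv9 without sending that much data is otherwise limited only by what the recvfile path checks. reply_write_and_X starts and ends outside the hunk.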
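Review bot: `SSVAL(req->outbuf,smb_vwv4,nwritten>>16)` right-shifts `nwritten`, which the cast two lines below shows is an `ssize_t`; if `nwritten` can still be negative at this point (the write error handling sits above the hunk and is not visible) the shift of a negative value is implementation-defined and would put 0xFFFF into CountHigh. If an earlier `nwritten < 0` path already returns, a one-line comment saying so would make this safe by inspection; otherwise guard it: `SSVAL(req->outbuf,smb_vwv4,(nwritten > 0) ? (nwritten>>16) : 0);`. Setting CountHigh unconditionally is fine for ordinary writes, since `nwritten>>16` is 0 below 64K. reply_write_and_X ends outside the hunk.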
@@ -3949,6 +3949,11 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req)
 /* If it's an IPC, pass off the pipe handler. */
 if (IS_IPC(conn)) {
+ if (req->unread_bytes) {
+ reply_doserror(req, ERRDOS, ERRbadmem);
+ END_PROFILE(SMBwriteX);
+ return;
+ }
 reply_pipe_write_and_X(req);
 END_PROFILE(SMBwriteX);
 return;
--
cgit
From 414ab2ce46dd62d0119f03eca93783bc489af896 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Fri, 2 Nov 2007 10:35:10 -0700
Subject: Argggh. smblen doesn't include the +4, so my smb_doff calculations shouldn't either :-).
Jeremy.
(This used to be commit c3de44b6b063e126095b30536fdcb643c70e395e)
---
 source3/smbd/reply.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'source3/smbd/reply.c')
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index de0e852e2a..84c1892560 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3927,8 +3927,8 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req)
 smblen = smb_len(req->inbuf);
 if (req->unread_bytes > 0xFFFF ||
- (smblen > smb_doff + 4 &&
- smblen - smb_doff + 4 > 0xFFFF)) {
+ (smblen > smb_doff &&
+ smblen - smb_doff > 0xFFFF)) {
 numtowrite |= (((size_t)SVAL(req->inbuf,smb_vwv9))<<16);
 }
@@ -3939,8 +3939,8 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req)
 return;
 }
 } else {
- if (smb_doff + 4 > smblen || smb_doff + 4 + numtowrite < numtowrite ||
- smb_doff + 4 + numtowrite > smblen) {
+ if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
+ smb_doff + numtowrite > smblen) {
 reply_doserror(req, ERRDOS, ERRbadmem);
 END_PROFILE(SMBwriteX);
 return;
--
cgit
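Review bot: The new early return under `IS_IPC(conn)` leaves `req->unread_bytes` of payload sitting unread in the socket; `reply_doserror` only builds the error reply, so unless the dispatcher drains or closes the connection whenever a request returns with unread bytes, that payload is parsed as the next SMB and the stream desynchronises. The ERRbadmem return in the `if (req->unread_bytes)` branch above this hunk has the same property. I would state the contract at the return: `/* Leaves req->unread_bytes in the socket: the caller must drain them or drop the connection. */`. reply_write_and_X starts and ends outside the hunk.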
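Review bot: The corrected test `smblen > smb_doff && smblen - smb_doff > 0xFFFF` now measures the in-buffer payload on the same basis as `smb_len()`, but nothing says why vwv9 is honoured only when more than 64K of payload is actually present, which is the question the next reader (and the next off-by-four) will ask. A comment above the `if` would settle it: `/* Only honour DataLengthHigh (vwv9) when more than 64K of data really arrived (unread in the socket or in inbuf); presumably clients not using large writeX leave vwv9 uninitialised — confirm. */`. The `smblen > smb_doff` term exists only to keep the unsigned subtraction from wrapping; since both are unsigned int and smb_doff comes from a 16-bit SVAL, `smblen > smb_doff + 0xFFFF` expresses the same condition without it. The function starts and ends outside the hunk.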