From 7633995fa08149fae9b1e281e1b5e2500b0a5572 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 9 Jun 2009 16:34:52 +0200 Subject: s4:smb2srv: fix handling of multiple compounded requests metze --- source4/smb_server/smb2/receive.c | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) (limited to 'source4/smb_server/smb2') diff --git a/source4/smb_server/smb2/receive.c b/source4/smb_server/smb2/receive.c index 4d513fd562..5831e07ad8 100644 --- a/source4/smb_server/smb2/receive.c +++ b/source4/smb_server/smb2/receive.c @@ -149,18 +149,22 @@ static void smb2srv_chain_reply(struct smb2srv_request *p_req) uint32_t protocol_version; uint16_t buffer_code; uint32_t dynamic_size; + uint32_t flags; + uint32_t last_hdr_offset; + + last_hdr_offset = p_req->in.hdr - p_req->in.buffer; chain_offset = p_req->chain_offset; p_req->chain_offset = 0; - if (p_req->in.size < (NBT_HDR_SIZE + chain_offset + SMB2_MIN_SIZE_NO_BODY)) { - DEBUG(2,("Invalid SMB2 chained packet at offset 0x%X\n", - chain_offset)); + if (p_req->in.size < (last_hdr_offset + chain_offset + SMB2_MIN_SIZE_NO_BODY)) { + DEBUG(2,("Invalid SMB2 chained packet at offset 0x%X from last hdr 0x%X\n", + chain_offset, last_hdr_offset)); smbsrv_terminate_connection(p_req->smb_conn, "Invalid SMB2 chained packet"); return; } - protocol_version = IVAL(p_req->in.buffer, NBT_HDR_SIZE + chain_offset); + protocol_version = IVAL(p_req->in.buffer, last_hdr_offset + chain_offset); if (protocol_version != SMB2_MAGIC) { DEBUG(2,("Invalid SMB chained packet: protocol prefix: 0x%08X\n", protocol_version)); @@ -179,9 +183,9 @@ static void smb2srv_chain_reply(struct smb2srv_request *p_req) req->request_time = p_req->request_time; req->in.allocated = req->in.size; - req->in.hdr = req->in.buffer+ NBT_HDR_SIZE + chain_offset; + req->in.hdr = req->in.buffer+ last_hdr_offset + chain_offset; req->in.body = req->in.hdr + SMB2_HDR_BODY; - req->in.body_size = req->in.size - (NBT_HDR_SIZE+ chain_offset + SMB2_HDR_BODY); + req->in.body_size = req->in.size - (last_hdr_offset+ chain_offset + SMB2_HDR_BODY); req->in.dynamic = NULL; req->seqnum = BVAL(req->in.hdr, SMB2_HDR_MESSAGE_ID); @@ -213,7 +217,8 @@ static void smb2srv_chain_reply(struct smb2srv_request *p_req) smb2srv_setup_bufinfo(req); - if (p_req->chained_file_handle) { + flags = IVAL(req->in.hdr, SMB2_HDR_FLAGS); + if ((flags & SMB2_HDR_FLAG_CHAINED) && p_req->chained_file_handle) { memcpy(req->_chained_file_handle, p_req->_chained_file_handle, sizeof(req->_chained_file_handle)); -- cgit