The Samba-Bugzilla – Attachment 2827 Details for
Bug 4796
Windows XP client giving OutOfResources NetBT exceptions
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Correct patch.
look (text/plain), 3.86 KB, created by
Jeremy Allison
on 2007-07-17 19:00:12 UTC
(
hide
)
Description:
Correct patch.
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2007-07-17 19:00:12 UTC
Size:
3.86 KB
patch
obsolete
>diff -u -r source-orig/smbd/notify.c source/smbd/notify.c >--- source-orig/smbd/notify.c 2007-06-19 10:11:34.000000000 -0700 >+++ source/smbd/notify.c 2007-07-17 16:57:37.625834000 -0700 >@@ -27,7 +27,7 @@ > struct files_struct *fsp; /* backpointer for cancel by mid */ > char request_buf[smb_size]; > uint32 filter; >- uint32 current_bufsize; >+ uint32 max_param; > struct notify_mid_map *mid_map; > void *backend_data; > }; >@@ -47,19 +47,40 @@ > uint16 mid; > }; > >+static BOOL notify_change_record_identical(struct notify_change *c1, >+ struct notify_change *c2) >+{ >+ /* Note this is deliberately case sensitive. */ >+ if (c1->action == c2->action && >+ strcmp(c1->name, c2->name) == 0) { >+ return True; >+ } >+ return False; >+} >+ > static BOOL notify_marshall_changes(int num_changes, >- struct notify_change *changes, >- prs_struct *ps) >+ uint32 max_offset, >+ struct notify_change *changes, >+ prs_struct *ps) > { > int i; > UNISTR uni_name; > > for (i=0; i<num_changes; i++) { >- struct notify_change *c = &changes[i]; >+ struct notify_change *c; > size_t namelen; > uint32 u32_tmp; /* Temp arg to prs_uint32 to avoid > * signed/unsigned issues */ > >+ /* Coalesce any identical records. */ >+ while (i+1 < num_changes && >+ notify_change_record_identical(&changes[i], >+ &changes[i+1])) { >+ i++; >+ } >+ >+ c = &changes[i]; >+ > namelen = convert_string_allocate( > NULL, CH_UNIX, CH_UTF16LE, c->name, strlen(c->name)+1, > &uni_name.buffer, True); >@@ -90,6 +111,11 @@ > prs_set_offset(ps, prs_offset(ps)-2); > > SAFE_FREE(uni_name.buffer); >+ >+ if (prs_offset(ps) > max_offset) { >+ /* Too much data for client. */ >+ return False; >+ } > } > > return True; >@@ -125,7 +151,7 @@ > "failed."); > } > >-void change_notify_reply(const char *request_buf, >+void change_notify_reply(const char *request_buf, uint32 max_param, > struct notify_change_buf *notify_buf) > { > char *outbuf = NULL; >@@ -137,10 +163,15 @@ > return; > } > >- if (!prs_init(&ps, 0, NULL, False) >- || !notify_marshall_changes(notify_buf->num_changes, >+ prs_init(&ps, 0, NULL, False); >+ >+ if (!notify_marshall_changes(notify_buf->num_changes, max_param, > notify_buf->changes, &ps)) { >- change_notify_reply_packet(request_buf, NT_STATUS_NO_MEMORY); >+ /* >+ * We exceed what the client is willing to accept. Send >+ * nothing. >+ */ >+ change_notify_reply_packet(request_buf, NT_STATUS_OK); > goto done; > } > >@@ -206,7 +237,7 @@ > return status; > } > >-NTSTATUS change_notify_add_request(const char *inbuf, >+NTSTATUS change_notify_add_request(const char *inbuf, uint32 max_param, > uint32 filter, BOOL recursive, > struct files_struct *fsp) > { >@@ -223,11 +254,11 @@ > map->req = request; > > memcpy(request->request_buf, inbuf, sizeof(request->request_buf)); >- request->current_bufsize = 0; >+ request->max_param = max_param; > request->filter = filter; > request->fsp = fsp; > request->backend_data = NULL; >- >+ > DLIST_ADD_END(fsp->notify->requests, request, > struct notify_change_request *); > >@@ -399,6 +430,7 @@ > */ > > change_notify_reply(fsp->notify->requests->request_buf, >+ fsp->notify->requests->max_param, > fsp->notify); > > change_notify_remove_request(fsp->notify->requests); >diff -u -r source-orig/smbd/nttrans.c source/smbd/nttrans.c >--- source-orig/smbd/nttrans.c 2007-06-19 10:11:34.000000000 -0700 >+++ source/smbd/nttrans.c 2007-07-17 15:58:00.916313000 -0700 >@@ -1979,7 +1979,7 @@ > * here. > */ > >- change_notify_reply(inbuf, fsp->notify); >+ change_notify_reply(inbuf, max_param_count, fsp->notify); > > /* > * change_notify_reply() above has independently sent its >@@ -1992,7 +1992,8 @@ > * No changes pending, queue the request > */ > >- status = change_notify_add_request(inbuf, filter, recursive, fsp); >+ status = change_notify_add_request(inbuf, max_param_count, filter, >+ recursive, fsp); > if (!NT_STATUS_IS_OK(status)) { > return ERROR_NT(status); > }
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 4796
:
2825
| 2827 |
2828