The Samba-Bugzilla – Attachment 2976 Details for
Bug 5087
Crash of smbd after upgrade to 3.0.27
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch for 3.0.27a
look (text/plain), 9.58 KB, created by
Jeremy Allison
on 2007-11-16 15:18:11 UTC
(
hide
)
Description:
Patch for 3.0.27a
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2007-11-16 15:18:11 UTC
Size:
9.58 KB
patch
obsolete
>diff -u -r source-orig/smbd/negprot.c source/smbd/negprot.c >--- source-orig/smbd/negprot.c 2007-11-14 19:15:04.000000000 -0800 >+++ source/smbd/negprot.c 2007-11-16 11:53:31.000000000 -0800 >@@ -346,7 +346,7 @@ > SCVAL(outbuf,smb_vwv16+1,8); > p += 8; > } >- p += srvstr_push(outbuf, p, lp_workgroup(), -1, >+ p += srvstr_push(outbuf, p, lp_workgroup(), BUFFER_SIZE - (p-outbuf), > STR_UNICODE|STR_TERMINATE|STR_NOALIGN); > DEBUG(3,("not using SPNEGO\n")); > } else { >diff -u -r source-orig/smbd/reply.c source/smbd/reply.c >--- source-orig/smbd/reply.c 2007-11-14 19:15:04.000000000 -0800 >+++ source/smbd/reply.c 2007-11-16 11:56:03.000000000 -0800 >@@ -524,7 +524,7 @@ > if (Protocol < PROTOCOL_NT1) { > set_message(outbuf,2,0,True); > p = smb_buf(outbuf); >- p += srvstr_push(outbuf, p, server_devicetype, -1, >+ p += srvstr_push(outbuf, p, server_devicetype, BUFFER_SIZE - (p - outbuf), > STR_TERMINATE|STR_ASCII); > set_message_end(outbuf,p); > } else { >@@ -554,9 +554,9 @@ > } > > p = smb_buf(outbuf); >- p += srvstr_push(outbuf, p, server_devicetype, -1, >+ p += srvstr_push(outbuf, p, server_devicetype, BUFFER_SIZE - (p - outbuf), > STR_TERMINATE|STR_ASCII); >- p += srvstr_push(outbuf, p, fstype, -1, >+ p += srvstr_push(outbuf, p, fstype, BUFFER_SIZE - (p - outbuf), > STR_TERMINATE); > > set_message_end(outbuf,p); >@@ -1766,7 +1766,7 @@ > thing in the byte section. JRA */ > SSVALS(p, 0, -1); /* what is this? not in spec */ > #endif >- namelen = srvstr_push(outbuf, p, s, -1, STR_ASCII|STR_TERMINATE); >+ namelen = srvstr_push(outbuf, p, s, BUFFER_SIZE - (p - outbuf), STR_ASCII|STR_TERMINATE); > p += namelen; > outsize = set_message_end(outbuf, p); > >diff -u -r source-orig/smbd/srvstr.c source/smbd/srvstr.c >--- source-orig/smbd/srvstr.c 2007-11-14 19:15:04.000000000 -0800 >+++ source/smbd/srvstr.c 2007-11-16 11:41:16.000000000 -0800 >@@ -28,17 +28,10 @@ > const char *base_ptr, void *dest, > const char *src, int dest_len, int flags) > { >- size_t buf_used = PTR_DIFF(dest, base_ptr); >- if (dest_len == -1) { >- if (((ptrdiff_t)dest < (ptrdiff_t)base_ptr) || (buf_used > (size_t)max_send)) { >-#if 0 >- DEBUG(0, ("Pushing string of 'unlimited' length into non-SMB buffer!\n")); >-#endif >- return push_string_fn(function, line, base_ptr, dest, src, -1, flags); >- } >- return push_string_fn(function, line, base_ptr, dest, src, max_send - buf_used, flags); >+ if (dest_len < 0) { >+ return 0; > } >- >+ > /* 'normal' push into size-specified buffer */ > return push_string_fn(function, line, base_ptr, dest, src, dest_len, flags); > } >diff -u -r source-orig/smbd/trans2.c source/smbd/trans2.c >--- source-orig/smbd/trans2.c 2007-11-14 19:15:04.000000000 -0800 >+++ source/smbd/trans2.c 2007-11-16 11:47:47.000000000 -0800 >@@ -1283,7 +1283,7 @@ > p += 23; > nameptr = p; > p += align_string(outbuf, p, 0); >- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE); >+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE); > if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) { > if (len > 2) { > SCVAL(nameptr, -1, len - 2); >@@ -1318,7 +1318,7 @@ > } > p += 27; > nameptr = p - 1; >- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE | STR_NOALIGN); >+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE | STR_NOALIGN); > if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) { > if (len > 2) { > len -= 2; >@@ -1372,9 +1372,9 @@ > } > > /* Push the ea_data followed by the name. */ >- p += fill_ea_buffer(ea_ctx, p, space_remaining, conn, name_list); >+ p += fill_ea_buffer(ea_ctx, p, space_remaining - (p - pdata), conn, name_list); > nameptr = p; >- len = srvstr_push(outbuf, p + 1, fname, -1, STR_TERMINATE | STR_NOALIGN); >+ len = srvstr_push(outbuf, p + 1, fname, space_remaining - (p - pdata), STR_TERMINATE | STR_NOALIGN); > if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) { > if (len > 2) { > len -= 2; >@@ -1431,7 +1431,7 @@ > memset(p,'\0',26); > } > p += 2 + 24; >- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII); >+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII); > SIVAL(q,0,len); > p += len; > SIVAL(p,0,0); /* Ensure any padding is null. */ >@@ -1452,7 +1452,7 @@ > SOFF_T(p,0,file_size); p += 8; > SOFF_T(p,0,allocation_size); p += 8; > SIVAL(p,0,nt_extmode); p += 4; >- len = srvstr_push(outbuf, p + 4, fname, -1, STR_TERMINATE_ASCII); >+ len = srvstr_push(outbuf, p + 4, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII); > SIVAL(p,0,len); > p += 4 + len; > SIVAL(p,0,0); /* Ensure any padding is null. */ >@@ -1479,7 +1479,7 @@ > SIVAL(p,0,ea_size); /* Extended attributes */ > p +=4; > } >- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII); >+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII); > SIVAL(q, 0, len); > p += len; > >@@ -1497,7 +1497,7 @@ > p += 4; > /* this must *not* be null terminated or w2k gets in a loop trying to set an > acl on a dir (tridge) */ >- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII); >+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII); > SIVAL(p, -4, len); > p += len; > SIVAL(p,0,0); /* Ensure any padding is null. */ >@@ -1527,7 +1527,7 @@ > SIVAL(p,0,0); p += 4; /* Unknown - reserved ? */ > SIVAL(p,0,sbuf.st_ino); p += 4; /* FileIndexLow */ > SIVAL(p,0,sbuf.st_dev); p += 4; /* FileIndexHigh */ >- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII); >+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII); > SIVAL(q, 0, len); > p += len; > SIVAL(p,0,0); /* Ensure any padding is null. */ >@@ -1578,7 +1578,7 @@ > SSVAL(p,0,0); p += 2; /* Reserved ? */ > SIVAL(p,0,sbuf.st_ino); p += 4; /* FileIndexLow */ > SIVAL(p,0,sbuf.st_dev); p += 4; /* FileIndexHigh */ >- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII); >+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII); > SIVAL(q,0,len); > p += len; > SIVAL(p,0,0); /* Ensure any padding is null. */ >@@ -1601,14 +1601,14 @@ > DEBUG(10,("get_lanman2_dir_entry: SMB_FIND_FILE_UNIX\n")); > p = store_file_unix_basic(conn, p, > NULL, &sbuf); >- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE); >+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE); > } else { > DEBUG(10,("get_lanman2_dir_entry: SMB_FIND_FILE_UNIX_INFO2\n")); > p = store_file_unix_basic_info2(conn, p, > NULL, &sbuf); > nameptr = p; > p += 4; >- len = srvstr_push(outbuf, p, fname, -1, 0); >+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), 0); > SIVAL(nameptr, 0, len); > } > >@@ -2309,7 +2309,7 @@ > * this call so try fixing this by adding a terminating null to > * the pushed string. The change here was adding the STR_TERMINATE. JRA. > */ >- len = srvstr_push(outbuf, pdata+l2_vol_szVolLabel, vname, -1, STR_NOALIGN|STR_TERMINATE); >+ len = srvstr_push(outbuf, pdata+l2_vol_szVolLabel, vname, max_data_bytes - l2_vol_szVolLabel, STR_NOALIGN|STR_TERMINATE); > SCVAL(pdata,l2_vol_cch,len); > data_len = l2_vol_szVolLabel + len; > DEBUG(5,("call_trans2qfsinfo : time = %x, namelen = %d, name = %s\n", >@@ -2331,14 +2331,14 @@ > SIVAL(pdata,4,255); /* Max filename component length */ > /* NOTE! the fstype must *not* be null terminated or win98 won't recognise it > and will think we can't do long filenames */ >- len = srvstr_push(outbuf, pdata+12, fstype, -1, STR_UNICODE); >+ len = srvstr_push(outbuf, pdata+12, fstype, max_data_bytes - 12, STR_UNICODE); > SIVAL(pdata,8,len); > data_len = 12 + len; > break; > > case SMB_QUERY_FS_LABEL_INFO: > case SMB_FS_LABEL_INFORMATION: >- len = srvstr_push(outbuf, pdata+4, vname, -1, 0); >+ len = srvstr_push(outbuf, pdata+4, vname, max_data_bytes - 4, 0); > data_len = 4 + len; > SIVAL(pdata,0,len); > break; >@@ -2354,7 +2354,7 @@ > (str_checksum(get_local_machine_name())<<16)); > > /* Max label len is 32 characters. */ >- len = srvstr_push(outbuf, pdata+18, vname, -1, STR_UNICODE); >+ len = srvstr_push(outbuf, pdata+18, vname, max_data_bytes - 18, STR_UNICODE); > SIVAL(pdata,12,len); > data_len = 18+len; > >@@ -3589,7 +3589,7 @@ > if(!mangle_is_8_3(short_name, True, conn->params)) { > mangle_map(short_name,True,True,conn->params); > } >- len = srvstr_push(outbuf, pdata+4, short_name, -1, STR_UNICODE); >+ len = srvstr_push(outbuf, pdata+4, short_name, max_data_bytes - 4, STR_UNICODE); > data_size = 4 + len; > SIVAL(pdata,0,len); > break; >@@ -3599,7 +3599,7 @@ > /* > this must be *exactly* right for ACLs on mapped drives to work > */ >- len = srvstr_push(outbuf, pdata+4, dos_fname, -1, STR_UNICODE); >+ len = srvstr_push(outbuf, pdata+4, dos_fname, max_data_bytes - 4, STR_UNICODE); > DEBUG(10,("call_trans2qfilepathinfo: SMB_QUERY_FILE_NAME_INFO\n")); > data_size = 4 + len; > SIVAL(pdata,0,len); >@@ -3640,7 +3640,7 @@ > pdata += 24; > SIVAL(pdata,0,ea_size); > pdata += 4; /* EA info */ >- len = srvstr_push(outbuf, pdata+4, dos_fname, -1, STR_UNICODE); >+ len = srvstr_push(outbuf, pdata+4, dos_fname, max_data_bytes - (pdata+4 - *ppdata), STR_UNICODE); > SIVAL(pdata,0,len); > pdata += 4 + len; > data_size = PTR_DIFF(pdata,(*ppdata)); >@@ -3802,7 +3802,7 @@ > if (len == -1) > return(UNIXERROR(ERRDOS,ERRnoaccess)); > buffer[len] = 0; >- len = srvstr_push(outbuf, pdata, buffer, -1, STR_TERMINATE); >+ len = srvstr_push(outbuf, pdata, buffer, max_data_bytes, STR_TERMINATE); > pdata += len; > data_size = PTR_DIFF(pdata,(*ppdata)); >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=2976">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 5087
:
2974
|
2975
| 2976