Attachment 5773 Details for Bug 7501 – Proposed patch.

[patch] Proposed patch.

look3 (text/plain), 3.14 KB, created by Jeremy Allison on 2010-06-08 16:57:04 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jeremy Allison

Created: 2010-06-08 16:57:04 UTC

Size: 3.14 KB

patch

obsolete

>diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
>index 009cc77..2ae9b1d 100644
>--- a/source3/smbd/smb2_server.c
>+++ b/source3/smbd/smb2_server.c
>@@ -529,8 +529,8 @@ static struct smbd_smb2_request *dup_smb2_req(const struct smbd_smb2_request *re
> 	memcpy(newreq->out.nbt_hdr, req->out.nbt_hdr, 4);
> 
> 	for (i = 1; i < count; i += 3) {
>-		/* i + 0 and i + 1 are always
>-		 * boilerplate. */
>+		/* i + 0 is always boilerplate and must
>+		 * be allocated with size OUTVEC_ALLOC_SIZE. */
> 		outvec[i].iov_base = talloc_memdup(outvec,
> 						req->out.vector[i].iov_base,
> 						OUTVEC_ALLOC_SIZE);
>@@ -539,19 +539,14 @@ static struct smbd_smb2_request *dup_smb2_req(const struct smbd_smb2_request *re
> 		}
> 		outvec[i].iov_len = SMB2_HDR_BODY;
> 
>-		outvec[i+1].iov_base = ((uint8_t *)outvec[i].iov_base) +
>-						SMB2_HDR_BODY;
>-		outvec[i+1].iov_len = 8;
>+		/* i + 1 may have been realloc'ed and may have a length !=  8
>+		 * so use dup_smb2_vec(). */
> 
>-		if (req->out.vector[i+2].iov_base ==
>-				((uint8_t *)req->out.vector[i].iov_base) +
>-					(OUTVEC_ALLOC_SIZE - 1) &&
>-				req->out.vector[i+2].iov_len == 1) {
>-			/* Common SMB2 error packet case. */
>-			outvec[i+2].iov_base = ((uint8_t *)outvec[i].iov_base) +
>-				(OUTVEC_ALLOC_SIZE - 1);
>-			outvec[i+2].iov_len = 1;
>-		} else if (!dup_smb2_vec(outvec, req->out.vector, i+2)) {
>+		if (!dup_smb2_vec(outvec, req->out.vector, i+1)) {
>+			break;
>+		}
>+
>+		if (!dup_smb2_vec(outvec, req->out.vector, i+2)) {
> 			break;
> 		}
> 	}
>@@ -821,10 +816,17 @@ NTSTATUS smbd_smb2_request_pending_queue(struct smbd_smb2_request *req,
> 	if (!outvec) {
> 		return NT_STATUS_NO_MEMORY;
> 	}
>+
>+	/* 0 is always boilerplate and must
>+	 * be of size 4 for the length field. */
>+
> 	outvec[0].iov_base = req->out.nbt_hdr;
> 	outvec[0].iov_len = 4;
> 	SIVAL(req->out.nbt_hdr, 0, 0);
> 
>+	/* i + 0 is always boilerplate and must
>+	 * be allocated with size OUTVEC_ALLOC_SIZE. */
>+
> 	outvec[1].iov_base = talloc_memdup(outvec,
> 				req->out.vector[i].iov_base,
> 				OUTVEC_ALLOC_SIZE);
>@@ -833,9 +835,34 @@ NTSTATUS smbd_smb2_request_pending_queue(struct smbd_smb2_request *req,
> 	}
> 	outvec[1].iov_len = SMB2_HDR_BODY;
> 
>-	outvec[2].iov_base = ((uint8_t *)outvec[1].iov_base) +
>-				SMB2_HDR_BODY;
>-	outvec[2].iov_len = 8;
>+	/*
>+	 * If this is a "standard" i+1 vec of length 8,
>+	 * pointing to req->out.vector[i].iov_base + SMB2_HDR_BODY,
>+	 * then duplicate this. Else use talloc_memdup().
>+	 */
>+
>+	if (req->out.vector[i+1].iov_len == 8 &&
>+			req->out.vector[i+1].iov_base ==
>+				((uint8_t *)req->out.vector[i].iov_base) +
>+					SMB2_HDR_BODY) {
>+		outvec[2].iov_base = ((uint8_t *)outvec[1].iov_base) +
>+					SMB2_HDR_BODY;
>+		outvec[2].iov_len = 8;
>+	} else {
>+		outvec[2].iov_base = talloc_memdup(outvec,
>+				req->out.vector[i+1].iov_base,
>+				req->out.vector[i+1].iov_len);
>+		if (!outvec[2].iov_base) {
>+			return NT_STATUS_NO_MEMORY;
>+		}
>+		outvec[2].iov_len = req->out.vector[i+1].iov_len;
>+	}
>+
>+	/*
>+	 * If this is a "standard" i+2 vec of length 1,
>+	 * pointing to req->out.vector[i].iov_base + (OUTVEC_ALLOC_SIZE - 1)
>+	 * then duplicate this. Else use talloc_memdup().
>+	 */
> 
> 	if (req->out.vector[i+2].iov_base &&
> 			req->out.vector[i+2].iov_len) {

Actions: View

Attachments on bug 7501: 5771 | 5772 | 5773 | 5774