The Samba-Bugzilla – Attachment 5773 Details for
Bug 7501
SMB2: CREATE request replies getting mangled.
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Proposed patch.
look3 (text/plain), 3.14 KB, created by
Jeremy Allison
on 2010-06-08 16:57:04 UTC
(
hide
)
Description:
Proposed patch.
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2010-06-08 16:57:04 UTC
Size:
3.14 KB
patch
obsolete
>diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c >index 009cc77..2ae9b1d 100644 >--- a/source3/smbd/smb2_server.c >+++ b/source3/smbd/smb2_server.c >@@ -529,8 +529,8 @@ static struct smbd_smb2_request *dup_smb2_req(const struct smbd_smb2_request *re > memcpy(newreq->out.nbt_hdr, req->out.nbt_hdr, 4); > > for (i = 1; i < count; i += 3) { >- /* i + 0 and i + 1 are always >- * boilerplate. */ >+ /* i + 0 is always boilerplate and must >+ * be allocated with size OUTVEC_ALLOC_SIZE. */ > outvec[i].iov_base = talloc_memdup(outvec, > req->out.vector[i].iov_base, > OUTVEC_ALLOC_SIZE); >@@ -539,19 +539,14 @@ static struct smbd_smb2_request *dup_smb2_req(const struct smbd_smb2_request *re > } > outvec[i].iov_len = SMB2_HDR_BODY; > >- outvec[i+1].iov_base = ((uint8_t *)outvec[i].iov_base) + >- SMB2_HDR_BODY; >- outvec[i+1].iov_len = 8; >+ /* i + 1 may have been realloc'ed and may have a length != 8 >+ * so use dup_smb2_vec(). */ > >- if (req->out.vector[i+2].iov_base == >- ((uint8_t *)req->out.vector[i].iov_base) + >- (OUTVEC_ALLOC_SIZE - 1) && >- req->out.vector[i+2].iov_len == 1) { >- /* Common SMB2 error packet case. */ >- outvec[i+2].iov_base = ((uint8_t *)outvec[i].iov_base) + >- (OUTVEC_ALLOC_SIZE - 1); >- outvec[i+2].iov_len = 1; >- } else if (!dup_smb2_vec(outvec, req->out.vector, i+2)) { >+ if (!dup_smb2_vec(outvec, req->out.vector, i+1)) { >+ break; >+ } >+ >+ if (!dup_smb2_vec(outvec, req->out.vector, i+2)) { > break; > } > } >@@ -821,10 +816,17 @@ NTSTATUS smbd_smb2_request_pending_queue(struct smbd_smb2_request *req, > if (!outvec) { > return NT_STATUS_NO_MEMORY; > } >+ >+ /* 0 is always boilerplate and must >+ * be of size 4 for the length field. */ >+ > outvec[0].iov_base = req->out.nbt_hdr; > outvec[0].iov_len = 4; > SIVAL(req->out.nbt_hdr, 0, 0); > >+ /* i + 0 is always boilerplate and must >+ * be allocated with size OUTVEC_ALLOC_SIZE. */ >+ > outvec[1].iov_base = talloc_memdup(outvec, > req->out.vector[i].iov_base, > OUTVEC_ALLOC_SIZE); >@@ -833,9 +835,34 @@ NTSTATUS smbd_smb2_request_pending_queue(struct smbd_smb2_request *req, > } > outvec[1].iov_len = SMB2_HDR_BODY; > >- outvec[2].iov_base = ((uint8_t *)outvec[1].iov_base) + >- SMB2_HDR_BODY; >- outvec[2].iov_len = 8; >+ /* >+ * If this is a "standard" i+1 vec of length 8, >+ * pointing to req->out.vector[i].iov_base + SMB2_HDR_BODY, >+ * then duplicate this. Else use talloc_memdup(). >+ */ >+ >+ if (req->out.vector[i+1].iov_len == 8 && >+ req->out.vector[i+1].iov_base == >+ ((uint8_t *)req->out.vector[i].iov_base) + >+ SMB2_HDR_BODY) { >+ outvec[2].iov_base = ((uint8_t *)outvec[1].iov_base) + >+ SMB2_HDR_BODY; >+ outvec[2].iov_len = 8; >+ } else { >+ outvec[2].iov_base = talloc_memdup(outvec, >+ req->out.vector[i+1].iov_base, >+ req->out.vector[i+1].iov_len); >+ if (!outvec[2].iov_base) { >+ return NT_STATUS_NO_MEMORY; >+ } >+ outvec[2].iov_len = req->out.vector[i+1].iov_len; >+ } >+ >+ /* >+ * If this is a "standard" i+2 vec of length 1, >+ * pointing to req->out.vector[i].iov_base + (OUTVEC_ALLOC_SIZE - 1) >+ * then duplicate this. Else use talloc_memdup(). >+ */ > > if (req->out.vector[i+2].iov_base && > req->out.vector[i+2].iov_len) {
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 7501
:
5771
|
5772
|
5773
|
5774