The Samba-Bugzilla – Attachment 6774 Details for Bug 8360: smbd fails on access pattern of OS/2 client
[patch] Patch for master
0001-s3-Fix-bug-8360.patch (text/plain), 1.92 KB, created by Volker Lendecke on 2011-08-11 14:54:48 UTC
>From 004f29226dbbcfd55dc44958b6dae61468a4de7b Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Thu, 11 Aug 2011 16:52:22 +0200 >Subject: [PATCH] s3: Fix bug 8360 > >OS/2 sends an unexpected write&x/read&x chain >--- > source3/smbd/process.c | 23 ++++++++++++++++------- > 1 files changed, 16 insertions(+), 7 deletions(-) > >diff --git a/source3/smbd/process.c b/source3/smbd/process.c >index 9f66190..a60d77e 100644 >--- a/source3/smbd/process.c >+++ b/source3/smbd/process.c >@@ -2026,15 +2026,24 @@ void chain_reply(struct smb_request *req) > SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, smblen); > > /* >- * Check if the client tries to fool us. The request so far uses the >- * space to the end of the byte buffer in the request just >- * processed. The chain_offset can't point into that area. If that was >- * the case, we could end up with an endless processing of the chain, >- * we would always handle the same request. >+ * Check if the client tries to fool us. The chain offset >+ * needs to point beyond the current request in the chain, it >+ * needs to strictly grow. Otherwise we might be tricked into >+ * an endless loop always processing the same request over and >+ * over again. We used to assume that vwv and the byte buffer >+ * array in a chain are always attached, but OS/2 the >+ * Write&X/Read&X chain puts the Read&X vwv array right behind >+ * the Write&X vwv chain. The Write&X bcc array is put behind >+ * the Read&X vwv array. So now we check whether the chain >+ * offset points strictly behind the previous vwv >+ * array. req->buf points right after the vwv array of the >+ * previous request. See >+ * https://bugzilla.samba.org/show_bug.cgi?id=8360 for more >+ * information. > */ > >- already_used = PTR_DIFF(req->buf+req->buflen, smb_base(req->inbuf)); >- if (chain_offset < already_used) { >+ already_used = PTR_DIFF(req->buf, smb_base(req->inbuf)); >+ if (chain_offset <= already_used) { > goto error; > } > >-- >1.7.4.1 >
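Review bot: In the chain_reply() hunk of source3/smbd/process.c, `if (chain_offset <= already_used)` enforces only a lower bound, and with already_used now taken from req->buf instead of req->buf+req->buflen it accepts chain offsets that land inside the byte buffer of the request just processed. The offset still has to grow strictly, so the endless-loop argument in the comment holds, but the comment should state outright that overlap with the previous byte buffer is now allowed, and it should point to where the next request's wct, vwv and bcc are bounds-checked against smblen, since that check is not visible in this hunk. The comment also says the offset must point "strictly behind the previous vwv array" and that req->buf "points right after the vwv array", yet `<=` rejects chain_offset == already_used; please say why equality is invalid so the comment and the comparison agree. Two wording fixes in the comment: "but OS/2 the Write&X/Read&X chain puts" is missing words, and "Write&X vwv chain" presumably means "Write&X vwv array".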
Flags: jra: review+