The Samba-Bugzilla – Attachment 8281 Details for Bug 9460: Samba 3.6.x and Master respond incorrectly to FILE_STREAM_INFO requests
[patch] git-am fix for master, 4.0.0, and 3.6.x.
0001-Fix-bug-9460-Samba-3.6.x-and-Master-respond-incorrec.patch (text/plain), 2.20 KB, created by Jeremy Allison on 2012-12-05 01:23:36 UTC
>From f2fc77eec0058960273a15a8723eafa617cec771 Mon Sep 17 00:00:00 2001 >From: Richard Sharpe <realrichardsharpe@gmail.com> >Date: Tue, 4 Dec 2012 17:21:29 -0800 >Subject: [PATCH] Fix bug #9460 - Samba 3.6.x and Master respond incorrectly > to FILE_STREAM_INFO requests. > >Ensure we check the buffer size correctly. >--- > source3/smbd/trans2.c | 23 ++++++++++++++++++++++- > 1 files changed, 22 insertions(+), 1 deletions(-) > >diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c >index 61d755c..9c77f4d 100644 >--- a/source3/smbd/trans2.c >+++ b/source3/smbd/trans2.c >@@ -4159,7 +4159,7 @@ static NTSTATUS marshall_stream_info(unsigned int num_streams, > unsigned int i; > unsigned int ofs = 0; > >- for (i = 0; i < num_streams && ofs <= max_data_bytes; i++) { >+ for (i = 0; i < num_streams; i++) { > unsigned int next_offset; > size_t namelen; > smb_ucs2_t *namebuf; >@@ -4178,6 +4178,16 @@ static NTSTATUS marshall_stream_info(unsigned int num_streams, > > namelen -= 2; > >+ /* >+ * We cannot overflow ... >+ */ >+ if ((ofs + 24 + namelen) > max_data_bytes) { >+ DEBUG(10, ("refusing to overflow reply at stream %u\n", >+ i)); >+ TALLOC_FREE(namebuf); >+ return STATUS_BUFFER_OVERFLOW; >+ } >+ > SIVAL(data, ofs+4, namelen); > SOFF_T(data, ofs+8, streams[i].size); > SOFF_T(data, ofs+16, streams[i].alloc_size); >@@ -4192,6 +4202,14 @@ static NTSTATUS marshall_stream_info(unsigned int num_streams, > else { > unsigned int align = ndr_align_size(next_offset, 8); > >+ if ((next_offset + align) > max_data_bytes) { >+ DEBUG(10, ("refusing to overflow align " >+ "reply at stream %u\n", >+ i)); >+ TALLOC_FREE(namebuf); >+ return STATUS_BUFFER_OVERFLOW; >+ } >+ > memset(data+next_offset, 0, align); > next_offset += align; > >@@ -4202,6 +4220,8 @@ static NTSTATUS marshall_stream_info(unsigned int num_streams, > ofs = next_offset; > } > >+ DEBUG(10, ("max_data: %u, data_size: %u\n", max_data_bytes, ofs)); >+ > *data_size = ofs; > > return NT_STATUS_OK; 
>@@ -4801,6 +4821,7 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn, > if (!NT_STATUS_IS_OK(status)) { > DEBUG(10, ("marshall_stream_info failed: %s\n", > nt_errstr(status))); >+ TALLOC_FREE(streams); > return status; > } > >-- >1.7.7.3 >
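Review bot: In the @@ -4178 hunk of marshall_stream_info, the new bound `(ofs + 24 + namelen) > max_data_bytes` sums an unsigned int, a literal and a size_t before comparing, so the check is only as good as that sum not wrapping. Comparing namelen against the space remaining after ofs and the fixed part would avoid relying on that. The literal 24 also deserves a name or a comment: the context lines write fixed fields at ofs+4, ofs+8 and ofs+16, but the "We cannot overflow ..." comment does not say what the 24 covers.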
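Review bot: In the @@ -4192 hunk, the alignment check repeats the same cleanup and return as the name-length check (`TALLOC_FREE(namebuf);` followed by `return STATUS_BUFFER_OVERFLOW;`), and both early returns skip the `*data_size = ofs;` assignment that only runs after the loop. A single exit path would keep the two cases in sync, and the function should either set *data_size on failure or document that callers must not read it when the return is not OK.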
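Review bot: The `TALLOC_FREE(streams);` added in the @@ -4801 hunk of smbd_do_qfilepathinfo is a separate leak fix on the error path, and the commit message ("Ensure we check the buffer size correctly.") does not mention it; please note it there. Since this path returns status for anything that is not NT_STATUS_IS_OK, the new STATUS_BUFFER_OVERFLOW from marshall_stream_info is propagated as a failure with no marshalled stream data, which is worth confirming as intended and stating in a comment.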
Flags: rsharpe: review+