The Samba-Bugzilla – Attachment 8766 Details for Bug 9782: Panic when running 'smbtorture smb.base'
[patch] Consolidated patch
9782.patch (text/plain), 4.88 KB, created by Volker Lendecke on 2013-04-12 08:24:02 UTC
>From 51400c9d0e4cd82cffac680eaa25ae27f0d2b3d4 Mon Sep 17 00:00:00 2001 >From: Ralph Wuerthner <ralph.wuerthner@de.ibm.com> >Date: Thu, 4 Apr 2013 12:59:36 +0200 >Subject: [PATCH 1/3] s3:smbd: do not access data behind req->buf+req->buflen > in srvstr_get_path_req_wcard() > >--- > source3/smbd/reply.c | 13 ++++++++++--- > 1 file changed, 10 insertions(+), 3 deletions(-) > >diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c >index d7b3199..65f9652 100644 >--- a/source3/smbd/reply.c >+++ b/source3/smbd/reply.c >@@ -318,9 +318,16 @@ size_t srvstr_get_path_req_wcard(TALLOC_CTX *mem_ctx, struct smb_request *req, > char **pp_dest, const char *src, int flags, > NTSTATUS *err, bool *contains_wcard) > { >- return srvstr_get_path_wcard(mem_ctx, (const char *)req->inbuf, req->flags2, >- pp_dest, src, smbreq_bufrem(req, src), >- flags, err, contains_wcard); >+ ssize_t bufrem = smbreq_bufrem(req, src); >+ >+ if (bufrem < 0) { >+ *err = NT_STATUS_INVALID_PARAMETER; >+ return 0; >+ } >+ >+ return srvstr_get_path_wcard(mem_ctx, (const char *)req->inbuf, >+ req->flags2, pp_dest, src, bufrem, flags, >+ err, contains_wcard); > } > > size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req, >-- >1.7.9.5 > > >From 12b0f423469dd7e282012ba798117f83c17a76d9 Mon Sep 17 00:00:00 2001 >From: Ralph Wuerthner <ralph.wuerthner@de.ibm.com> >Date: Thu, 4 Apr 2013 13:24:36 +0200 >Subject: [PATCH 2/3] s3:smbd: convert srvstr_pull_req_talloc() into a > function > >--- > source3/include/srvstr.h | 9 --------- > source3/smbd/proto.h | 2 ++ > source3/smbd/reply.c | 11 +++++++++++ > 3 files changed, 13 insertions(+), 9 deletions(-) > >diff --git a/source3/include/srvstr.h b/source3/include/srvstr.h >index 7e7d8a2..2c6e7ef 100644 >--- a/source3/include/srvstr.h >+++ b/source3/include/srvstr.h 
>@@ -19,12 +19,3 @@ > > #define srvstr_pull_talloc(ctx, base_ptr, smb_flags2, dest, src, src_len, flags) \ > pull_string_talloc(ctx, base_ptr, smb_flags2, dest, src, src_len, flags) >- >-/* pull a string from the smb_buf part of a packet. In this case the >- string can either be null terminated or it can be terminated by the >- end of the smbbuf area >-*/ >- >-#define srvstr_pull_req_talloc(ctx, req_, dest, src, flags) \ >- pull_string_talloc(ctx, req_->inbuf, req_->flags2, dest, src, \ >- smbreq_bufrem(req_, src), flags) >diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h >index 35ae8a2..319e20e 100644 >--- a/source3/smbd/proto.h >+++ b/source3/smbd/proto.h >@@ -826,6 +826,8 @@ size_t srvstr_get_path_req_wcard(TALLOC_CTX *mem_ctx, struct smb_request *req, > size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req, > char **pp_dest, const char *src, int flags, > NTSTATUS *err); >+size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req, >+ char **dest, const char *src, int flags); > bool check_fsp_open(connection_struct *conn, struct smb_request *req, > files_struct *fsp); > bool check_fsp(connection_struct *conn, struct smb_request *req, >diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c >index 65f9652..3717f36 100644 >--- a/source3/smbd/reply.c >+++ b/source3/smbd/reply.c 
>@@ -339,6 +339,17 @@ size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req, > flags, err, &ignore); > } > >+/* pull a string from the smb_buf part of a packet. In this case the >+ string can either be null terminated or it can be terminated by the >+ end of the smbbuf area >+*/ >+size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req, >+ char **dest, const char *src, int flags) >+{ >+ return pull_string_talloc(ctx, req->inbuf, req->flags2, dest, src, >+ smbreq_bufrem(req, src), flags); >+} >+ > /**************************************************************************** > Check if we have a correct fsp pointing to a file. Basic check for open fsp. > ****************************************************************************/ >-- >1.7.9.5 > > >From 3ec22f9a2e1b9cdb04badb059a7296caaefd2e9b Mon Sep 17 00:00:00 2001 >From: Ralph Wuerthner <ralph.wuerthner@de.ibm.com> >Date: Thu, 4 Apr 2013 13:29:01 +0200 >Subject: [PATCH 3/3] s3:smbd: do not access data behind req->buf+req->buflen > in srvstr_pull_req_talloc() > >--- > source3/smbd/reply.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > >diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c >index 3717f36..c815a5a 100644 >--- a/source3/smbd/reply.c >+++ b/source3/smbd/reply.c >@@ -346,8 +346,14 @@ size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req, > size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req, > char **dest, const char *src, int flags) > { >+ ssize_t bufrem = smbreq_bufrem(req, src); >+ >+ if (bufrem < 0) { >+ return 0; >+ } >+ > return pull_string_talloc(ctx, req->inbuf, req->flags2, dest, src, >- smbreq_bufrem(req, src), flags); >+ bufrem, flags); > } > > /**************************************************************************** >-- >1.7.9.5 >
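Review bot: In the [PATCH 1/3] hunk for srvstr_get_path_req_wcard(), the new `bufrem < 0` branch sets *err and returns 0 but never writes *pp_dest or *contains_wcard, so a caller that looks at either before checking the status sees whatever value was there before the call. Suggest adding `*pp_dest = NULL;` and `*contains_wcard = false;` ahead of the `return 0;`. A one-line comment stating that a negative remainder means src points outside the request buffer would also help, since the commit message has no body beyond the subject line.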
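Review bot: In the [PATCH 2/3] reply.c hunk, the comment carried over from the macro describes how the string is terminated but not what the size_t return value of srvstr_pull_req_talloc() means or what *dest holds when nothing could be pulled. Now that this is a real function with a prototype in proto.h, the comment should document both, ideally in the same banner style as the "Check if we have a correct fsp" comment that follows it.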
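Review bot: In the [PATCH 3/3] hunk, the `bufrem < 0` branch of srvstr_pull_req_talloc() returns 0 without touching *dest, and unlike srvstr_get_path_req_wcard() in 1/3 there is no NTSTATUS out-parameter, so the 0 return is the caller's only signal and *dest may be used unset. Suggest `*dest = NULL;` before `return 0;` so callers that test the pointer fail cleanly. Both this check and the one in 1/3 also rely on smbreq_bufrem() yielding a signed value that survives assignment to ssize_t, which is worth stating in a comment next to the check.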
Flags: ambi: review+, vl: review+