The Samba-Bugzilla – Attachment 9792 Details for
Bug 10422
max xmit > 64kb leads in segmentation fault
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patches for v4-1-test
tmp41.diff (text/plain), 23.35 KB, created by
Stefan Metzmacher
on 2014-03-20 15:25:26 UTC
(
hide
)
Description:
Patches for v4-1-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2014-03-20 15:25:26 UTC
Size:
23.35 KB
patch
obsolete
>From 1bbff2413bbfe95dabf6c992ffdaa5dfbc03dec8 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 19 Feb 2014 13:54:44 +0100 >Subject: [PATCH 01/17] s3:utils/smbfilter: use a local variable for the > packet buffer > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 3667a2eee388915fca2b894ae37375eeed46e941) >--- > source3/utils/smbfilter.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/utils/smbfilter.c b/source3/utils/smbfilter.c >index 33f1a90..734971b 100644 >--- a/source3/utils/smbfilter.c >+++ b/source3/utils/smbfilter.c >@@ -35,7 +35,6 @@ > #define CLI_CAPABILITY_SET 0 > > static char *netbiosname; >-static char packet[BUFFER_SIZE]; > > static void save_file(const char *fname, void *ppacket, size_t length) > { >@@ -178,6 +177,7 @@ static void filter_child(int c, struct sockaddr_storage *dest_ss) > { > NTSTATUS status; > int s = -1; >+ uint8_t packet[128*1024]; > > /* we have a connection from a new client, now connect to the server */ > status = open_socket_out(dest_ss, TCP_SMB_PORT, LONG_CONNECT_TIMEOUT, &s); >-- >1.7.9.5 > > >From 36d0ea1da35f7ebebbd63ae9c61dcfc598989853 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 19 Feb 2014 13:56:06 +0100 >Subject: [PATCH 02/17] s3:torture: use CLI_BUFFER_SIZE instead of BUFFER_SIZE > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 05e821b220328b88dd9eece919b8adee3e4281ac) >--- > source3/torture/torture.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/torture/torture.c b/source3/torture/torture.c >index b7badc6..197f71f 100644 >--- a/source3/torture/torture.c >+++ b/source3/torture/torture.c >@@ -3087,7 +3087,7 @@ static bool run_randomipc(int dummy) > > cli_api(cli, > param, param_len, 8, >- NULL, 0, BUFFER_SIZE, >+ NULL, 0, CLI_BUFFER_SIZE, > &rparam, &rprcnt, > &rdata, &rdrcnt); > if (i % 100 == 0) { >-- >1.7.9.5 > > >From fe178e2c22a8e13cbe76f23513426b8744c075b6 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 19 Feb 2014 13:57:28 +0100 >Subject: [PATCH 03/17] s3:client: only limit the buffer by the given length > 'n' > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit f0f245f4c8b1a506e8d06c72d3d6680b95738714) >--- > source3/client/client.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/client/client.c b/source3/client/client.c >index afa5847..b4a3031 100644 >--- a/source3/client/client.c >+++ b/source3/client/client.c >@@ -232,7 +232,7 @@ static int readfile(uint8_t *b, int n, XFILE *f) > return x_fread(b,1,n,f); > > i = 0; >- while (i < (n - 1) && (i < BUFFER_SIZE)) { >+ while (i < (n - 1)) { > if ((c = x_getc(f)) == EOF) { > break; > } >-- >1.7.9.5 > > >From f2ceb1975f9eedb7ac57b874f5508a1c30fb22a3 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 19 Feb 2014 13:59:07 +0100 >Subject: [PATCH 04/17] s3:param: avoid using BUFFER_SIZE to limit the > lp_min_receive_file_size() > >There's really no reason to add such limit. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 74f8c3568a5dcdee108a0526cefac9d282361044) >--- > source3/param/loadparm.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c >index b9945ac..a339a1d 100644 >--- a/source3/param/loadparm.c >+++ b/source3/param/loadparm.c >@@ -5467,7 +5467,7 @@ int lp_min_receive_file_size(void) > if (Globals.iminreceivefile < 0) { > return 0; > } >- return MIN(Globals.iminreceivefile, BUFFER_SIZE); >+ return Globals.iminreceivefile; > } > > /******************************************************************* >-- >1.7.9.5 > > >From dc7d5c5cb52788dafdb5ac0b4d0f987d74a1e2be Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 6 Dec 2013 13:28:35 +0100 >Subject: [PATCH 05/17] libcli/smb: add SMB_BUFFER_SIZE_MIN/MAX defines > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=10422 >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 900839e2216048a614f2f0aeb1f79092fc93334f) >--- > libcli/smb/smb_constants.h | 8 ++++++++ > 1 file changed, 8 insertions(+) > >diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h >index 8a3ef72..175ffaf 100644 >--- a/libcli/smb/smb_constants.h >+++ b/libcli/smb/smb_constants.h >@@ -208,6 +208,14 @@ enum smb_signing_setting { > #define NEGOTIATE_SECURITY_SIGNATURES_ENABLED 0x04 > #define NEGOTIATE_SECURITY_SIGNATURES_REQUIRED 0x08 > >+/* >+ * The negotiated buffer size for non LARGE_READX/WRITEX >+ * should be limited to uint16_t and has to be at least >+ * 500, which is the default for MinClientBufferSize on Windows. >+ */ >+#define SMB_BUFFER_SIZE_MIN 500 >+#define SMB_BUFFER_SIZE_MAX 65535 >+ > /* Capabilities. see ftp.microsoft.com/developr/drg/cifs/cifs/cifs4.txt */ > > #define CAP_RAW_MODE 0x00000001 >-- >1.7.9.5 > > >From 007a46e314439a2443023de74e490cb196769712 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 6 Dec 2013 13:57:15 +0100 >Subject: [PATCH 06/17] s3:include: let CLI_BUFFER_SIZE be an alias of > SMB_BUFFER_SIZE_MAX > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=10422 >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 7f3faa1f1837870195352253fe220e0677565d9e) >--- > source3/include/client.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/include/client.h b/source3/include/client.h >index 6c20843..3f92d6d 100644 >--- a/source3/include/client.h >+++ b/source3/include/client.h >@@ -22,7 +22,7 @@ > #ifndef _CLIENT_H > #define _CLIENT_H > >-#define CLI_BUFFER_SIZE (0xFFFF) >+#define CLI_BUFFER_SIZE SMB_BUFFER_SIZE_MAX > > /* default client timeout to 20 seconds on most commands */ > #define CLIENT_TIMEOUT (20 * 1000) >-- >1.7.9.5 > > >From 6966c885ec1432e897cbc98171bf00abf1227434 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 6 Dec 2013 13:45:35 +0100 >Subject: [PATCH 07/17] s3:smbd: use SMB_BUFFER_SIZE_MIN/MAX to limit > lp_max_xmit() > >The current limit of 128*1024 causes problems as the value has to be ><= UINT16_MAX otherwise some clients get confused, as they want to >use the MaxBufferSize value from the negprot response (uint32_t) >for the MaxBufferSize value in thet session setup request (uint16_t). >E.g. Windows 7 (as client) sends MaxBufferSize = 0 if the server value >is > UINT16_MAX. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=10422 >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit a349b0bef9085fd139640ec92399bc63d8029cb9) >--- > source3/smbd/process.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > >diff --git a/source3/smbd/process.c b/source3/smbd/process.c >index 48dbfa1..02a219e 100644 >--- a/source3/smbd/process.c >+++ b/source3/smbd/process.c >@@ -3367,6 +3367,7 @@ void smbd_process(struct tevent_context *ev_ctx, > const char *remaddr = NULL; > char *rhost; > int ret; >+ int tmp; > > conn = talloc_zero(ev_ctx, struct smbXsrv_connection); > if (conn == NULL) { >@@ -3655,7 +3656,11 @@ void smbd_process(struct tevent_context *ev_ctx, > > sconn->nbt.got_session = false; > >- sconn->smb1.negprot.max_recv = MIN(lp_max_xmit(),BUFFER_SIZE); >+ tmp = lp_max_xmit(); >+ tmp = MAX(tmp, SMB_BUFFER_SIZE_MIN); >+ tmp = MIN(tmp, SMB_BUFFER_SIZE_MAX); >+ >+ sconn->smb1.negprot.max_recv = tmp; > > sconn->smb1.sessions.done_sesssetup = false; > sconn->smb1.sessions.max_send = BUFFER_SIZE; >-- >1.7.9.5 > > >From c5efb3847fec7b58e9e7e1a11f13641ecdcd2422 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 6 Dec 2013 13:50:49 +0100 >Subject: [PATCH 08/17] s3:smbd: use sconn->smb1.sessions.max_send = > SMB_BUFFER_SIZE_MAX > >SMB_BUFFER_SIZE_MAX is UINT16_MAX and the largest value a client >can possibly specify in the session setup request. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=10422 >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 5cd5c1613996ecebdcd632e932957947f4c27308) >--- > source3/smbd/process.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/smbd/process.c b/source3/smbd/process.c >index 02a219e..50c41ea 100644 >--- a/source3/smbd/process.c >+++ b/source3/smbd/process.c >@@ -3663,7 +3663,7 @@ void smbd_process(struct tevent_context *ev_ctx, > sconn->smb1.negprot.max_recv = tmp; > > sconn->smb1.sessions.done_sesssetup = false; >- sconn->smb1.sessions.max_send = BUFFER_SIZE; >+ sconn->smb1.sessions.max_send = SMB_BUFFER_SIZE_MAX; > > if (!init_dptrs(sconn)) { > exit_server("init_dptrs() failed"); >-- >1.7.9.5 > > >From a69a68b25ebb1b0aec2b8912186967c8a9a670da Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 6 Dec 2013 13:52:09 +0100 >Subject: [PATCH 09/17] s3:smbd: reject a MaxBufferSize < SMB_BUFFER_SIZE_MIN > (500) in a session setup request > >This makes sure sconn->smb1.sessions.max_send is always >= SMB_BUFFER_SIZE_MIN. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=10422 >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit cce1eaea91088efd742891befdaafade0c1fdce6) >--- > source3/smbd/sesssetup.c | 19 +++++++++++++------ > 1 file changed, 13 insertions(+), 6 deletions(-) > >diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c >index 4728759..5128328 100644 >--- a/source3/smbd/sesssetup.c >+++ b/source3/smbd/sesssetup.c >@@ -379,10 +379,13 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) > } > > if (!sconn->smb1.sessions.done_sesssetup) { >- sconn->smb1.sessions.max_send = >- MIN(sconn->smb1.sessions.max_send,smb_bufsize); >+ if (smb_bufsize < SMB_BUFFER_SIZE_MIN) { >+ reply_force_doserror(req, ERRSRV, ERRerror); >+ return; >+ } >+ sconn->smb1.sessions.max_send = smb_bufsize; >+ sconn->smb1.sessions.done_sesssetup = true; > } >- sconn->smb1.sessions.done_sesssetup = true; > > /* current_user_info is changed on new vuid */ > reload_services(sconn, conn_snum_used, true); >@@ -1084,10 +1087,14 @@ void reply_sesssetup_and_X(struct smb_request *req) > req->vuid = sess_vuid; > > if (!sconn->smb1.sessions.done_sesssetup) { >- sconn->smb1.sessions.max_send = >- MIN(sconn->smb1.sessions.max_send,smb_bufsize); >+ if (smb_bufsize < SMB_BUFFER_SIZE_MIN) { >+ reply_force_doserror(req, ERRSRV, ERRerror); >+ END_PROFILE(SMBsesssetupX); >+ return; >+ } >+ sconn->smb1.sessions.max_send = smb_bufsize; >+ sconn->smb1.sessions.done_sesssetup = true; > } >- sconn->smb1.sessions.done_sesssetup = true; > > END_PROFILE(SMBsesssetupX); > } >-- >1.7.9.5 > > >From 330f6c4b9c13977c41bfaaf5fe96e5ce1d08c8f5 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 6 Dec 2013 13:53:45 +0100 >Subject: [PATCH 10/17] s3:smbd: take less than SMB_BUFFER_SIZE_MIN ('500') as > header overhead in ipc.c > >We're now sure that sconn->smb1.sessions.max_send is >= SMB_BUFFER_SIZE_MIN. >in order to garantee some progress we need to make sure our assumed >header overhead is less than SMB_BUFFER_SIZE_MIN. > >Assuming 372 bytes for the SMBtrans headers should still be more than >enough. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=10422 >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 2ec49cf57c88735be962b0681b487df5efe7ed6b) >--- > source3/smbd/ipc.c | 10 ++++++---- > 1 file changed, 6 insertions(+), 4 deletions(-) > >diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c >index 91d5047..dbb259c 100644 >--- a/source3/smbd/ipc.c >+++ b/source3/smbd/ipc.c >@@ -109,12 +109,14 @@ void send_trans_reply(connection_struct *conn, > int lparam = rparam ? rparam_len : 0; > struct smbd_server_connection *sconn = req->sconn; > int max_send = sconn->smb1.sessions.max_send; >+ /* HACK: make sure we send at least 128 byte in one go */ >+ int hdr_overhead = SMB_BUFFER_SIZE_MIN - 128; > > if (buffer_too_large) > DEBUG(5,("send_trans_reply: buffer %d too large\n", ldata )); > >- this_lparam = MIN(lparam,max_send - 500); /* hack */ >- this_ldata = MIN(ldata,max_send - (500+this_lparam)); >+ this_lparam = MIN(lparam,max_send - hdr_overhead); >+ this_ldata = MIN(ldata,max_send - (hdr_overhead+this_lparam)); > > align = ((this_lparam)%4); > >@@ -163,9 +165,9 @@ void send_trans_reply(connection_struct *conn, > while (tot_data_sent < ldata || tot_param_sent < lparam) > { > this_lparam = MIN(lparam-tot_param_sent, >- max_send - 500); /* hack */ >+ max_send - hdr_overhead); > this_ldata = MIN(ldata -tot_data_sent, >- max_send - (500+this_lparam)); >+ max_send - (hdr_overhead+this_lparam)); > > if(this_lparam < 0) > this_lparam = 0; >-- >1.7.9.5 > > >From 077136406ea43e8f9688613d2810fcb898735c0f Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 4 Mar 2014 14:07:26 +0100 >Subject: [PATCH 11/17] s3:smbd: fix lockread numtoread calculation to match > reply_outbuf() arguments. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 3dac00b568613f5a1322883237e40b98ddd1d71d) >--- > source3/smbd/reply.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c >index 6b926fb..35d42e8 100644 >--- a/source3/smbd/reply.c >+++ b/source3/smbd/reply.c >@@ -3500,7 +3500,7 @@ void reply_lockread(struct smb_request *req) > numtoread = SVAL(req->vwv+1, 0); > startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0); > >- numtoread = MIN(BUFFER_SIZE - (smb_size + 3*2 + 3), numtoread); >+ numtoread = MIN(BUFFER_SIZE - (smb_size + 5*2 + 3), numtoread); > > reply_outbuf(req, 5, numtoread + 3); > >-- >1.7.9.5 > > >From ade554398c705df366e76ee9e499718bcc00e93d Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 4 Mar 2014 14:07:26 +0100 >Subject: [PATCH 12/17] s3:smbd: pass the final numtoread reply_outbuf() for > the lockread reply. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit b86f90611820bcf7826bd1de3c7b05488a8f1b0e) >--- > source3/smbd/reply.c | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) > >diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c >index 35d42e8..0ed5b51 100644 >--- a/source3/smbd/reply.c >+++ b/source3/smbd/reply.c >@@ -3502,10 +3502,6 @@ void reply_lockread(struct smb_request *req) > > numtoread = MIN(BUFFER_SIZE - (smb_size + 5*2 + 3), numtoread); > >- reply_outbuf(req, 5, numtoread + 3); >- >- data = smb_buf(req->outbuf) + 3; >- > /* > * NB. Discovered by Menny Hamburger at Mainsoft. This is a core+ > * protocol request that predates the read/write lock concept. >@@ -3544,6 +3540,11 @@ Returning short read of maximum allowed for compatibility with Windows 2000.\n", > (unsigned int)sconn->smb1.negprot.max_recv)); > numtoread = MIN(numtoread, sconn->smb1.negprot.max_recv); > } >+ >+ reply_outbuf(req, 5, numtoread + 3); >+ >+ data = smb_buf(req->outbuf) + 3; >+ > nread = read_file(fsp,data,startpos,numtoread); > > if (nread < 0) { >-- >1.7.9.5 > > >From b89ef8ab373be097ea309bbbf75e1e031204e32f Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 4 Mar 2014 14:07:26 +0100 >Subject: [PATCH 13/17] s3:smbd: fix the lockread numtoread calculation > depending on the max_send. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit f69be2c28e097c66907df264794706006fe0ae7f) >--- > source3/smbd/reply.c | 18 +++++++++--------- > 1 file changed, 9 insertions(+), 9 deletions(-) > >diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c >index 0ed5b51..602eb16 100644 >--- a/source3/smbd/reply.c >+++ b/source3/smbd/reply.c >@@ -3470,6 +3470,7 @@ void reply_lockread(struct smb_request *req) > char *data; > off_t startpos; > size_t numtoread; >+ size_t maxtoread; > NTSTATUS status; > files_struct *fsp; > struct byte_range_lock *br_lck = NULL; >@@ -3500,14 +3501,12 @@ void reply_lockread(struct smb_request *req) > numtoread = SVAL(req->vwv+1, 0); > startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0); > >- numtoread = MIN(BUFFER_SIZE - (smb_size + 5*2 + 3), numtoread); >- > /* > * NB. Discovered by Menny Hamburger at Mainsoft. This is a core+ > * protocol request that predates the read/write lock concept. > * Thus instead of asking for a read lock here we need to ask > * for a write lock. JRA. >- * Note that the requested lock size is unaffected by max_recv. >+ * Note that the requested lock size is unaffected by max_send. > */ > > br_lck = do_lock(req->sconn->msg_ctx, >@@ -3530,15 +3529,16 @@ void reply_lockread(struct smb_request *req) > } > > /* >- * However the requested READ size IS affected by max_recv. Insanity.... JRA. >+ * However the requested READ size IS affected by max_send. Insanity.... JRA. > */ >+ maxtoread = sconn->smb1.sessions.max_send - (smb_size + 5*2 + 3); > >- if (numtoread > sconn->smb1.negprot.max_recv) { >- DEBUG(0,("reply_lockread: requested read size (%u) is greater than maximum allowed (%u). \ >+ if (numtoread > maxtoread) { >+ DEBUG(0,("reply_lockread: requested read size (%u) is greater than maximum allowed (%u/%u). \ > Returning short read of maximum allowed for compatibility with Windows 2000.\n", >- (unsigned int)numtoread, >- (unsigned int)sconn->smb1.negprot.max_recv)); >- numtoread = MIN(numtoread, sconn->smb1.negprot.max_recv); >+ (unsigned int)numtoread, (unsigned int)maxtoread, >+ (unsigned int)sconn->smb1.sessions.max_send)); >+ numtoread = maxtoread; > } > > reply_outbuf(req, 5, numtoread + 3); >-- >1.7.9.5 > > >From 62135f8463a08dcb320d3648d01fd02c38786162 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 4 Mar 2014 14:07:26 +0100 >Subject: [PATCH 14/17] s3:smbd: fix the read numtoread calculation depending > on the max_send. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 8b746f5a2137b74e28bce5370f5aa9d4bcdac6c2) >--- > source3/smbd/reply.c | 18 +++++++++--------- > 1 file changed, 9 insertions(+), 9 deletions(-) > >diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c >index 602eb16..5b4c20d 100644 >--- a/source3/smbd/reply.c >+++ b/source3/smbd/reply.c >@@ -3579,10 +3579,10 @@ void reply_read(struct smb_request *req) > { > connection_struct *conn = req->conn; > size_t numtoread; >+ size_t maxtoread; > ssize_t nread = 0; > char *data; > off_t startpos; >- int outsize = 0; > files_struct *fsp; > struct lock_struct lock; > struct smbd_server_connection *sconn = req->sconn; >@@ -3611,17 +3611,17 @@ void reply_read(struct smb_request *req) > numtoread = SVAL(req->vwv+1, 0); > startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0); > >- numtoread = MIN(BUFFER_SIZE-outsize,numtoread); >- > /* >- * The requested read size cannot be greater than max_recv. JRA. >+ * The requested read size cannot be greater than max_send. JRA. > */ >- if (numtoread > sconn->smb1.negprot.max_recv) { >- DEBUG(0,("reply_read: requested read size (%u) is greater than maximum allowed (%u). \ >+ maxtoread = sconn->smb1.sessions.max_send - (smb_size + 5*2 + 3); >+ >+ if (numtoread > maxtoread) { >+ DEBUG(0,("reply_read: requested read size (%u) is greater than maximum allowed (%u/%u). \ > Returning short read of maximum allowed for compatibility with Windows 2000.\n", >- (unsigned int)numtoread, >- (unsigned int)sconn->smb1.negprot.max_recv)); >- numtoread = MIN(numtoread, sconn->smb1.negprot.max_recv); >+ (unsigned int)numtoread, (unsigned int)maxtoread, >+ (unsigned int)sconn->smb1.sessions.max_send)); >+ numtoread = maxtoread; > } > > reply_outbuf(req, 5, numtoread+3); >-- >1.7.9.5 > > >From 1baad40437cf2e7e389430ba160277582335c7af Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 5 Mar 2014 14:00:40 +0100 >Subject: [PATCH 15/17] s3:smbd: simplify maxentries calculation in > reply_search() > >Using helper variables make it much easier to understand. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 734e1b65044a33eba01b41695502c2257c1a4d9e) >--- > source3/smbd/reply.c | 9 ++++----- > 1 file changed, 4 insertions(+), 5 deletions(-) > >diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c >index 5b4c20d..7555417 100644 >--- a/source3/smbd/reply.c >+++ b/source3/smbd/reply.c >@@ -1698,11 +1698,10 @@ void reply_search(struct smb_request *req) > } > } else { > unsigned int i; >- maxentries = MIN( >- maxentries, >- ((BUFFER_SIZE - >- ((uint8 *)smb_buf(req->outbuf) + 3 - req->outbuf)) >- /DIR_STRUCT_SIZE)); >+ size_t hdr_size = ((uint8_t *)smb_buf(req->outbuf) + 3 - req->outbuf); >+ size_t available_space = BUFFER_SIZE - hdr_size; >+ >+ maxentries = MIN(maxentries, available_space/DIR_STRUCT_SIZE); > > DEBUG(8,("dirpath=<%s> dontdescend=<%s>\n", > directory,lp_dontdescend(ctx, SNUM(conn)))); >-- >1.7.9.5 > > >From 26c7b1061ad983c69e93944f4e3a6348ad3ea4fa Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 5 Mar 2014 14:03:42 +0100 >Subject: [PATCH 16/17] s3:smbd: fix the maxentries calculation depending on > the max_send. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit c899d4fd9c5a337ab82acdf11866df50fb0629e0) >--- > source3/smbd/reply.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c >index 7555417..055efd3 100644 >--- a/source3/smbd/reply.c >+++ b/source3/smbd/reply.c >@@ -1699,7 +1699,7 @@ void reply_search(struct smb_request *req) > } else { > unsigned int i; > size_t hdr_size = ((uint8_t *)smb_buf(req->outbuf) + 3 - req->outbuf); >- size_t available_space = BUFFER_SIZE - hdr_size; >+ size_t available_space = sconn->smb1.sessions.max_send - hdr_size; > > maxentries = MIN(maxentries, available_space/DIR_STRUCT_SIZE); > >-- >1.7.9.5 > > >From 56f3fe64bd327aacecf5a92ac4357d0e04ff429e Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 6 Dec 2013 13:56:12 +0100 >Subject: [PATCH 17/17] s3:smbd: s/BUFFER_SIZE/LARGE_WRITEX_BUFFER_SIZE > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=10422 >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> > >Autobuild-User(master): Jeremy Allison <jra@samba.org> >Autobuild-Date(master): Wed Mar 5 22:53:34 CET 2014 on sn-devel-104 >(cherry picked from commit 032621d5bf842e60dc9cd1cd0d3acc90482462a6) >--- > source3/include/smb.h | 4 +--- > source3/smbd/process.c | 2 +- > 2 files changed, 2 insertions(+), 4 deletions(-) > >diff --git a/source3/include/smb.h b/source3/include/smb.h >index 64ea568..7ff997e 100644 >--- a/source3/include/smb.h >+++ b/source3/include/smb.h >@@ -32,11 +32,9 @@ > /* logged when starting the various Samba daemons */ > #define COPYRIGHT_STARTUP_MESSAGE "Copyright Andrew Tridgell and the Samba Team 1992-2013" > >- >-#define BUFFER_SIZE (128*1024) >- > #define SAFETY_MARGIN 1024 > #define LARGE_WRITEX_HDR_SIZE 65 >+#define LARGE_WRITEX_BUFFER_SIZE (128*1024) > > #define NMB_PORT 137 > #define DGRAM_PORT 138 >diff --git a/source3/smbd/process.c b/source3/smbd/process.c >index 50c41ea..45bde2f 100644 >--- a/source3/smbd/process.c >+++ b/source3/smbd/process.c >@@ -244,7 +244,7 @@ static bool valid_packet_size(size_t len) > * of header. Don't print the error if this fits.... JRA. > */ > >- if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) { >+ if (len > (LARGE_WRITEX_BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) { > DEBUG(0,("Invalid packet length! (%lu bytes).\n", > (unsigned long)len)); > return false; >-- >1.7.9.5 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
jra
:
review+
Actions:
View
Attachments on
bug 10422
:
9673
|
9690
|
9691
|
9698
| 9792 |
9793