The branch, master has been updated via 20df0f3 s3:libsmb: verify num_setup for SMBnttrans in cli_pull_trans() via d3cb61c s3:libsmb: fix compiler warning in cli_pull_trans() via 48bcb8c s3:libsmb: only align unicode pipe_name (bug #8586) from 2642f38 s3: Fix bug 8371
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 20df0f34a8670f0dd5f3eaeb74af900f535bbe01
Author: Stefan Metzmacher <me...@samba.org>
Date: Fri Nov 18 13:20:43 2011 +0100

s3:libsmb: verify num_setup for SMBnttrans in cli_pull_trans()

metze

Autobuild-User: Stefan Metzmacher <me...@samba.org>
Autobuild-Date: Fri Nov 18 15:13:52 CET 2011 on sn-devel-104

commit d3cb61cf05485eda26280186bfa3850e2e6bcca9
Author: Stefan Metzmacher <me...@samba.org>
Date: Fri Nov 18 13:19:19 2011 +0100

s3:libsmb: fix compiler warning in cli_pull_trans()

metze

commit 48bcb8c846532ccd5489ef705182fb81c5278b04
Author: Stefan Metzmacher <me...@samba.org>
Date: Fri Nov 18 08:40:18 2011 +0100

s3:libsmb: only align unicode pipe_name (bug #8586)

metze

-----------------------------------------------------------------------

Summary of changes:
source3/libsmb/clitrans.c | 26 ++++++++++++++++++--------
1 files changed, 18 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/clitrans.c b/source3/libsmb/clitrans.c
index 4bc9f4a..5c73e2d 100644
--- a/source3/libsmb/clitrans.c
+++ b/source3/libsmb/clitrans.c
@@ -85,6 +85,7 @@ static NTSTATUS cli_pull_trans(uint8_t *inbuf,
 uint32_t *pdata_disp, uint8_t **pdata)
 {
 uint32_t param_ofs, data_ofs;
+ uint8_t expected_num_setup;

 if (expect_first_reply) {
 if ((wct != 0) || (num_bytes != 0)) {
@@ -99,6 +100,7 @@ static NTSTATUS cli_pull_trans(uint8_t *inbuf,
 if (wct < 10) {
 return NT_STATUS_INVALID_NETWORK_RESPONSE;
 }
+ expected_num_setup = wct - 10;
 *ptotal_param = SVAL(vwv + 0, 0);
 *ptotal_data = SVAL(vwv + 1, 0);
 *pnum_param = SVAL(vwv + 3, 0);
@@ -108,7 +110,7 @@ static NTSTATUS cli_pull_trans(uint8_t *inbuf,
 data_ofs = SVAL(vwv + 7, 0);
 *pdata_disp = SVAL(vwv + 8, 0);
 *pnum_setup = CVAL(vwv + 9, 0);
- if (wct < 10 + (*pnum_setup)) {
+ if (expected_num_setup < (*pnum_setup)) {
 return NT_STATUS_INVALID_NETWORK_RESPONSE;
 }
 *psetup = vwv + 10;
@@ -118,6 +120,7 @@ static NTSTATUS cli_pull_trans(uint8_t *inbuf,
 if (wct < 18) {
 return NT_STATUS_INVALID_NETWORK_RESPONSE;
 }
+ expected_num_setup = wct - 18;
 *ptotal_param = IVAL(vwv, 3);
 *ptotal_data = IVAL(vwv, 7);
 *pnum_param = IVAL(vwv, 11);
@@ -127,6 +130,9 @@ static NTSTATUS cli_pull_trans(uint8_t *inbuf,
 data_ofs = IVAL(vwv, 27);
 *pdata_disp = IVAL(vwv, 31);
 *pnum_setup = CVAL(vwv, 35);
+ if (expected_num_setup < (*pnum_setup)) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
 *psetup = vwv + 18;
 break;

@@ -209,14 +215,18 @@ static void cli_trans_format(struct cli_trans_state *state, uint8_t *pwct,

 switch (cmd) {
 case SMBtrans:
- pad[0] = 0;
- iov[0].iov_base = (void *)pad;
- iov[0].iov_len = 1;
- iov[1].iov_base = (void *)state->pipe_name_conv;
- iov[1].iov_len = state->pipe_name_conv_len;
+ if (cli_ucs2(state->cli)) {
+ pad[0] = 0;
+ iov[0].iov_base = (void *)pad;
+ iov[0].iov_len = 1;
+ param_offset += 1;
+ iov += 1;
+ }
+ iov[0].iov_base = (void *)state->pipe_name_conv;
+ iov[0].iov_len = state->pipe_name_conv_len;
 wct = 14 + state->num_setup;
- param_offset += iov[0].iov_len + iov[1].iov_len;
- iov += 2;
+ param_offset += iov[0].iov_len;
+ iov += 1;
 break;
 case SMBtrans2:
 pad[0] = 0;
-- Samba Shared Repository
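Review bot: The two new `expected_num_setup < (*pnum_setup)` checks (the SMBtrans one in this hunk and the SMBnttrans one in the @@ -127 hunk) deserve a comment saying what they bound, because the value is just the word count left after the fixed 10 or 18 header words and nothing in the hunk ties it to the `*psetup = vwv + 10` / `*psetup = vwv + 18` pointers it protects. A line such as `/* setup words follow the fixed header words; reject a reply claiming more of them than wct carries, or reads through *psetup run past vwv */` above each check would make the server-supplied nature of `*pnum_setup` and the purpose of the guard obvious to the next reader. The `wct - 10` / `wct - 18` assignments rely on the `wct < 10` and `wct < 18` early returns a few lines above them, which is fine as long as those returns stay in place. The enclosing switch and cli_pull_trans() continue outside these hunks, so the code that consumes `*psetup` is not visible here.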
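Review bot: The new `if (cli_ucs2(state->cli))` branch in the SMBtrans case should say why the pad byte is now conditional; the only hint is the bug number in the commit title. A comment such as `/* only a UCS-2 pipe name needs the pad byte to stay 2-byte aligned; an ASCII name follows the header directly */` above the branch would carry that reason into the code. Because the case now consumes either one or two iovecs and advances `param_offset` by the matching amount, whatever later turns `iov` into an element count (outside this hunk) must derive it from the advanced pointer rather than a fixed 2; presumably that is already the case, but it is worth confirming. cli_trans_format() continues past both ends of the hunk.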