The branch, master has been updated
via b35a27b Ensure we can never integer wrap when working on
client-supplied max_data_bytes.
from 852c9ac There are tests all over the SMB1 code to check that
srv_send_smb fails, but it never returns false.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit b35a27b77954992fc1e6db446bbfa6cfbb7547a1
Author: Jeremy Allison <j...@samba.org>
Date: Fri Aug 2 17:05:58 2013 -0700
Ensure we can never integer wrap when working on client-supplied
max_data_bytes.
This would only be possible with SMB2, and is already checked in the upper
SMB2 layers, but it really doesn't hurt to have these extra checks at time
of use also.
Signed-off-by: Jeremy Allison <j...@samba.org>
Reviewed-by: David Disseldorp <dd...@samba.org>
Autobuild-User(master): David Disseldorp <dd...@samba.org>
Autobuild-Date(master): Sun Aug 4 16:54:04 CEST 2013 on sn-devel-104
-----------------------------------------------------------------------
Summary of changes:
source3/smbd/trans2.c | 22 ++++++++++++++++++++++
1 files changed, 22 insertions(+), 0 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index a216f15..f769104 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -2564,6 +2564,11 @@ total_data=%u (should be %u)\n", (unsigned
int)total_data, (unsigned int)IVAL(pd
}
}
+ if (max_data_bytes + DIR_ENTRY_SAFETY_MARGIN < max_data_bytes) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ goto out;
+ }
+
*ppdata = (char *)SMB_REALLOC(
*ppdata, max_data_bytes + DIR_ENTRY_SAFETY_MARGIN);
if(*ppdata == NULL ) {
@@ -2893,6 +2898,11 @@ total_data=%u (should be %u)\n", (unsigned
int)total_data, (unsigned int)IVAL(pd
}
}
+ if (max_data_bytes + DIR_ENTRY_SAFETY_MARGIN < max_data_bytes) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
*ppdata = (char *)SMB_REALLOC(
*ppdata, max_data_bytes + DIR_ENTRY_SAFETY_MARGIN);
if(*ppdata == NULL) {
@@ -3150,6 +3160,10 @@ NTSTATUS smbd_do_qfsinfo(connection_struct *conn,
st = smb_fname.st;
+ if (max_data_bytes + DIR_ENTRY_SAFETY_MARGIN < max_data_bytes) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
*ppdata = (char *)SMB_REALLOC(
*ppdata, max_data_bytes + DIR_ENTRY_SAFETY_MARGIN);
if (*ppdata == NULL) {
@@ -4368,6 +4382,10 @@ static void call_trans2qpipeinfo(connection_struct *conn,
}
params = *pparams;
SSVAL(params,0,0);
+ if (max_data_bytes + DIR_ENTRY_SAFETY_MARGIN < max_data_bytes) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
data_size = max_data_bytes + DIR_ENTRY_SAFETY_MARGIN;
*ppdata = (char *)SMB_REALLOC(*ppdata, data_size);
if (*ppdata == NULL ) {
@@ -4449,6 +4467,10 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn,
nlink -= 1;
}
+ if (max_data_bytes + DIR_ENTRY_SAFETY_MARGIN < max_data_bytes) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
data_size = max_data_bytes + DIR_ENTRY_SAFETY_MARGIN;
*ppdata = (char *)SMB_REALLOC(*ppdata, data_size);
if (*ppdata == NULL) {
--
Samba Shared Repository
