The branch, master has been updated via b35a27b Ensure we can never integer wrap when working on client-supplied max_data_bytes. from 852c9ac There are tests all over the SMB1 code to check that srv_send_smb fails, but it never returns false.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit b35a27b77954992fc1e6db446bbfa6cfbb7547a1 Author: Jeremy Allison <j...@samba.org> Date: Fri Aug 2 17:05:58 2013 -0700 Ensure we can never integer wrap when working on client-supplied max_data_bytes. This would only be possible with SMB2, and is already checked in the upper SMB2 layers, but it really doesn't hurt to have these extra checks at time of use also. Signed-off-by: Jeremy Allison <j...@samba.org> Reviewed-by: David Disseldorp <dd...@samba.org> Autobuild-User(master): David Disseldorp <dd...@samba.org> Autobuild-Date(master): Sun Aug 4 16:54:04 CEST 2013 on sn-devel-104 ----------------------------------------------------------------------- Summary of changes: source3/smbd/trans2.c | 22 ++++++++++++++++++++++ 1 files changed, 22 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index a216f15..f769104 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c @@ -2564,6 +2564,11 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd } } + if (max_data_bytes + DIR_ENTRY_SAFETY_MARGIN < max_data_bytes) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + goto out; + } + *ppdata = (char *)SMB_REALLOC( *ppdata, max_data_bytes + DIR_ENTRY_SAFETY_MARGIN); if(*ppdata == NULL ) { @@ -2893,6 +2898,11 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd } } + if (max_data_bytes + DIR_ENTRY_SAFETY_MARGIN < max_data_bytes) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + return; + } + *ppdata = (char *)SMB_REALLOC( *ppdata, max_data_bytes + DIR_ENTRY_SAFETY_MARGIN); if(*ppdata == NULL) { @@ -3150,6 +3160,10 @@ NTSTATUS smbd_do_qfsinfo(connection_struct *conn, st = smb_fname.st; + if (max_data_bytes + DIR_ENTRY_SAFETY_MARGIN < max_data_bytes) { + return NT_STATUS_INVALID_PARAMETER; + } + *ppdata = (char *)SMB_REALLOC( *ppdata, max_data_bytes + DIR_ENTRY_SAFETY_MARGIN); if (*ppdata == NULL) { @@ -4368,6 +4382,10 @@ static void call_trans2qpipeinfo(connection_struct *conn, } params = *pparams; SSVAL(params,0,0); + if (max_data_bytes + DIR_ENTRY_SAFETY_MARGIN < max_data_bytes) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + return; + } data_size = max_data_bytes + DIR_ENTRY_SAFETY_MARGIN; *ppdata = (char *)SMB_REALLOC(*ppdata, data_size); if (*ppdata == NULL ) { @@ -4449,6 +4467,10 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn, nlink -= 1; } + if (max_data_bytes + DIR_ENTRY_SAFETY_MARGIN < max_data_bytes) { + return NT_STATUS_INVALID_PARAMETER; + } + data_size = max_data_bytes + DIR_ENTRY_SAFETY_MARGIN; *ppdata = (char *)SMB_REALLOC(*ppdata, data_size); if (*ppdata == NULL) { -- Samba Shared Repository