The branch, v3-2-test has been updated via 2d3ff9c502105f92720131355b41e48be8d656c2 (commit) from 1c71546b6152d2930b98f766311bbd161ee0ee4e (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test - Log ----------------------------------------------------------------- commit 2d3ff9c502105f92720131355b41e48be8d656c2 Author: Jeremy Allison <[EMAIL PROTECTED]> Date: Thu Nov 1 22:24:39 2007 -0700 Be careful and take care of the correct lengths in large writeX calls. Jeremy. ----------------------------------------------------------------------- Summary of changes: source/smbd/reply.c | 16 +++++++--------- 1 files changed, 7 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/source/smbd/reply.c b/source/smbd/reply.c index d4f3f1f..c83066d 100644 --- a/source/smbd/reply.c +++ b/source/smbd/reply.c @@ -3912,7 +3912,6 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req) unsigned int smb_doff; unsigned int smblen; char *data; - bool large_writeX; NTSTATUS status; START_PROFILE(SMBwriteX); @@ -3926,12 +3925,11 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req) numtowrite = SVAL(req->inbuf,smb_vwv10); smb_doff = SVAL(req->inbuf,smb_vwv11); smblen = smb_len(req->inbuf); - large_writeX = (req->wct == 14 && - (smblen > 0xFFFF || req->unread_bytes > 0xFFFF)); - /* Deal with possible LARGE_WRITEX */ - if (large_writeX) { - numtowrite |= ((((size_t)SVAL(req->inbuf,smb_vwv9)) & 1 )<<16); + if (req->unread_bytes > 0xFFFF || + (smblen > smb_doff + 4 && + smblen - smb_doff + 4 > 0xFFFF)) { + numtowrite |= (((size_t)SVAL(req->inbuf,smb_vwv9))<<16); } if (req->unread_bytes) { @@ -3941,7 +3939,8 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req) return; } } else { - if (smb_doff > smblen || smb_doff + numtowrite > smblen) { + if (smb_doff + 4 > smblen || smb_doff + 4 + numtowrite < numtowrite || + smb_doff + 4 + numtowrite > smblen) { reply_doserror(req, ERRDOS, ERRbadmem); END_PROFILE(SMBwriteX); return; @@ -4032,8 +4031,7 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req) reply_outbuf(req, 6, 0); SSVAL(req->outbuf,smb_vwv2,nwritten); - if (large_writeX) - SSVAL(req->outbuf,smb_vwv4,(nwritten>>16)&1); + SSVAL(req->outbuf,smb_vwv4,nwritten>>16); if (nwritten < (ssize_t)numtowrite) { SCVAL(req->outbuf,smb_rcls,ERRHRD); -- Samba Shared Repository