Author: jra Date: 2007-04-03 04:52:09 +0000 (Tue, 03 Apr 2007) New Revision: 22050
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=22050 Log: Fix a couple of off-by-one errors in the rap call patch. Jerry, this works now for displaying shares on Win9x (and hopefully everything else as well :-). Jeremy. Modified: branches/SAMBA_3_0/source/lib/util.c branches/SAMBA_3_0/source/smbd/lanman.c branches/SAMBA_3_0_25/source/lib/util.c branches/SAMBA_3_0_25/source/smbd/lanman.c Changeset: Modified: branches/SAMBA_3_0/source/lib/util.c =================================================================== --- branches/SAMBA_3_0/source/lib/util.c 2007-04-02 23:07:06 UTC (rev 22049) +++ branches/SAMBA_3_0/source/lib/util.c 2007-04-03 04:52:09 UTC (rev 22050) @@ -3127,6 +3127,8 @@ /**************************************************************** Check if an offset into a buffer is safe. + If this returns True it's safe to indirect into the byte at + pointer ptr+off. ****************************************************************/ BOOL is_offset_safe(const char *buf_base, size_t buf_len, char *ptr, size_t off) @@ -3180,10 +3182,14 @@ int get_safe_SVAL(const char *buf_base, size_t buf_len, char *ptr, size_t off, int failval) { - if (!is_offset_safe(buf_base, buf_len, ptr, off+2)) { + /* + * Note we use off+1 here, not off+2 as SVAL accesses ptr[0] and ptr[1], + * NOT ptr[2]. + */ + if (!is_offset_safe(buf_base, buf_len, ptr, off+1)) { return failval; } - return SVAL(ptr,0); + return SVAL(ptr,off); } /**************************************************************** 
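Review bot: In get_safe_SVAL (lib/util.c, hunk at -3180) the bound is computed as `off+1` in size_t with no wrap check, and the read now uses `off` instead of 0. If `off` is the maximum size_t value, `off+1` wraps to 0, the check is made against `ptr+0`, and `SVAL(ptr,off)` then reads outside the buffer. Whether is_offset_safe rejects this itself cannot be seen here, since its body is outside the hunk, and the callers visible in this diff pass only small constants. A guard before the check would make the helper safe on its own: `if (off+1 < off) { return failval; }`. The same applies to `off+3` in get_safe_IVAL and to both copies under branches/SAMBA_3_0_25.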
@@ -3192,8 +3198,12 @@ int get_safe_IVAL(const char *buf_base, size_t buf_len, char *ptr, size_t off, int failval) { - if (!is_offset_safe(buf_base, buf_len, ptr, off+4)) { + /* + * Note we use off+3 here, not off+4 as IVAL accesses + * ptr[0] ptr[1] ptr[2] ptr[3] NOT ptr[4]. + */ + if (!is_offset_safe(buf_base, buf_len, ptr, off+3)) { return failval; } - return IVAL(ptr,0); + return IVAL(ptr,off); } Modified: branches/SAMBA_3_0/source/smbd/lanman.c =================================================================== --- branches/SAMBA_3_0/source/smbd/lanman.c 2007-04-02 23:07:06 UTC (rev 22049) +++ branches/SAMBA_3_0/source/smbd/lanman.c 2007-04-03 04:52:09 UTC (rev 22050) @@ -2365,7 +2365,11 @@ memset(pass1,'\0',sizeof(pass1)); memset(pass2,'\0',sizeof(pass2)); - if (!is_offset_safe(param,tpscnt,p,32)) { + /* + * We use 31 here not 32 as we're checking + * the last byte we want to access is safe. + */ + if (!is_offset_safe(param,tpscnt,p,31)) { return False; } memcpy(pass1,p,16); @@ -2537,7 +2541,11 @@ if (!str1 || !str2 || !p) { return False; } - if (!is_offset_safe(param,tpscnt,p,2)) { + /* + * We use 1 here not 2 as we're checking + * the last byte we want to access is safe. + */ + if (!is_offset_safe(param,tpscnt,p,1)) { return False; } if(!rap_to_pjobid(SVAL(p,0), sharename, &jobid)) @@ -2701,7 +2709,11 @@ if (!str1 || !str2 || !p) { return False; } - if (!is_offset_safe(param,tpscnt,p,2)) { + /* + * We use 1 here not 2 as we're checking + * the last byte we want to access is safe. + */ + if (!is_offset_safe(param,tpscnt,p,1)) { return False; } if(!rap_to_pjobid(SVAL(p,0), sharename, &jobid)) Modified: branches/SAMBA_3_0_25/source/lib/util.c =================================================================== --- branches/SAMBA_3_0_25/source/lib/util.c 2007-04-02 23:07:06 UTC (rev 22049) +++ branches/SAMBA_3_0_25/source/lib/util.c 2007-04-03 04:52:09 UTC (rev 22050) 
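Review bot: get_safe_IVAL (lib/util.c, hunk at -3192) returns the 32-bit `IVAL(ptr,off)` result through the same `int` that carries `failval`. Where int is 32 bits, every possible failval is also a value a successful read can produce, so callers cannot reliably tell a rejected offset from data. The function's header comment lies outside this hunk, but it is the natural place to record this, e.g. `failval is returned in-band; callers must pass a value that is invalid for the field being read`. get_safe_SVAL does not share the problem, because a 16-bit read can never equal a negative failval. The branches/SAMBA_3_0_25 copy is identical.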
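Review bot: The literal `31` in `is_offset_safe(param,tpscnt,p,31)` (smbd/lanman.c, hunk at -2365) does not say which reads it covers. The new comment explains the last-byte convention but not where the number comes from. Only `memcpy(pass1,p,16)` is visible here; presumably a second 16-byte copy from `p+16` follows outside the hunk. Tying the bound to those reads keeps the check correct if either copy length changes: `is_offset_safe(param,tpscnt,p,16+16-1)` with `/* pass1 = p[0..15], pass2 = p[16..31] */`. The enclosing function starts and ends outside the hunk, and the branches/SAMBA_3_0_25 copy is identical.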
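Review bot: In smbd/lanman.c (hunk at -2537) the manual `is_offset_safe(param,tpscnt,p,1)` followed by a separate `SVAL(p,0)` duplicates what get_safe_SVAL, fixed in this same commit, already does. Keeping the bound and the read in two places is the pattern that produced the off-by-one being corrected here. Since SVAL yields 0..65535, a negative failval is unambiguous: `int rap_jobid = get_safe_SVAL(param,tpscnt,p,0,-1);` then `if (rap_jobid == -1) { return False; }` and pass `rap_jobid` to rap_to_pjobid. The same applies to the hunk at -2701 and to both corresponding hunks under branches/SAMBA_3_0_25. The enclosing functions start and end outside these hunks.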
@@ -3115,6 +3115,8 @@ /**************************************************************** Check if an offset into a buffer is safe. + If this returns True it's safe to indirect into the byte at + pointer ptr+off. ****************************************************************/ BOOL is_offset_safe(const char *buf_base, size_t buf_len, char *ptr, size_t off) @@ -3168,10 +3170,14 @@ int get_safe_SVAL(const char *buf_base, size_t buf_len, char *ptr, size_t off, int failval) { - if (!is_offset_safe(buf_base, buf_len, ptr, off+2)) { + /* + * Note we use off+1 here, not off+2 as SVAL accesses ptr[0] and ptr[1], + * NOT ptr[2]. + */ + if (!is_offset_safe(buf_base, buf_len, ptr, off+1)) { return failval; } - return SVAL(ptr,0); + return SVAL(ptr,off); } /**************************************************************** @@ -3180,8 +3186,12 @@ int get_safe_IVAL(const char *buf_base, size_t buf_len, char *ptr, size_t off, int failval) { - if (!is_offset_safe(buf_base, buf_len, ptr, off+4)) { + /* + * Note we use off+3 here, not off+4 as IVAL accesses + * ptr[0] ptr[1] ptr[2] ptr[3] NOT ptr[4]. + */ + if (!is_offset_safe(buf_base, buf_len, ptr, off+3)) { return failval; } - return IVAL(ptr,0); + return IVAL(ptr,off); } Modified: branches/SAMBA_3_0_25/source/smbd/lanman.c =================================================================== --- branches/SAMBA_3_0_25/source/smbd/lanman.c 2007-04-02 23:07:06 UTC (rev 22049) +++ branches/SAMBA_3_0_25/source/smbd/lanman.c 2007-04-03 04:52:09 UTC (rev 22050) @@ -2364,7 +2364,11 @@ memset(pass1,'\0',sizeof(pass1)); memset(pass2,'\0',sizeof(pass2)); - if (!is_offset_safe(param,tpscnt,p,32)) { + /* + * We use 31 here not 32 as we're checking + * the last byte we want to access is safe. + */ + if (!is_offset_safe(param,tpscnt,p,31)) { return False; } memcpy(pass1,p,16); 
@@ -2536,7 +2540,11 @@ if (!str1 || !str2 || !p) { return False; } - if (!is_offset_safe(param,tpscnt,p,2)) { + /* + * We use 1 here not 2 as we're checking + * the last byte we want to access is safe. + */ + if (!is_offset_safe(param,tpscnt,p,1)) { return False; } if(!rap_to_pjobid(SVAL(p,0), sharename, &jobid)) @@ -2700,7 +2708,11 @@ if (!str1 || !str2 || !p) { return False; } - if (!is_offset_safe(param,tpscnt,p,2)) { + /* + * We use 1 here not 2 as we're checking + * the last byte we want to access is safe. + */ + if (!is_offset_safe(param,tpscnt,p,1)) { return False; } if(!rap_to_pjobid(SVAL(p,0), sharename, &jobid))