sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-04 17:47:26 +03:00
Code

Rewrite the wrap checks to deal with gcc 4.x optimisations.

Browse Source 
Karolin, please pull once Volker has reviewed. Thanks.
Jeremy.
This commit is contained in:
Jeremy Allison 2008-04-07 21:11:16 -07:00
parent a4e3bc2bad
commit 09852899ca
3 changed files with 142 additions and 101 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
source/smbd/ipc.c
View File

@ -498,7 +498,8 @@ void reply_trans(struct smb_request *req)
unsigned int pscnt;
struct trans_state *state;
NTSTATUS result;
int size;
unsigned int size;
unsigned int av_size;
START_PROFILE(SMBtrans);
@ -509,6 +510,7 @@ void reply_trans(struct smb_request *req)
}
size = smb_len(req->inbuf) + 4;
av_size = smb_len(req->inbuf);
dsoff = SVAL(req->inbuf, smb_dsoff);
dscnt = SVAL(req->inbuf, smb_dscnt);
psoff = SVAL(req->inbuf, smb_psoff);
@ -567,12 +569,17 @@ void reply_trans(struct smb_request *req)
}
/* null-terminate the slack space */
memset(&state->data[state->total_data], 0, 100);
if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
if (dscnt > state->total_data ||
dsoff+dscnt < dsoff) {
goto bad_param;
if ((smb_base(req->inbuf)+dsoff+dscnt
> (char *)req->inbuf + size) ||
(smb_base(req->inbuf)+dsoff+dscnt < smb_base(req->inbuf)))
}
if (dsoff > av_size ||
dscnt > av_size ||
dsoff+dscnt > av_size) {
goto bad_param;
}
memcpy(state->data,smb_base(req->inbuf)+dsoff,dscnt);
}
@ -592,12 +599,17 @@ void reply_trans(struct smb_request *req)
}
/* null-terminate the slack space */
memset(&state->param[state->total_param], 0, 100);
if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
if (pscnt > state->total_param ||
psoff+pscnt < psoff) {
goto bad_param;
if ((smb_base(req->inbuf)+psoff+pscnt
> (char *)req->inbuf + size) ||
(smb_base(req->inbuf)+psoff+pscnt < smb_base(req->inbuf)))
}
if (psoff > av_size ||
pscnt > av_size ||
psoff+pscnt > av_size) {
goto bad_param;
}
memcpy(state->param,smb_base(req->inbuf)+psoff,pscnt);
}
@ -675,7 +687,7 @@ void reply_transs(struct smb_request *req)
connection_struct *conn = req->conn;
unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp;
struct trans_state *state;
int size;
unsigned int av_size;
START_PROFILE(SMBtranss);
@ -708,7 +720,7 @@ void reply_transs(struct smb_request *req)
if (SVAL(req->inbuf, smb_vwv1) < state->total_data)
state->total_data = SVAL(req->inbuf,smb_vwv1);
size = smb_len(req->inbuf) + 4;
av_size = smb_len(req->inbuf);
pcnt = SVAL(req->inbuf, smb_spscnt);
poff = SVAL(req->inbuf, smb_spsoff);
@ -726,38 +738,38 @@ void reply_transs(struct smb_request *req)
goto bad_param;
if (pcnt) {
if (pdisp+pcnt > state->total_param)
if (pdisp > state->total_param ||
pcnt > state->total_param ||
pdisp+pcnt > state->total_param ||
pdisp+pcnt < pdisp) {
goto bad_param;
if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
goto bad_param;
if (pdisp > state->total_param)
goto bad_param;
if ((smb_base(req->inbuf) + poff + pcnt
> (char *)req->inbuf + size) ||
(smb_base(req->inbuf) + poff + pcnt
< smb_base(req->inbuf)))
goto bad_param;
if (state->param + pdisp < state->param)
}
if (poff > av_size ||
pcnt > av_size ||
poff+pcnt > av_size ||
poff+pcnt < poff) {
goto bad_param;
}
memcpy(state->param+pdisp,smb_base(req->inbuf)+poff,
pcnt);
}
if (dcnt) {
if (ddisp+dcnt > state->total_data)
if (ddisp > state->total_data ||
dcnt > state->total_data ||
ddisp+dcnt > state->total_data ||
ddisp+dcnt < ddisp) {
goto bad_param;
if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
goto bad_param;
if (ddisp > state->total_data)
goto bad_param;
if ((smb_base(req->inbuf) + doff + dcnt
> (char *)req->inbuf + size) ||
(smb_base(req->inbuf) + doff + dcnt
< smb_base(req->inbuf)))
goto bad_param;
if (state->data + ddisp < state->data)
}
if (ddisp > av_size ||
dcnt > av_size ||
ddisp+dcnt > av_size ||
ddisp+dcnt < ddisp) {
goto bad_param;
}
memcpy(state->data+ddisp, smb_base(req->inbuf)+doff,
dcnt);

89
source/smbd/nttrans.c
View File

@ -2557,14 +2557,15 @@ static void handle_nttrans(connection_struct *conn,
void reply_nttrans(struct smb_request *req)
{
connection_struct *conn = req->conn;
uint32 pscnt;
uint32 psoff;
uint32 dscnt;
uint32 dsoff;
uint32_t pscnt;
uint32_t psoff;
uint32_t dscnt;
uint32_t dsoff;
uint16 function_code;
NTSTATUS result;
struct trans_state *state;
int size;
uint32_t size;
uint32_t av_size;
START_PROFILE(SMBnttrans);
@ -2575,6 +2576,7 @@ void reply_nttrans(struct smb_request *req)
}
size = smb_len(req->inbuf) + 4;
av_size = smb_len(req->inbuf);
pscnt = IVAL(req->inbuf,smb_nt_ParameterCount);
psoff = IVAL(req->inbuf,smb_nt_ParameterOffset);
dscnt = IVAL(req->inbuf,smb_nt_DataCount);
@ -2650,12 +2652,17 @@ void reply_nttrans(struct smb_request *req)
END_PROFILE(SMBnttrans);
return;
}
if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
if (dscnt > state->total_data ||
dsoff+dscnt < dsoff) {
goto bad_param;
if ((smb_base(req->inbuf)+dsoff+dscnt
> (char *)req->inbuf + size) ||
(smb_base(req->inbuf)+dsoff+dscnt < smb_base(req->inbuf)))
}
if (dsoff > av_size ||
dscnt > av_size ||
dsoff+dscnt > av_size) {
goto bad_param;
}
memcpy(state->data,smb_base(req->inbuf)+dsoff,dscnt);
}
@ -2672,12 +2679,17 @@ void reply_nttrans(struct smb_request *req)
END_PROFILE(SMBnttrans);
return;
}
if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
if (pscnt > state->total_param ||
psoff+pscnt < psoff) {
goto bad_param;
if ((smb_base(req->inbuf)+psoff+pscnt
> (char *)req->inbuf + size) ||
(smb_base(req->inbuf)+psoff+pscnt < smb_base(req->inbuf)))
}
if (psoff > av_size ||
pscnt > av_size ||
psoff+pscnt > av_size) {
goto bad_param;
}
memcpy(state->param,smb_base(req->inbuf)+psoff,pscnt);
}
@ -2749,10 +2761,10 @@ void reply_nttrans(struct smb_request *req)
void reply_nttranss(struct smb_request *req)
{
connection_struct *conn = req->conn;
unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp;
uint32_t pcnt,poff,dcnt,doff,pdisp,ddisp;
struct trans_state *state;
int size;
uint32_t av_size;
uint32_t size;
START_PROFILE(SMBnttranss);
@ -2789,6 +2801,7 @@ void reply_nttranss(struct smb_request *req)
}
size = smb_len(req->inbuf) + 4;
av_size = smb_len(req->inbuf);
pcnt = IVAL(req->inbuf,smb_nts_ParameterCount);
poff = IVAL(req->inbuf, smb_nts_ParameterOffset);
@ -2806,38 +2819,38 @@ void reply_nttranss(struct smb_request *req)
goto bad_param;
if (pcnt) {
if (pdisp+pcnt > state->total_param)
if (pdisp > state->total_param ||
pcnt > state->total_param ||
pdisp+pcnt > state->total_param ||
pdisp+pcnt < pdisp) {
goto bad_param;
if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
goto bad_param;
if (pdisp > state->total_param)
goto bad_param;
if ((smb_base(req->inbuf) + poff + pcnt
> (char *)req->inbuf + size) ||
(smb_base(req->inbuf) + poff + pcnt
< smb_base(req->inbuf)))
goto bad_param;
if (state->param + pdisp < state->param)
}
if (poff > av_size ||
pcnt > av_size ||
poff+pcnt > av_size ||
poff+pcnt < poff) {
goto bad_param;
}
memcpy(state->param+pdisp, smb_base(req->inbuf)+poff,
pcnt);
}
if (dcnt) {
if (ddisp+dcnt > state->total_data)
if (ddisp > state->total_data ||
dcnt > state->total_data ||
ddisp+dcnt > state->total_data ||
ddisp+dcnt < ddisp) {
goto bad_param;
if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
goto bad_param;
if (ddisp > state->total_data)
goto bad_param;
if ((smb_base(req->inbuf) + doff + dcnt
> (char *)req->inbuf + size) ||
(smb_base(req->inbuf) + doff + dcnt
< smb_base(req->inbuf)))
goto bad_param;
if (state->data + ddisp < state->data)
}
if (ddisp > av_size ||
dcnt > av_size ||
ddisp+dcnt > av_size ||
ddisp+dcnt < ddisp) {
goto bad_param;
}
memcpy(state->data+ddisp, smb_base(req->inbuf)+doff,
dcnt);

76
source/smbd/trans2.c
View File

@ -7468,7 +7468,8 @@ void reply_trans2(struct smb_request *req)
unsigned int psoff;
unsigned int pscnt;
unsigned int tran_call;
int size;
unsigned int size;
unsigned int av_size;
struct trans_state *state;
NTSTATUS result;
@ -7486,6 +7487,7 @@ void reply_trans2(struct smb_request *req)
pscnt = SVAL(req->inbuf, smb_pscnt);
tran_call = SVAL(req->inbuf, smb_setup0);
size = smb_len(req->inbuf) + 4;
av_size = smb_len(req->inbuf);
result = allow_new_trans(conn->pending_trans, req->mid);
if (!NT_STATUS_IS_OK(result)) {
@ -7578,12 +7580,17 @@ void reply_trans2(struct smb_request *req)
END_PROFILE(SMBtrans2);
return;
}
if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
if (dscnt > state->total_data ||
dsoff+dscnt < dsoff) {
goto bad_param;
if ((smb_base(req->inbuf)+dsoff+dscnt
> (char *)req->inbuf + size) ||
(smb_base(req->inbuf)+dsoff+dscnt < smb_base(req->inbuf)))
}
if (dsoff > av_size ||
dscnt > av_size ||
dsoff+dscnt > av_size) {
goto bad_param;
}
memcpy(state->data,smb_base(req->inbuf)+dsoff,dscnt);
}
@ -7601,12 +7608,17 @@ void reply_trans2(struct smb_request *req)
END_PROFILE(SMBtrans2);
return;
}
if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
if (pscnt > state->total_param ||
psoff+pscnt < psoff) {
goto bad_param;
if ((smb_base(req->inbuf)+psoff+pscnt
> (char *)req->inbuf + size) ||
(smb_base(req->inbuf)+psoff+pscnt < smb_base(req->inbuf)))
}
if (psoff > av_size ||
pscnt > av_size ||
psoff+pscnt > av_size) {
goto bad_param;
}
memcpy(state->param,smb_base(req->inbuf)+psoff,pscnt);
}
@ -7655,7 +7667,8 @@ void reply_transs2(struct smb_request *req)
connection_struct *conn = req->conn;
unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp;
struct trans_state *state;
int size;
unsigned int size;
unsigned int av_size;
START_PROFILE(SMBtranss2);
@ -7668,6 +7681,7 @@ void reply_transs2(struct smb_request *req)
}
size = smb_len(req->inbuf)+4;
av_size = smb_len(req->inbuf);
for (state = conn->pending_trans; state != NULL;
state = state->next) {
@ -7706,36 +7720,38 @@ void reply_transs2(struct smb_request *req)
goto bad_param;
if (pcnt) {
if (pdisp+pcnt > state->total_param)
if (pdisp > state->total_param ||
pcnt > state->total_param ||
pdisp+pcnt > state->total_param ||
pdisp+pcnt < pdisp) {
goto bad_param;
if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
goto bad_param;
if (pdisp > state->total_param)
goto bad_param;
if ((smb_base(req->inbuf) + poff + pcnt
> (char *)req->inbuf + size) ||
(smb_base(req->inbuf) + poff + pcnt < smb_base(req->inbuf)))
goto bad_param;
if (state->param + pdisp < state->param)
}
if (poff > av_size ||
pcnt > av_size ||
poff+pcnt > av_size ||
poff+pcnt < poff) {
goto bad_param;
}
memcpy(state->param+pdisp,smb_base(req->inbuf)+poff,
pcnt);
}
if (dcnt) {
if (ddisp+dcnt > state->total_data)
if (ddisp > state->total_data ||
dcnt > state->total_data ||
ddisp+dcnt > state->total_data ||
ddisp+dcnt < ddisp) {
goto bad_param;
if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
goto bad_param;
if (ddisp > state->total_data)
goto bad_param;
if ((smb_base(req->inbuf) + doff + dcnt
> (char *)req->inbuf + size) ||
(smb_base(req->inbuf) + doff + dcnt < smb_base(req->inbuf)))
goto bad_param;
if (state->data + ddisp < state->data)
}
if (ddisp > av_size ||
dcnt > av_size ||
ddisp+dcnt > av_size ||
ddisp+dcnt < ddisp) {
goto bad_param;
}
memcpy(state->data+ddisp, smb_base(req->inbuf)+doff,
dcnt);