sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-27 03:21:53 +03:00
Code

r3493: fixed a bug in readx reply where the client specifies an invalid high

Browse Source 
part of the maxcnt. This caused an allocation failure and server exit.

Note: we need to go back over all the places in the core smb_server
that can cause allocation failures based on user input and fix them to
instead produce a SMB error.

Thanks to Susan for finding this bug.
This commit is contained in:
Andrew Tridgell 2004-11-02 22:01:11 +00:00 committed by Gerald (Jerry) Carter
parent 640e3a8ce8
commit 4aed1b7921
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
source/smb_server/reply.c
View File

@ -892,8 +892,14 @@ void reply_read_and_X(struct smbsrv_request *req)
io->readx.in.offset = IVAL(req->in.vwv, VWV(3));
io->readx.in.maxcnt = SVAL(req->in.vwv, VWV(5));
io->readx.in.mincnt = SVAL(req->in.vwv, VWV(6));
io->readx.in.maxcnt |= IVAL(req->in.vwv, VWV(7)) << 16;
io->readx.in.remaining = SVAL(req->in.vwv, VWV(9));
if (req->smb_conn->negotiate.client_caps & CAP_LARGE_READX) {
uint32_t high_part = IVAL(req->in.vwv, VWV(7));
if (high_part == 1) {
io->readx.in.maxcnt |= high_part << 16;
}
}
/* the 64 bit variant */
if (req->in.wct == 12) {