mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.
Fixes the raw.write.bad-write test. NB. We need the two (==0) changes in source3/smbd/reply.c as the gcc optimizer now knows that the return from smbreq_bufrem() can never be less than zero. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085 Remove knownfail. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>
This commit is contained in:
parent
ed3f82f4d7
commit
74946420dd
@ -1,2 +0,0 @@
|
||||
^samba3.raw.write.bad-write\(nt4_dc_smb1\)
|
||||
^samba3.raw.write.bad-write\(ad_dc_smb1\)
|
@ -152,7 +152,7 @@
|
||||
|
||||
/* the remaining number of bytes in smb buffer 'buf' from pointer 'p'. */
|
||||
#define smb_bufrem(buf, p) (smb_buflen(buf)-PTR_DIFF(p, smb_buf(buf)))
|
||||
#define smbreq_bufrem(req, p) (req->buflen - PTR_DIFF(p, req->buf))
|
||||
#define smbreq_bufrem(req, p) ((req)->buflen < PTR_DIFF((p), (req)->buf) ? 0 : (req)->buflen - PTR_DIFF((p), (req)->buf))
|
||||
|
||||
|
||||
/* Note that chain_size must be available as an extern int to this macro. */
|
||||
|
@ -345,7 +345,7 @@ size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req,
|
||||
{
|
||||
ssize_t bufrem = smbreq_bufrem(req, src);
|
||||
|
||||
if (bufrem < 0) {
|
||||
if (bufrem == 0) {
|
||||
*err = NT_STATUS_INVALID_PARAMETER;
|
||||
return 0;
|
||||
}
|
||||
@ -383,7 +383,7 @@ size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req,
|
||||
{
|
||||
ssize_t bufrem = smbreq_bufrem(req, src);
|
||||
|
||||
if (bufrem < 0) {
|
||||
if (bufrem == 0) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user