sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-29 21:47:30 +03:00
Code

r24090: Separate parsing in reply_ntcreate_and_X

Browse Source 
In particular, check if we have enough parameters
This commit is contained in:
Volker Lendecke 2007-07-31 08:37:54 +00:00 committed by Gerald (Jerry) Carter
parent 1bb2b341e2
commit 7a19b3071e
1 changed files with 32 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
source/smbd/nttrans.c
View File

@ -484,13 +484,14 @@ int reply_ntcreate_and_X(connection_struct *conn,
{ {
int result; int result;
pstring fname; pstring fname;
uint32 flags = IVAL(inbuf,smb_ntcreate_Flags); uint32 flags;
uint32 access_mask = IVAL(inbuf,smb_ntcreate_DesiredAccess); uint32 access_mask;
uint32 file_attributes = IVAL(inbuf,smb_ntcreate_FileAttributes); uint32 file_attributes;
uint32 share_access = IVAL(inbuf,smb_ntcreate_ShareAccess); uint32 share_access;
uint32 create_disposition = IVAL(inbuf,smb_ntcreate_CreateDisposition); uint32 create_disposition;
uint32 create_options = IVAL(inbuf,smb_ntcreate_CreateOptions); uint32 create_options;
uint16 root_dir_fid = (uint16)IVAL(inbuf,smb_ntcreate_RootDirectoryFid); uint16 root_dir_fid;
SMB_BIG_UINT allocation_size;
/* Breakout the oplock request bits so we can set the /* Breakout the oplock request bits so we can set the
reply bits separately. */ reply bits separately. */
int oplock_request = 0; int oplock_request = 0;
@ -510,6 +511,25 @@ int reply_ntcreate_and_X(connection_struct *conn,
START_PROFILE(SMBntcreateX); START_PROFILE(SMBntcreateX);
init_smb_request(&req, (uint8 *)inbuf);
if (req.wct < 24) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
flags = IVAL(inbuf,smb_ntcreate_Flags);
access_mask = IVAL(inbuf,smb_ntcreate_DesiredAccess);
file_attributes = IVAL(inbuf,smb_ntcreate_FileAttributes);
share_access = IVAL(inbuf,smb_ntcreate_ShareAccess);
create_disposition = IVAL(inbuf,smb_ntcreate_CreateDisposition);
create_options = IVAL(inbuf,smb_ntcreate_CreateOptions);
root_dir_fid = (uint16)IVAL(inbuf,smb_ntcreate_RootDirectoryFid);
allocation_size = (SMB_BIG_UINT)IVAL(inbuf,smb_ntcreate_AllocationSize);
#ifdef LARGE_SMB_OFF_T
allocation_size |= (((SMB_BIG_UINT)IVAL(inbuf,smb_ntcreate_AllocationSize + 4)) << 32);
#endif
DEBUG(10,("reply_ntcreate_and_X: flags = 0x%x, access_mask = 0x%x " DEBUG(10,("reply_ntcreate_and_X: flags = 0x%x, access_mask = 0x%x "
"file_attributes = 0x%x, share_access = 0x%x, " "file_attributes = 0x%x, share_access = 0x%x, "
"create_disposition = 0x%x create_options = 0x%x " "create_disposition = 0x%x create_options = 0x%x "
@ -522,8 +542,6 @@ int reply_ntcreate_and_X(connection_struct *conn,
(unsigned int)create_options, (unsigned int)create_options,
(unsigned int)root_dir_fid )); (unsigned int)root_dir_fid ));
init_smb_request(&req, (uint8 *)inbuf);
/* /*
* If it's an IPC, use the pipe handler. * If it's an IPC, use the pipe handler.
*/ */
@ -562,7 +580,7 @@ int reply_ntcreate_and_X(connection_struct *conn,
if(!dir_fsp->is_directory) { if(!dir_fsp->is_directory) {
srvstr_get_path(inbuf, SVAL(inbuf,smb_flg2), fname, srvstr_get_path(inbuf, req.flags2, fname,
smb_buf(inbuf), sizeof(fname), 0, smb_buf(inbuf), sizeof(fname), 0,
STR_TERMINATE, &status); STR_TERMINATE, &status);
if (!NT_STATUS_IS_OK(status)) { if (!NT_STATUS_IS_OK(status)) {
@ -606,7 +624,7 @@ int reply_ntcreate_and_X(connection_struct *conn,
dir_name_len++; dir_name_len++;
} }
srvstr_get_path(inbuf, SVAL(inbuf,smb_flg2), rel_fname, srvstr_get_path(inbuf, req.flags2, rel_fname,
smb_buf(inbuf), sizeof(rel_fname), 0, smb_buf(inbuf), sizeof(rel_fname), 0,
STR_TERMINATE, &status); STR_TERMINATE, &status);
if (!NT_STATUS_IS_OK(status)) { if (!NT_STATUS_IS_OK(status)) {
@ -615,7 +633,7 @@ int reply_ntcreate_and_X(connection_struct *conn,
} }
pstrcat(fname, rel_fname); pstrcat(fname, rel_fname);
} else { } else {
srvstr_get_path(inbuf, SVAL(inbuf,smb_flg2), fname, srvstr_get_path(inbuf, req.flags2, fname,
smb_buf(inbuf), sizeof(fname), 0, smb_buf(inbuf), sizeof(fname), 0,
STR_TERMINATE, &status); STR_TERMINATE, &status);
if (!NT_STATUS_IS_OK(status)) { if (!NT_STATUS_IS_OK(status)) {
@ -654,7 +672,7 @@ int reply_ntcreate_and_X(connection_struct *conn,
* Now contruct the smb_open_mode value from the filename, * Now contruct the smb_open_mode value from the filename,
* desired access and the share access. * desired access and the share access.
*/ */
status = resolve_dfspath(conn, SVAL(inbuf,smb_flg2) & FLAGS2_DFS_PATHNAMES, fname); status = resolve_dfspath(conn, req.flags2 & FLAGS2_DFS_PATHNAMES, fname);
if (!NT_STATUS_IS_OK(status)) { if (!NT_STATUS_IS_OK(status)) {
END_PROFILE(SMBntcreateX); END_PROFILE(SMBntcreateX);
if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) { if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
@ -842,7 +860,7 @@ int reply_ntcreate_and_X(connection_struct *conn,
} else { } else {
TALLOC_FREE(case_state); TALLOC_FREE(case_state);
END_PROFILE(SMBntcreateX); END_PROFILE(SMBntcreateX);
if (open_was_deferred(SVAL(inbuf,smb_mid))) { if (open_was_deferred(req.mid)) {
/* We have re-scheduled this call. */ /* We have re-scheduled this call. */
return -1; return -1;
} }
@ -866,10 +884,6 @@ int reply_ntcreate_and_X(connection_struct *conn,
/* Save the requested allocation size. */ /* Save the requested allocation size. */
if ((info == FILE_WAS_CREATED) || (info == FILE_WAS_OVERWRITTEN)) { if ((info == FILE_WAS_CREATED) || (info == FILE_WAS_OVERWRITTEN)) {
SMB_BIG_UINT allocation_size = (SMB_BIG_UINT)IVAL(inbuf,smb_ntcreate_AllocationSize);
#ifdef LARGE_SMB_OFF_T
allocation_size |= (((SMB_BIG_UINT)IVAL(inbuf,smb_ntcreate_AllocationSize + 4)) << 32);
#endif
if (allocation_size && (allocation_size > (SMB_BIG_UINT)file_len)) { if (allocation_size && (allocation_size > (SMB_BIG_UINT)file_len)) {
fsp->initial_allocation_size = smb_roundup(fsp->conn, allocation_size); fsp->initial_allocation_size = smb_roundup(fsp->conn, allocation_size);
if (fsp->is_directory) { if (fsp->is_directory) {