sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-09 08:58:35 +03:00
Code

smb_server/smb: fix crash bug with fragmented trans calls

Browse Source 
We need to use smbsrv_setup_secondary_request(req) to send the
trans ack, because smbsrv_send_reply(req) destroys 'req'
and the partial trans list had dead elements in the list.

Also make sure the partial list element is removed by a talloc
destructor.

metze
(This used to be commit 221f4d6e534a40b7def6e51dc6b4f9e8057d18b7)
This commit is contained in:
Stefan Metzmacher 2008-07-07 12:56:26 +02:00
parent b6327116dd
commit 88a26f6e7f
1 changed files with 20 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
source4/smb_server/smb/trans2.c
View File

@ -1036,6 +1036,12 @@ static NTSTATUS trans2_backend(struct smbsrv_request *req, struct trans_op *op)
return NT_STATUS_FOOBAR;
}
static int smbsrv_trans_partial_destructor(struct smbsrv_trans_partial *tp)
{
DLIST_REMOVE(tp->req->smb_conn->trans_partial, tp);
return 0;
}
/*
send a continue request
@ -1043,6 +1049,7 @@ static NTSTATUS trans2_backend(struct smbsrv_request *req, struct trans_op *op)
static void reply_trans_continue(struct smbsrv_request *req, uint8_t command,
struct smb_trans2 *trans)
{
struct smbsrv_request *req2;
struct smbsrv_trans_partial *tp;
int count;
@ -1055,15 +1062,18 @@ static void reply_trans_continue(struct smbsrv_request *req, uint8_t command,
tp = talloc(req, struct smbsrv_trans_partial);
tp->req = talloc_reference(tp, req);
tp->req = req;
tp->trans = trans;
tp->command = command;
DLIST_ADD(req->smb_conn->trans_partial, tp);
talloc_set_destructor(tp, smbsrv_trans_partial_destructor);
req2 = smbsrv_setup_secondary_request(req);
/* send a 'please continue' reply */
smbsrv_setup_reply(req, 0, 0);
smbsrv_send_reply(req);
smbsrv_setup_reply(req2, 0, 0);
smbsrv_send_reply(req2);
}
@ -1334,7 +1344,8 @@ static void reply_transs_generic(struct smbsrv_request *req, uint8_t command)
uint8_t,
param_disp + param_count);
if (trans->in.params.data == NULL) {
goto failed;
smbsrv_send_error(tp->req, NT_STATUS_NO_MEMORY);
return;
}
trans->in.params.length = param_disp + param_count;
}
@ -1345,7 +1356,8 @@ static void reply_transs_generic(struct smbsrv_request *req, uint8_t command)
uint8_t,
data_disp + data_count);
if (trans->in.data.data == NULL) {
goto failed;
smbsrv_send_error(tp->req, NT_STATUS_NO_MEMORY);
return;
}
trans->in.data.length = data_disp + data_count;
}
@ -1363,16 +1375,11 @@ static void reply_transs_generic(struct smbsrv_request *req, uint8_t command)
if (trans->in.params.length == param_total &&
trans->in.data.length == data_total) {
/* its now complete */
DLIST_REMOVE(tp->req->smb_conn->trans_partial, tp);
reply_trans_complete(tp->req, command, trans);
req = tp->req;
talloc_free(tp);
reply_trans_complete(req, command, trans);
}
return;
failed:
smbsrv_send_error(tp->req, NT_STATUS_NO_MEMORY);
DLIST_REMOVE(req->smb_conn->trans_partial, tp);
talloc_free(req);
talloc_free(tp);
}