
check that a valid pipe is passed before doing a pipe close.

I made this change after getting a segv in reply_pipe_close(). The
funny thing was that pipes_open was 1 and Pipes was NULL. That "can't
happen" and suggests that we have a wild pointer somewhere.

I suspect the rpc code, as I was playing with long share names (a
share called "averylongusername") at the time and the logs show lots
of srvsvc operations. I bet there is a buffer in the rpc code
somewhere that is overflowing and trashing bits of the data segment.
This commit is contained in:
Andrew Tridgell 0001-01-01 00:00:00 +00:00
parent 3d9ec96de5
commit 9fee8c2eb7


@ -121,6 +121,8 @@ int reply_pipe_read_and_X(char *inbuf,char *outbuf,int length,int bufsize)
char *data; char *data;
BOOL ok = False; BOOL ok = False;
if (!p) return(ERROR(ERRDOS,ERRbadfid));
set_message(outbuf,12,0,True); set_message(outbuf,12,0,True);
data = smb_buf(outbuf); data = smb_buf(outbuf);
@ -148,6 +150,8 @@ int reply_pipe_close(connection_struct *conn, char *inbuf,char *outbuf)
pipes_struct *p = get_rpc_pipe_p(inbuf,smb_vwv0); pipes_struct *p = get_rpc_pipe_p(inbuf,smb_vwv0);
int outsize = set_message(outbuf,0,0,True); int outsize = set_message(outbuf,0,0,True);
if (!p) return(ERROR(ERRDOS,ERRbadfid));
DEBUG(5,("reply_pipe_close: pnum:%x\n", p->pnum)); DEBUG(5,("reply_pipe_close: pnum:%x\n", p->pnum));
if (!close_rpc_pipe_hnd(p, conn)) return(ERROR(ERRDOS,ERRbadfid)); if (!close_rpc_pipe_hnd(p, conn)) return(ERROR(ERRDOS,ERRbadfid));
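Review bot: The added `if (!p)` guards in reply_pipe_close and reply_pipe_read_and_X turn the NULL dereference into an ERRbadfid reply, but the commit message itself says the failing state was pipes_open == 1 with Pipes == NULL, which a NULL-handle check does not explain, so the underlying corruption remains and is now silent. Log the condition before returning so the inconsistency stays visible in the server logs, e.g. `if (!p) { DEBUG(0,("reply_pipe_close: invalid pipe handle\n")); return(ERROR(ERRDOS,ERRbadfid)); }`, and the same shape in reply_pipe_read_and_X. A short comment above each check, `/* defensive: a NULL pipe here means pipe state is inconsistent; see commit message */`, would keep the next reader from treating the guard as the fix. Both enclosing functions begin before their hunks, so the point where `p` is obtained in reply_pipe_read_and_X is not visible here.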