mirror of
https://github.com/samba-team/samba.git
synced 2025-01-12 09:18:10 +03:00
check that a valid pipe is passed before doing a pipe close.
I made this change after getting a segv in reply_pipe_close(). The funny thing was that pipes_open was 1 and Pipes was NULL. That "can't happen" and suggests that we have a wild pointer somewhere. I suspect the rpc code, as I was playing with long share names (a share called "averylongusername") at the time and the logs show lots of srvsvc operations. I bet there is a buffer in the rpc code somewhere that is overflowing and trashing bits of the data segment.
This commit is contained in:
parent
3d9ec96de5
commit
9fee8c2eb7
@ -121,6 +121,8 @@ int reply_pipe_read_and_X(char *inbuf,char *outbuf,int length,int bufsize)
|
||||
char *data;
|
||||
BOOL ok = False;
|
||||
|
||||
if (!p) return(ERROR(ERRDOS,ERRbadfid));
|
||||
|
||||
set_message(outbuf,12,0,True);
|
||||
data = smb_buf(outbuf);
|
||||
|
||||
@ -148,6 +150,8 @@ int reply_pipe_close(connection_struct *conn, char *inbuf,char *outbuf)
|
||||
pipes_struct *p = get_rpc_pipe_p(inbuf,smb_vwv0);
|
||||
int outsize = set_message(outbuf,0,0,True);
|
||||
|
||||
if (!p) return(ERROR(ERRDOS,ERRbadfid));
|
||||
|
||||
DEBUG(5,("reply_pipe_close: pnum:%x\n", p->pnum));
|
||||
|
||||
if (!close_rpc_pipe_hnd(p, conn)) return(ERROR(ERRDOS,ERRbadfid));
|
||||
|
Loading…
Reference in New Issue
Block a user