Changeset 590 for trunk/server/source3/smbd/reply.c

Timestamp:

Jul 1, 2011, 8:40:10 AM (14 years ago)

Author:

Herwig Bauernfeind

Message:

Samba 3.5: Update trunk to 3.5.6

File:

• trunk/server/source3/smbd/reply.c (modified) (6 diffs)

trunk/server/source3/smbd/reply.c ¶

@@ -496 +496 @@
 ****************************************************************************/
 
-void reply_special(char *inbuf)
+void reply_special(char *inbuf, size_t inbuf_size)
 {
         int msg_type = CVAL(inbuf,0);
         int msg_flags = CVAL(inbuf,1);
-        fstring name1,name2;
-        char name_type1, name_type2;
         struct smbd_server_connection *sconn = smbd_server_conn;
-
         /*
          * We only really use 4 bytes of the outbuf, but for the smb_setlen
@@ -511 +508 @@
         char outbuf[smb_size];
 
-        *name1 = *name2 = 0;
-
         memset(outbuf, '\0', sizeof(outbuf));
 
@@ -519 +514 @@
         switch (msg_type) {
         case 0x81: /* session request */
+        {
+                /* inbuf_size is guarenteed to be at least 4. */
+                fstring name1,name2;
+                int name_type1, name_type2;
+                int name_len1, name_len2;
+
+                *name1 = *name2 = 0;
 
                 if (sconn->nbt.got_session) {
@@ -526 +528 @@
                 SCVAL(outbuf,0,0x82);
                 SCVAL(outbuf,3,0);
-                if (name_len(inbuf+4) > 50 || 
-                    name_len(inbuf+4 + name_len(inbuf + 4)) > 50) {
+
+                /* inbuf_size is guaranteed to be at least 4. */
+                name_len1 = name_len((unsigned char *)(inbuf+4),inbuf_size - 4);
+                if (name_len1 <= 0 || name_len1 > inbuf_size - 4) {
                         DEBUG(0,("Invalid name length in session request\n"));
                         return;
                 }
-                name_type1 = name_extract(inbuf,4,name1);
-                name_type2 = name_extract(inbuf,4 + name_len(inbuf + 4),name2);
+                name_len2 = name_len((unsigned char *)(inbuf+4+name_len1),inbuf_size - 4 - name_len1);
+                if (name_len2 <= 0 || name_len2 > inbuf_size - 4 - name_len1) {
+                        DEBUG(0,("Invalid name length in session request\n"));
+                        return;
+                }
+
+                name_type1 = name_extract((unsigned char *)inbuf,
+                                inbuf_size,(unsigned int)4,name1);
+                name_type2 = name_extract((unsigned char *)inbuf,
+                                inbuf_size,(unsigned int)(4 + name_len1),name2);
+
+                if (name_type1 == -1 || name_type2 == -1) {
+                        DEBUG(0,("Invalid name type in session request\n"));
+                        return;
+                }
+
                 DEBUG(2,("netbios connect: name1=%s0x%x name2=%s0x%x\n",
                          name1, name_type1, name2, name_type2));
@@ -566 +584 @@
                 sconn->nbt.got_session = true;
                 break;
+        }
 
         case 0x89: /* session keepalive request 
@@ -5854 +5873 @@
                           smb_fname_str_dbg(smb_fname_dst)));
 
-                if (lp_map_archive(SNUM(conn)) ||
-                    lp_store_dos_attributes(SNUM(conn))) {
+                if (!lp_posix_pathnames() &&
+                    (lp_map_archive(SNUM(conn)) ||
+                    lp_store_dos_attributes(SNUM(conn)))) {
                         /* We must set the archive bit on the newly
                            renamed file. */