s3:smbd: Fix converity warning with _smb_setlen_large()

result_independent_of_operands: "(outsize - 4 & 0xffffff) >> 16 >> 8" is
0 regardless of the values of its operands. This occurs as the bitwise
first operand of "&".

So we should just pass a variable to silence the warning. However for
this, we should calculate it correctly and use size_t for it.

Found by Coverity.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source3/smbd/aio.c b/source3/smbd/aio.c
index abf8858099b414f40c717a211014b4d4528ad980..b984036e9f8e31a8eb6ca4c23e4e70a9f342b280 100644 (file)
--- a/source3/smbd/aio.c
+++ b/source3/smbd/aio.c
@@ -239,7 +239,7 @@ static void aio_pread_smb1_done(struct tevent_req *req)
        struct aio_extra *aio_ex = tevent_req_callback_data(
                req, struct aio_extra);
        files_struct *fsp = aio_ex->fsp;
-       int outsize;
+       size_t outsize;
        char *outbuf = (char *)aio_ex->outbuf.data;
        ssize_t nread;
        struct vfs_aio_state vfs_aio_state;
@@ -276,7 +276,15 @@ static void aio_pread_smb1_done(struct tevent_req *req)
                           (int)aio_ex->nbyte, (int)nread ) );
 
        }
-       _smb_setlen_large(outbuf, outsize - 4);
+
+       if (outsize <= 4) {
+               DBG_INFO("Invalid outsize (%zu)\n", outsize);
+               TALLOC_FREE(aio_ex);
+               return;
+       }
+       outsize -= 4;
+       _smb_setlen_large(outbuf, outsize);
+
        show_msg(outbuf);
        if (!srv_send_smb(aio_ex->smbreq->xconn, outbuf,
                          true, aio_ex->smbreq->seqnum+1,

diff --git a/source3/smbd/error.c b/source3/smbd/error.c
index c91f5b0daf4e3ea69f00de115387b99f6370d81d..3f9ecaa2c5cc818b254e9e68f80f7c11a44062f6 100644 (file)
--- a/source3/smbd/error.c
+++ b/source3/smbd/error.c
@@ -105,9 +105,9 @@ void error_packet_set(char *outbuf, uint8_t eclass, uint32_t ecode, NTSTATUS nts
        }
 }
 
-int error_packet(char *outbuf, uint8_t eclass, uint32_t ecode, NTSTATUS ntstatus, int line, const char *file)
+size_t error_packet(char *outbuf, uint8_t eclass, uint32_t ecode, NTSTATUS ntstatus, int line, const char *file)
 {
-       int outsize = srv_set_message(outbuf,0,0,True);
+       size_t outsize = srv_set_message(outbuf,0,0,True);
        error_packet_set(outbuf, eclass, ecode, ntstatus, line, file);
        return outsize;
 }

diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 6a3395ceabf503e842e242f042e2195cf8ba54d1..936b5351de7cf6b917677c8d618cca9085355841 100644 (file)
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -274,10 +274,10 @@ out:
  Setup the word count and byte count for a smb message.
 ********************************************************************/
 
-int srv_set_message(char *buf,
-                        int num_words,
-                        int num_bytes,
-                        bool zero)
+size_t srv_set_message(char *buf,
+                      size_t num_words,
+                      size_t num_bytes,
+                      bool zero)
 {
        if (zero && (num_words || num_bytes)) {
                memset(buf + smb_size,'\0',num_words*2 + num_bytes);

diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index 778561c241c9f20a0aea7c93b1c1376e1863c7cf..bee7acadeeafb757724907bbf9af24a345422146 100644 (file)
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -293,7 +293,12 @@ struct timespec get_change_timespec(connection_struct *conn,
 
 bool use_nt_status(void);
 void error_packet_set(char *outbuf, uint8_t eclass, uint32_t ecode, NTSTATUS ntstatus, int line, const char *file);
-int error_packet(char *outbuf, uint8_t eclass, uint32_t ecode, NTSTATUS ntstatus, int line, const char *file);
+size_t error_packet(char *outbuf,
+                   uint8_t eclass,
+                   uint32_t ecode,
+                   NTSTATUS ntstatus,
+                   int line,
+                   const char *file);
 void reply_nt_error(struct smb_request *req, NTSTATUS ntstatus,
                    int line, const char *file);
 void reply_force_dos_error(struct smb_request *req, uint8_t eclass, uint32_t ecode,
@@ -825,10 +830,10 @@ bool srv_send_smb(struct smbXsrv_connection *xconn, char *buffer,
                  bool no_signing, uint32_t seqnum,
                  bool do_encrypt,
                  struct smb_perfcount_data *pcd);
-int srv_set_message(char *buf,
-                        int num_words,
-                        int num_bytes,
-                        bool zero);
+size_t srv_set_message(char *buf,
+                      size_t num_words,
+                      size_t num_bytes,
+                      bool zero);
 void remove_deferred_open_message_smb(struct smbXsrv_connection *xconn,
                                      uint64_t mid);
 bool schedule_deferred_open_message_smb(struct smbXsrv_connection *xconn,
@@ -955,7 +960,7 @@ ssize_t sendfile_short_send(struct smbXsrv_connection *xconn,
                            size_t smb_maxcnt);
 void reply_readbraw(struct smb_request *req);
 void reply_lockread(struct smb_request *req);
-int setup_readX_header(char *outbuf, size_t smb_maxcnt);
+size_t setup_readX_header(char *outbuf, size_t smb_maxcnt);
 void reply_read(struct smb_request *req);
 void reply_read_and_X(struct smb_request *req);
 void error_to_writebrawerr(struct smb_request *req);

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 92a65f5b90b850d82925442632cb7f4724df228d..fc56e3234be6b3916c50f6cb3451197edf03139d 100644 (file)
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3926,9 +3926,9 @@ out:
  Setup readX header.
 ****************************************************************************/
 
-int setup_readX_header(char *outbuf, size_t smb_maxcnt)
+size_t setup_readX_header(char *outbuf, size_t smb_maxcnt)
 {
-       int outsize;
+       size_t outsize;
 
        outsize = srv_set_message(outbuf,12,smb_maxcnt + 1 /* padding byte */,
                                  False);