From 183eea4909d6678ac382eac16a5873a1fa3fd065 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Fri, 16 Nov 2007 13:12:51 -0800
Subject: [PATCH] Fix smbfs to not trigger our paranoid checker. Jeremy.
---
 source/smbd/negprot.c | 2 +-
 source/smbd/reply.c | 8 ++++----
 source/smbd/srvstr.c | 13 +++----------
 source/smbd/trans2.c | 40 ++++++++++++++++++++--------------------
 4 files changed, 28 insertions(+), 35 deletions(-)
diff --git a/source/smbd/negprot.c b/source/smbd/negprot.c
index bc7c75aab4c..a84def069ee 100644
--- a/source/smbd/negprot.c
+++ b/source/smbd/negprot.c
@@ -346,7 +346,7 @@ static int reply_nt1(char *inbuf, char *outbuf)
 SCVAL(outbuf,smb_vwv16+1,8); p += 8; }
- p += srvstr_push(outbuf, p, lp_workgroup(), -1,
+ p += srvstr_push(outbuf, p, lp_workgroup(), BUFFER_SIZE - (p-outbuf),
 STR_UNICODE|STR_TERMINATE|STR_NOALIGN); DEBUG(3,("not using SPNEGO\n")); } else {
diff --git a/source/smbd/reply.c b/source/smbd/reply.c
index 55f62a26f7c..54bf88844d3 100644
--- a/source/smbd/reply.c
+++ b/source/smbd/reply.c
@@ -524,7 +524,7 @@ int reply_tcon_and_X(connection_struct *conn, char *inbuf,char *outbuf,int lengt
 if (Protocol < PROTOCOL_NT1) { set_message(outbuf,2,0,True); p = smb_buf(outbuf);
- p += srvstr_push(outbuf, p, server_devicetype, -1,
+ p += srvstr_push(outbuf, p, server_devicetype, BUFFER_SIZE - (p - outbuf),
 STR_TERMINATE|STR_ASCII); set_message_end(outbuf,p); } else {
@@ -554,9 +554,9 @@ int reply_tcon_and_X(connection_struct *conn, char *inbuf,char *outbuf,int lengt
 } p = smb_buf(outbuf);
- p += srvstr_push(outbuf, p, server_devicetype, -1,
+ p += srvstr_push(outbuf, p, server_devicetype, BUFFER_SIZE - (p - outbuf),
 STR_TERMINATE|STR_ASCII);
- p += srvstr_push(outbuf, p, fstype, -1,
+ p += srvstr_push(outbuf, p, fstype, BUFFER_SIZE - (p - outbuf),
 STR_TERMINATE); set_message_end(outbuf,p);
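Review bot: The new bound `BUFFER_SIZE - (p - outbuf)` on both srvstr_push calls is the size of the output allocation (presumably — outbuf's allocation is not in view), not the client's negotiated maximum; the removed srvstr_push_fn path in the srvstr.c hunk capped an unlimited push at `max_send - buf_used`, so replies that used to be clipped at max_send are now clipped only at BUFFER_SIZE. server_devicetype and fstype are short fixed strings, so nothing changes in practice here, but a one-line comment at the call sites would stop the next reader from assuming the cap is the negotiated size: `/* Bound is the allocation, not max_send; both strings are short fixed constants. */`. The same expression is spelled `(p-outbuf)` in the negprot.c hunk and `(p - outbuf)` here — pick one spacing. reply_tcon_and_X's body starts and ends outside the hunk.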
@@ -1766,7 +1766,7 @@ int reply_ctemp(connection_struct *conn, char *inbuf,char *outbuf, int dum_size,
 thing in the byte section. JRA */ SSVALS(p, 0, -1); /* what is this? not in spec */ #endif
- namelen = srvstr_push(outbuf, p, s, -1, STR_ASCII|STR_TERMINATE);
+ namelen = srvstr_push(outbuf, p, s, BUFFER_SIZE - (p - outbuf), STR_ASCII|STR_TERMINATE);
 p += namelen; outsize = set_message_end(outbuf, p);
diff --git a/source/smbd/srvstr.c b/source/smbd/srvstr.c
index 409fd30a679..7dc2567c153 100644
--- a/source/smbd/srvstr.c
+++ b/source/smbd/srvstr.c
@@ -28,17 +28,10 @@ size_t srvstr_push_fn(const char *function, unsigned int line,
 const char *base_ptr, void *dest, const char *src, int dest_len, int flags) {
- size_t buf_used = PTR_DIFF(dest, base_ptr);
- if (dest_len == -1) {
- if (((ptrdiff_t)dest < (ptrdiff_t)base_ptr) || (buf_used > (size_t)max_send)) {
-#if 0
- DEBUG(0, ("Pushing string of 'unlimited' length into non-SMB buffer!\n"));
-#endif
- return push_string_fn(function, line, base_ptr, dest, src, -1, flags);
- }
- return push_string_fn(function, line, base_ptr, dest, src, max_send - buf_used, flags);
+ if (dest_len < 0) {
+ return 0;
 }
-
+
 /* 'normal' push into size-specified buffer */ return push_string_fn(function, line, base_ptr, dest, src, dest_len, flags); }
diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c
index b2ce5b8c26d..4b6234395c6 100644
--- a/source/smbd/trans2.c
+++ b/source/smbd/trans2.c
@@ -1283,7 +1283,7 @@ static BOOL get_lanman2_dir_entry(connection_struct *conn,
 p += 23; nameptr = p; p += align_string(outbuf, p, 0);
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE);
+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE);
 if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) { if (len > 2) { SCVAL(nameptr, -1, len - 2);
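Review bot: The new `if (dest_len < 0) { return 0; }` guard turns a negative remaining length — which can only mean the caller's write pointer is already past the end of its buffer — into the same 0 that push_string_fn returns for an empty string, so callers such as `p += srvstr_push(...)` carry on as if a zero-length string had been written and nothing is ever logged. The wrapper receives `function` and `line` precisely so that it can report where a bad push came from; use them here: `DEBUG(0, ("srvstr_push_fn: negative dest_len %d from %s:%u\n", dest_len, function, line));` before the `return 0;`. Note also that the removed branch was the only place the negotiated `max_send` bounded a push; after this change every caller must supply a correct explicit bound, and a wrong one is now silent rather than paranoid.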
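Review bot: `space_remaining - (p - pdata)` is computed after the 23-byte fixed record and the alignment pad have already been written at `p`, so it can be zero or negative here; srvstr_push then returns 0, `len` is 0, the `len > 2` test skips the length byte and the entry is emitted with an empty name. When the remaining space is positive but shorter than the encoded name, push_string truncates and the client silently receives a shortened filename. If the function's out-of-space handling (outside this hunk) works by comparing `p - pdata` with space_remaining after the entry is built, a truncated name will pass that check; consider checking before the push that the space left covers the encoded length of fname and treating a shortfall as out-of-space for this entry rather than truncating. get_lanman2_dir_entry starts and ends outside the hunk.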
@@ -1318,7 +1318,7 @@ static BOOL get_lanman2_dir_entry(connection_struct *conn,
 } p += 27; nameptr = p - 1;
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE | STR_NOALIGN);
+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE | STR_NOALIGN);
 if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) { if (len > 2) { len -= 2;
@@ -1372,9 +1372,9 @@ static BOOL get_lanman2_dir_entry(connection_struct *conn,
 } /* Push the ea_data followed by the name. */
- p += fill_ea_buffer(ea_ctx, p, space_remaining, conn, name_list);
+ p += fill_ea_buffer(ea_ctx, p, space_remaining - (p - pdata), conn, name_list);
 nameptr = p;
- len = srvstr_push(outbuf, p + 1, fname, -1, STR_TERMINATE | STR_NOALIGN);
+ len = srvstr_push(outbuf, p + 1, fname, space_remaining - (p - pdata), STR_TERMINATE | STR_NOALIGN);
 if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) { if (len > 2) { len -= 2;
@@ -1431,7 +1431,7 @@ static BOOL get_lanman2_dir_entry(connection_struct *conn,
 memset(p,'\0',26); } p += 2 + 24;
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
 SIVAL(q,0,len); p += len; SIVAL(p,0,0); /* Ensure any padding is null. */
@@ -1452,7 +1452,7 @@ static BOOL get_lanman2_dir_entry(connection_struct *conn,
 SOFF_T(p,0,file_size); p += 8; SOFF_T(p,0,allocation_size); p += 8; SIVAL(p,0,nt_extmode); p += 4;
- len = srvstr_push(outbuf, p + 4, fname, -1, STR_TERMINATE_ASCII);
+ len = srvstr_push(outbuf, p + 4, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
 SIVAL(p,0,len); p += 4 + len; SIVAL(p,0,0); /* Ensure any padding is null. */
@@ -1479,7 +1479,7 @@ static BOOL get_lanman2_dir_entry(connection_struct *conn,
 SIVAL(p,0,ea_size); /* Extended attributes */ p +=4; }
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
 SIVAL(q, 0, len); p += len;
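Review bot: The bound handed to srvstr_push for the name is one byte too generous: the string is written at `p + 1` but the remaining space is computed from `p`, so the push may run one byte past space_remaining. Use `space_remaining - (p + 1 - pdata)` (or advance p before the call). The fill_ea_buffer call just above is fine because it writes at `p`, but its return value is added to p unchecked; if it ever returns more than the space it was given, the name bound goes negative and srvstr_push now returns 0 silently. get_lanman2_dir_entry's body continues outside the hunk.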
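Review bot: Same offset slip as the EA variant: the name is pushed at `p + 4` (the 4-byte length field is filled in afterwards with `SIVAL(p,0,len)`) but the bound is `space_remaining - (p - pdata)`, four bytes more than is actually left at `p + 4`. The 3640 hunk in this same file gets the pattern right with `max_data_bytes - (pdata+4 - *ppdata)`; do the same here: `space_remaining - (p + 4 - pdata)`.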
@@ -1497,7 +1497,7 @@ static BOOL get_lanman2_dir_entry(connection_struct *conn,
 p += 4; /* this must *not* be null terminated or w2k gets in a loop trying to set an acl on a dir (tridge) */
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
 SIVAL(p, -4, len); p += len; SIVAL(p,0,0); /* Ensure any padding is null. */
@@ -1527,7 +1527,7 @@ static BOOL get_lanman2_dir_entry(connection_struct *conn,
 SIVAL(p,0,0); p += 4; /* Unknown - reserved ? */ SIVAL(p,0,sbuf.st_ino); p += 4; /* FileIndexLow */ SIVAL(p,0,sbuf.st_dev); p += 4; /* FileIndexHigh */
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
 SIVAL(q, 0, len); p += len; SIVAL(p,0,0); /* Ensure any padding is null. */
@@ -1578,7 +1578,7 @@ static BOOL get_lanman2_dir_entry(connection_struct *conn,
 SSVAL(p,0,0); p += 2; /* Reserved ? */ SIVAL(p,0,sbuf.st_ino); p += 4; /* FileIndexLow */ SIVAL(p,0,sbuf.st_dev); p += 4; /* FileIndexHigh */
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
 SIVAL(q,0,len); p += len; SIVAL(p,0,0); /* Ensure any padding is null. */
@@ -1601,14 +1601,14 @@ static BOOL get_lanman2_dir_entry(connection_struct *conn,
 DEBUG(10,("get_lanman2_dir_entry: SMB_FIND_FILE_UNIX\n")); p = store_file_unix_basic(conn, p, NULL, &sbuf);
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE);
+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE);
 } else { DEBUG(10,("get_lanman2_dir_entry: SMB_FIND_FILE_UNIX_INFO2\n")); p = store_file_unix_basic_info2(conn, p, NULL, &sbuf); nameptr = p; p += 4;
- len = srvstr_push(outbuf, p, fname, -1, 0);
+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), 0);
 SIVAL(nameptr, 0, len); }
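Review bot: `space_remaining - (p - pdata)` is now hand-written at every name push in get_lanman2_dir_entry, and the expression is only correct when the destination pointer is exactly `p` — the UNIX_INFO2 case here advances p (`p += 4;`) before the push, which is right, while other hunks in this file push at `p + 1` or `p + 4` without adjusting the bound. A small helper would make the destination and the bound the same argument and remove the chance of that mismatch, e.g. `static int dir_entry_space_left(const char *pdata, int space_remaining, const char *dest) { return space_remaining - PTR_DIFF(dest, pdata); }` called as `dir_entry_space_left(pdata, space_remaining, p)`; PTR_DIFF is already the project idiom (see the data_size lines in the trans2 hunks below). The function's body is outside the hunk at both ends.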
@@ -2309,7 +2309,7 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAvail=%d\n", (unsigned int)st.st_dev, (unsi
 * this call so try fixing this by adding a terminating null to * the pushed string. The change here was adding the STR_TERMINATE. JRA. */
- len = srvstr_push(outbuf, pdata+l2_vol_szVolLabel, vname, -1, STR_NOALIGN|STR_TERMINATE);
+ len = srvstr_push(outbuf, pdata+l2_vol_szVolLabel, vname, max_data_bytes - l2_vol_szVolLabel, STR_NOALIGN|STR_TERMINATE);
 SCVAL(pdata,l2_vol_cch,len); data_len = l2_vol_szVolLabel + len; DEBUG(5,("call_trans2qfsinfo : time = %x, namelen = %d, name = %s\n",
@@ -2331,14 +2331,14 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAvail=%d\n", (unsigned int)st.st_dev, (unsi
 SIVAL(pdata,4,255); /* Max filename component length */ /* NOTE! the fstype must *not* be null terminated or win98 won't recognise it and will think we can't do long filenames */
- len = srvstr_push(outbuf, pdata+12, fstype, -1, STR_UNICODE);
+ len = srvstr_push(outbuf, pdata+12, fstype, max_data_bytes - 12, STR_UNICODE);
 SIVAL(pdata,8,len); data_len = 12 + len; break; case SMB_QUERY_FS_LABEL_INFO: case SMB_FS_LABEL_INFORMATION:
- len = srvstr_push(outbuf, pdata+4, vname, -1, 0);
+ len = srvstr_push(outbuf, pdata+4, vname, max_data_bytes - 4, 0);
 data_len = 4 + len; SIVAL(pdata,0,len); break;
@@ -2354,7 +2354,7 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAvail=%d\n", (unsigned int)st.st_dev, (unsi
 (str_checksum(get_local_machine_name())<<16)); /* Max label len is 32 characters. */
- len = srvstr_push(outbuf, pdata+18, vname, -1, STR_UNICODE);
+ len = srvstr_push(outbuf, pdata+18, vname, max_data_bytes - 18, STR_UNICODE);
 SIVAL(pdata,12,len); data_len = 18+len;
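Review bot: `max_data_bytes - 12` (and `- 4`, `- 18`, `- l2_vol_szVolLabel` in the neighbouring hunks) relies on srvstr_push_fn's new negative-length guard to cope with a client that asks for fewer data bytes than the fixed part of the reply: the fixed fields such as `SIVAL(pdata,4,255)` and `SIVAL(pdata,8,len)` are written regardless of max_data_bytes, and only the string is dropped. That is safe only if *ppdata is always allocated large enough for the fixed part (its allocation is outside this hunk — please confirm), and if max_data_bytes is an unsigned type the subtraction wraps and it is the implicit conversion to the `int dest_len` parameter that makes it negative, which deserves a comment rather than silence: `/* May go negative for tiny max_data_bytes; srvstr_push then writes nothing. */`. If max_data_bytes is indeed the client's requested max data count, an explicit up-front check that it covers the fixed header, returning the function's usual parameter error, would be clearer than depending on the wrap. call_trans2qfsinfo's body is outside the hunk at both ends.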
@@ -3589,7 +3589,7 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
 if(!mangle_is_8_3(short_name, True, conn->params)) { mangle_map(short_name,True,True,conn->params); }
- len = srvstr_push(outbuf, pdata+4, short_name, -1, STR_UNICODE);
+ len = srvstr_push(outbuf, pdata+4, short_name, max_data_bytes - 4, STR_UNICODE);
 data_size = 4 + len; SIVAL(pdata,0,len); break;
@@ -3599,7 +3599,7 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
 /* this must be *exactly* right for ACLs on mapped drives to work */
- len = srvstr_push(outbuf, pdata+4, dos_fname, -1, STR_UNICODE);
+ len = srvstr_push(outbuf, pdata+4, dos_fname, max_data_bytes - 4, STR_UNICODE);
 DEBUG(10,("call_trans2qfilepathinfo: SMB_QUERY_FILE_NAME_INFO\n")); data_size = 4 + len; SIVAL(pdata,0,len);
@@ -3640,7 +3640,7 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
 pdata += 24; SIVAL(pdata,0,ea_size); pdata += 4; /* EA info */
- len = srvstr_push(outbuf, pdata+4, dos_fname, -1, STR_UNICODE);
+ len = srvstr_push(outbuf, pdata+4, dos_fname, max_data_bytes - (pdata+4 - *ppdata), STR_UNICODE);
 SIVAL(pdata,0,len); pdata += 4 + len; data_size = PTR_DIFF(pdata,(*ppdata));
@@ -3802,7 +3802,7 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
 if (len == -1) return(UNIXERROR(ERRDOS,ERRnoaccess)); buffer[len] = 0;
- len = srvstr_push(outbuf, pdata, buffer, -1, STR_TERMINATE);
+ len = srvstr_push(outbuf, pdata, buffer, max_data_bytes, STR_TERMINATE);
 pdata += len; data_size = PTR_DIFF(pdata,(*ppdata));
-- 
2.34.1
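Review bot: Two different bound forms are used for the same pattern in this file: `max_data_bytes - 4` at 3589 and 3599 is only correct if pdata still equals *ppdata at that point, whereas this hunk uses `max_data_bytes - (pdata+4 - *ppdata)`, which stays correct after `pdata += 24; ... pdata += 4;`. Use the pointer-difference form everywhere — `max_data_bytes - PTR_DIFF(pdata + 4, *ppdata)` — so a case that later grows a fixed prefix before the push does not silently gain extra headroom; PTR_DIFF is already used two statements later for data_size. The 3802 hunk passes a bare `max_data_bytes` at `pdata`, which again holds only while pdata == *ppdata there (not visible in the hunk). call_trans2qfilepathinfo's body lies outside the hunk at both ends.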