s3:smb2_write: allow SMBD_SMB2_IN_DYN_LEN() to be 0 for the recvfile case.
authorStefan Metzmacher <metze@samba.org>
Mon, 18 Nov 2013 12:45:37 +0000 (13:45 +0100)
committerStefan Metzmacher <metze@samba.org>
Wed, 12 Mar 2014 23:04:39 +0000 (00:04 +0100)
For recvfile we haven't read the dyn buffer and may not have allocated it.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
source3/smbd/smb2_write.c

index 479a0efe278556b8858ea9a046ccbe152dd7838b..8e67c7ee6b41d22f7b5d4cac3ec2cce585acc0cb 100644 (file)
@@ -48,6 +48,8 @@ NTSTATUS smbd_smb2_request_process_write(struct smbd_smb2_request *req)
        uint64_t in_file_id_volatile;
        struct files_struct *in_fsp;
        uint32_t in_flags;
+       size_t in_dyn_len = 0;
+       uint8_t *in_dyn_ptr = NULL;
        struct tevent_req *subreq;
 
        status = smbd_smb2_request_verify_sizes(req, 0x31);
@@ -67,7 +69,15 @@ NTSTATUS smbd_smb2_request_process_write(struct smbd_smb2_request *req)
                return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
        }
 
-       if (in_data_length > SMBD_SMB2_IN_DYN_LEN(req)) {
+       if (req->smb1req != NULL && req->smb1req->unread_bytes > 0) {
+               in_dyn_ptr = NULL;
+               in_dyn_len = req->smb1req->unread_bytes;
+       } else {
+               in_dyn_ptr = SMBD_SMB2_IN_DYN_PTR(req);
+               in_dyn_len = SMBD_SMB2_IN_DYN_LEN(req);
+       }
+
+       if (in_data_length > in_dyn_len) {
                return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
        }
 
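Review bot: In the recvfile branch the only length check is `in_data_length > in_dyn_len`, so a request whose in_data_length is smaller than `req->smb1req->unread_bytes` is accepted while more bytes are still unread on the socket. Nothing in this hunk shows how that surplus is drained, so if no later code handles it the connection could lose its framing. If the two values are expected to match, the recvfile branch could reject a mismatch with `if (in_data_length != in_dyn_len) return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);`. The `in_dyn_ptr = NULL;` assignment repeats the initializer and could be replaced by a comment saying the payload has not been read yet. The function body continues outside the hunk.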
@@ -79,7 +89,10 @@ NTSTATUS smbd_smb2_request_process_write(struct smbd_smb2_request *req)
                return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
        }
 
-       in_data_buffer.data = SMBD_SMB2_IN_DYN_PTR(req);
+       /*
+        * Note: that in_dyn_ptr is NULL for the recvfile case.
+        */
+       in_data_buffer.data = in_dyn_ptr;
        in_data_buffer.length = in_data_length;
 
        status = smbd_smb2_request_verify_creditcharge(req, in_data_length);
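Review bot: From `in_data_buffer.data = in_dyn_ptr;` onwards the blob can carry a NULL pointer together with a non-zero `length`, and only a comment states that invariant. Every consumer between here and the `write_file()` call in smbd_smb2_write_send (the last hunk) has to know not to dereference `data`, and neither hunk shows what write_file() does with a NULL buffer when the request is not a recvfile one. I would make the comment state the contract, e.g. `/* recvfile: in_dyn_ptr is NULL and only the length is valid; data must not be dereferenced before the payload is read from the socket. */`. In smbd_smb2_write_send, consider failing the request when `in_data.data == NULL` with a non-zero length and the request has no unread bytes (presumably `smbreq->unread_bytes == 0`). Both functions extend beyond the hunks shown.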
@@ -348,6 +361,9 @@ static struct tevent_req *smbd_smb2_write_send(TALLOC_CTX *mem_ctx,
                return tevent_req_post(req, ev);
        }
 
+       /*
+        * Note: in_data.data is NULL for the recvfile case.
+        */
        nwritten = write_file(smbreq, fsp,
                              (const char *)in_data.data,
                              in_offset,