1 From f781c9c693462b89b60a3662d2a1224c9387a725 Mon Sep 17 00:00:00 2001
2 From: Volker Lendecke <vl@samba.org>
3 Date: Fri, 10 Feb 2012 08:10:39 +0100
4 Subject: [PATCH 1/2] v3-3: AndX offsets are increasing strictly monotonically
7 source/smbd/process.c | 10 +++++++++-
8 1 files changed, 9 insertions(+), 1 deletions(-)
10 diff --git source/smbd/process.c source/smbd/process.c
11 index e861e16..f64e1ce 100644
12 --- source/smbd/process.c
13 +++ source/smbd/process.c
14 @@ -1160,7 +1160,7 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
15 static char *orig_inbuf;
16 static char *orig_outbuf;
17 int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0);
18 - unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
19 + static unsigned smb_off2;
20 char *inbuf2, *outbuf2;
23 @@ -1178,8 +1178,16 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
24 /* this is the first part of the chain */
30 + if (SVAL(inbuf,smb_vwv1) <= smb_off2) {
31 + DEBUG(1, ("AndX offset not increasing\n"));
32 + SCVAL(outbuf, smb_vwv0, 0xFF);
35 + smb_off2 = SVAL(inbuf, smb_vwv1);
38 * The original Win95 redirector dies on a reply to
39 * a lockingX and read chain unless the chain reply is
44 From 009bb0be7383777a650a3bc6af1c0d3ab7476ebc Mon Sep 17 00:00:00 2001
45 From: Volker Lendecke <vl@samba.org>
46 Date: Fri, 10 Feb 2012 08:39:33 +0100
47 Subject: [PATCH 2/2] v3-0-test: Port back some packet consistency checks
50 source/smbd/process.c | 18 ++++++++++++++++++
51 1 files changed, 18 insertions(+), 0 deletions(-)
53 diff --git source/smbd/process.c source/smbd/process.c
54 index f64e1ce..8aabef8 100644
55 --- source/smbd/process.c
56 +++ source/smbd/process.c
57 @@ -1025,6 +1025,7 @@ static int construct_reply(char *inbuf,char *outbuf,int size,int bufsize)
59 int msg_type = CVAL(inbuf,0);
60 uint16_t mid = SVAL(inbuf, smb_mid);
61 + uint8_t wct = CVAL(inbuf, smb_wct);
65 @@ -1033,6 +1034,23 @@ static int construct_reply(char *inbuf,char *outbuf,int size,int bufsize)
67 return(reply_special(inbuf,outbuf));
69 + /* Ensure we have at least wct words and 2 bytes of bcc. */
70 + if (smb_size + wct*2 > size) {
71 + DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
73 + (unsigned int)size));
74 + exit_server_cleanly("Invalid SMB request");
76 + /* Ensure bcc is correct. */
77 + if (((uint8 *)smb_buf(inbuf)) + smb_buflen(inbuf) > inbuf + size) {
78 + DEBUG(0,("init_smb_request: invalid bcc number %u "
79 + "(wct = %u, size %u)\n",
80 + (unsigned int)smb_buflen(inbuf),
82 + (unsigned int)size));
83 + exit_server_cleanly("Invalid SMB request");
86 construct_reply_common(inbuf, outbuf);
88 outsize = switch_message(type,inbuf,outbuf,size,bufsize);