The branch, master has been updated
       via  df800ea Add test suite for iconv conversion fail of bad names over SMB1/SMB3.
       via  6d03aed s3: smbd: Fix a couple of tricky slow-path cases - don't return a mangled name for a name that cannot be converted.
       via  2fc8d0e s3: smbd: Change get_lanman2_dir_entry() to return the full NTSTATUS.
       via  c9877ea s3: smbd: Remove unneeded 'out_of_space' parameter from smbd_dirptr_lanman2_entry().
       via  5293dd2 s3: smbd: SMB2 - change smbd_dirptr_lanman2_entry() to return an NTSTATUS.
       via  d17fc79 s3: smbd: smbd_marshall_dir_entry() no longer needs explicit 'out_of_space' parameter.
       via  2bddcee s3: smbd: Change smbd_marshall_dir_entry() to return an NTSTATUS. Returns STATUS_MORE_ENTRIES on out of space.
       via  0519088 s3: smbd: Change the function signature of srvstr_push() from returning a length to returning an NTSTATUS with a length param.
       via  c7b89bb s3: smbd: Ensure types for all variables called 'len' used in srvstr_push() are correct.
       via  5c7e272 s3: smbd: srvstr_push() was changed to never return -1, so don't check for that as an error.
       via  6bce3d8 s3: utils: Don't directly manipulate errno inside strupper_m().
      from  c56a88d vfs_gpfs: Fix the build with profiling-data

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit df800ea6fb307abae785d3a5da60f4db70e9bc68
Author: Jeremy Allison <[email protected]>
Date:   Wed Aug 27 13:15:29 2014 -0700

    Add test suite for iconv conversion fail of bad names over SMB1/SMB3.
    
    Bug 10775 - smbd crashes when accessing garbage filenames
    
    https://bugzilla.samba.org/show_bug.cgi?id=10775
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: David Disseldorp <[email protected]>
    
    Autobuild-User(master): David Disseldorp <[email protected]>
    Autobuild-Date(master): Tue Sep 16 04:21:49 CEST 2014 on sn-devel-104

commit 6d03aed15e1be4c126c2de4708d0b1cd112ba901
Author: Jeremy Allison <[email protected]>
Date:   Tue Aug 26 16:39:56 2014 -0700

    s3: smbd: Fix a couple of tricky slow-path cases - don't return a mangled name for a name that cannot be converted.
    
    For a name that contains an illegal Windows character, the
    directory listing code returns the mangled 8.3 name as the
    primary name for the file.
    
    If the original (non-mangled) filename cannot be converted
    to UCS2 on the wire via iconv due to conversion error, we
    should skip that name when returning a directory listing,
    as we can't map back from a returned 8.3 name to a usable
    non-mangled filename if the client sends it back to us.
    
    As this is only done in a very slow path (name must be mangled)
    or in the old DOS protocol listing code I don't feel too bad
    about using a talloc/free pair here.
    
    Bug 10775 - smbd crashes when accessing garbage filenames
    
    https://bugzilla.samba.org/show_bug.cgi?id=10775
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: David Disseldorp <[email protected]>

commit 2fc8d0e0e85cd118f114f234a7eac3902d01c32e
Author: Jeremy Allison <[email protected]>
Date:   Tue Aug 26 15:05:24 2014 -0700

    s3: smbd: Change get_lanman2_dir_entry() to return the full NTSTATUS.
    
    Handle the errors correctly at the level above inside the SMB1 server.
    
    Bug 10775 - smbd crashes when accessing garbage filenames
    
    https://bugzilla.samba.org/show_bug.cgi?id=10775
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: David Disseldorp <[email protected]>

commit c9877eaf1b0ee83e4227483cb6891f94712bd32f
Author: Jeremy Allison <[email protected]>
Date:   Tue Aug 26 14:54:56 2014 -0700

    s3: smbd: Remove unneeded 'out_of_space' parameter from smbd_dirptr_lanman2_entry().
    
    This can now be handled by checking for the STATUS_MORE_ENTRIES error return.
    
    Bug 10775 - smbd crashes when accessing garbage filenames
    
    https://bugzilla.samba.org/show_bug.cgi?id=10775
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: David Disseldorp <[email protected]>

commit 5293dd2f635f049cd0632b071307df6a6c52d9b0
Author: Jeremy Allison <[email protected]>
Date:   Tue Aug 26 14:49:37 2014 -0700

    s3: smbd: SMB2 - change smbd_dirptr_lanman2_entry() to return an NTSTATUS.
    
    Handle the errors correctly at the top level inside the SMB2 server.
    
    Bug 10775 - smbd crashes when accessing garbage filenames
    
    https://bugzilla.samba.org/show_bug.cgi?id=10775
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: David Disseldorp <[email protected]>

commit d17fc79ee6c80702fe5ce007bdbc68b3d21bc8a0
Author: Jeremy Allison <[email protected]>
Date:   Tue Aug 26 11:40:19 2014 -0700

    s3: smbd: smbd_marshall_dir_entry() no longer needs explicit 'out_of_space' parameter.
    
    Handle this in the caller when it returns STATUS_MORE_ENTRIES.
    
    Bug 10775 - smbd crashes when accessing garbage filenames
    
    https://bugzilla.samba.org/show_bug.cgi?id=10775
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: David Disseldorp <[email protected]>

commit 2bddcee5cb1a08228974c8d42aee0f26876d7503
Author: Jeremy Allison <[email protected]>
Date:   Tue Aug 26 11:36:41 2014 -0700

    s3: smbd: Change smbd_marshall_dir_entry() to return an NTSTATUS. Returns STATUS_MORE_ENTRIES on out of space.
    
    Bug 10775 - smbd crashes when accessing garbage filenames
    
    https://bugzilla.samba.org/show_bug.cgi?id=10775
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: David Disseldorp <[email protected]>

commit 0519088c53b201b7ca1f144f3f2da052c612c0e7
Author: Jeremy Allison <[email protected]>
Date:   Mon Aug 25 17:11:58 2014 -0700

    s3: smbd: Change the function signature of srvstr_push() from returning a length to returning an NTSTATUS with a length param.
    
    srvstr_push_fn() now returns an NTSTATUS reporting any
    string conversion failure.
    
    We need to get serious about returning character set conversion errors
    inside smbd.
    
    Bug 10775 - smbd crashes when accessing garbage filenames
    
    https://bugzilla.samba.org/show_bug.cgi?id=10775
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: David Disseldorp <[email protected]>

commit c7b89bb9e5531be378c1b71fa7165f3ce74c83bb
Author: Jeremy Allison <[email protected]>
Date:   Mon Aug 25 17:05:47 2014 -0700

    s3: smbd: Ensure types for all variables called 'len' used in srvstr_push() are correct.
    
    Bug 10775 - smbd crashes when accessing garbage filenames
    
    https://bugzilla.samba.org/show_bug.cgi?id=10775
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: David Disseldorp <[email protected]>

commit 5c7e272190a3aeaab40c6810826043f66a9c792b
Author: Jeremy Allison <[email protected]>
Date:   Mon Aug 25 16:21:24 2014 -0700

    s3: smbd: srvstr_push() was changed to never return -1, so don't check for that as an error.
    
    Bug 10775 - smbd crashes when accessing garbage filenames
    
    https://bugzilla.samba.org/show_bug.cgi?id=10775
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: David Disseldorp <[email protected]>

commit 6bce3d81e146bc6adeb7cff124a78f818aa6fbe0
Author: Jeremy Allison <[email protected]>
Date:   Fri Sep 12 08:46:06 2014 -0700

    s3: utils: Don't directly manipulate errno inside strupper_m().
    
    Let the internal character conversion routines set it.
    
    Caller code paths don't depend on this (checked by
    David Disseldorp [email protected]).
    
    Bug 10775 - smbd crashes when accessing garbage filenames
    
    https://bugzilla.samba.org/show_bug.cgi?id=10775
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: David Disseldorp <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 lib/util/samba_util.h                     |    1 +
 lib/util/string_wrappers.h                |    8 +-
 selftest/target/Samba3.pm                 |   37 ++++
 source3/include/safe_string.h             |    1 +
 source3/lib/util_str.c                    |    6 +-
 source3/modules/vfs_default.c             |   10 +-
 source3/script/tests/test_smbclient_s3.sh |  144 ++++++++++++++
 source3/smbd/dir.c                        |   24 +++
 source3/smbd/globals.h                    |    3 +-
 source3/smbd/lanman.c                     |    9 +-
 source3/smbd/proto.h                      |    4 +-
 source3/smbd/reply.c                      |   30 +++-
 source3/smbd/smb2_find.c                  |   17 +-
 source3/smbd/srvstr.c                     |   57 +++++-
 source3/smbd/trans2.c                     |  306 ++++++++++++++++++++---------
 15 files changed, 521 insertions(+), 136 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/util/samba_util.h b/lib/util/samba_util.h
index f1f4c2d..528d373 100644
--- a/lib/util/samba_util.h
+++ b/lib/util/samba_util.h
@@ -63,6 +63,7 @@ do { \
 
 #include "lib/util/memory.h"
 
+#include "../libcli/util/ntstatus.h"
 #include "lib/util/string_wrappers.h"
 
 /**
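
Review bot: the new #include "../libcli/util/ntstatus.h" is placed directly above lib/util/string_wrappers.h only because that header now declares an NTSTATUS-returning function, and the same line is repeated in source3/include/safe_string.h. Including ntstatus.h from string_wrappers.h itself would make the header self-contained, so includers would not have to get the order right. The "../" relative path also differs from the "lib/util/..." form used by the neighbouring includes.
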
diff --git a/lib/util/string_wrappers.h b/lib/util/string_wrappers.h
index fcc088c..1feea8c 100644
--- a/lib/util/string_wrappers.h
+++ b/lib/util/string_wrappers.h
@@ -57,6 +57,8 @@ char * __unsafe_string_function_usage_here__(void);
 
 size_t __unsafe_string_function_usage_here_size_t__(void);
 
+NTSTATUS __unsafe_string_function_usage_here_NTSTATUS__(void);
+
 #define CHECK_STRING_SIZE(d, len) (sizeof(d) != (len) && sizeof(d) != 
sizeof(char *))
 
 /* if the compiler will optimize out function calls, then use this to tell if 
we are
@@ -68,10 +70,10 @@ size_t __unsafe_string_function_usage_here_size_t__(void);
     ? __unsafe_string_function_usage_here_size_t__() \
     : push_string_check_fn(dest, src, dest_len, flags))
 
-#define srvstr_push(base_ptr, smb_flags2, dest, src, dest_len, flags) \
+#define srvstr_push(base_ptr, smb_flags2, dest, src, dest_len, flags, ret_len) 
\
     (CHECK_STRING_SIZE(dest, dest_len) \
-    ? __unsafe_string_function_usage_here_size_t__() \
-    : srvstr_push_fn(base_ptr, smb_flags2, dest, src, dest_len, flags))
+    ? __unsafe_string_function_usage_here_NTSTATUS__() \
+    : srvstr_push_fn(base_ptr, smb_flags2, dest, src, dest_len, flags, 
ret_len))
 
 /* This allows the developer to choose to check the arguments to
    strlcpy.  if the compiler will optimize out function calls, then
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 5544105..de40ced 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -873,6 +873,9 @@ sub provision($$$$$$)
        my $msdfs_deeppath="$msdfs_shrdir/deeppath";
        push(@dirs,$msdfs_deeppath);
 
+       my $badnames_shrdir="$shrdir/badnames";
+       push(@dirs,$badnames_shrdir);
+
        # this gets autocreated by winbindd
        my $wbsockdir="$prefix_abs/winbindd";
        my $wbsockprivdir="$lockdir/winbindd_privileged";
@@ -925,6 +928,36 @@ sub provision($$$$$$)
        symlink "msdfs:$server_ip\\ro-tmp", "$msdfs_shrdir/msdfs-src1";
        symlink "msdfs:$server_ipv6\\ro-tmp", 
"$msdfs_shrdir/deeppath/msdfs-src2";
 
+       ##
+       ## create bad names in $badnames_shrdir
+       ##
+       ## (An invalid name, would be mangled to 8.3).
+        my $badname_target = "$badnames_shrdir/\340|\231\216\377\177";
+        unless (open(BADNAME_TARGET, ">$badname_target")) {
+                warn("Unable to open $badname_target");
+                return undef;
+        }
+        close(BADNAME_TARGET);
+        chmod 0666, $badname_target;
+
+       ## (A bad name, would not be mangled to 8.3).
+        my $badname_target = "$badnames_shrdir/\240\276\346\327\377\177";
+        unless (open(BADNAME_TARGET, ">$badname_target")) {
+                warn("Unable to open $badname_target");
+                return undef;
+        }
+        close(BADNAME_TARGET);
+        chmod 0666, $badname_target;
+
+       ## (A bad good name).
+        my $badname_target = "$badnames_shrdir/blank.txt";
+        unless (open(BADNAME_TARGET, ">$badname_target")) {
+                warn("Unable to open $badname_target");
+                return undef;
+        }
+        close(BADNAME_TARGET);
+        chmod 0666, $badname_target;
+
        my $conffile="$libdir/server.conf";
 
        my $nss_wrapper_pl = "$ENV{PERL} 
$self->{srcdir}/lib/nss_wrapper/nss_wrapper.pl";
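
Review bot: "my $badname_target" is declared three times in the same scope in this hunk, which Perl reports as masking an earlier declaration when warnings are enabled; declare it once and reassign, or loop over the three names, since the open/close/chmod block is repeated verbatim. The comment "(A bad good name)" on the blank.txt case is unclear and should say that this is the control file expected to appear in the listing. The added lines also mix tab and space indentation.
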
@@ -1182,6 +1215,10 @@ sub provision($$$$$$)
        fruit:metadata = netatalk
        fruit:locking = netatalk
        fruit:encoding = native
+
+[badname-tmp]
+       path = $badnames_shrdir
+       guest ok = yes
        ";
        close(CONF);
 
diff --git a/source3/include/safe_string.h b/source3/include/safe_string.h
index 03878b4..e77017c 100644
--- a/source3/include/safe_string.h
+++ b/source3/include/safe_string.h
@@ -62,6 +62,7 @@
 
 #endif /* !_SPLINT_ */
 
+#include "../libcli/util/ntstatus.h"
 #include "lib/util/string_wrappers.h"
 
 #endif
diff --git a/source3/lib/util_str.c b/source3/lib/util_str.c
index cfc495d..2b0830c 100644
--- a/source3/lib/util_str.c
+++ b/source3/lib/util_str.c
@@ -551,7 +551,6 @@ _PUBLIC_ void strupper_m(char *s)
 bool strupper_m(char *s)
 {
        size_t len;
-       int errno_save;
        bool ret = false;
 
        /* this is quite a common operation, so we want it to be
@@ -570,14 +569,11 @@ bool strupper_m(char *s)
        /* I assume that lowercased string takes the same number of bytes
         * as source string even in multibyte encoding. (VIV) */
        len = strlen(s) + 1;
-       errno_save = errno;
-       errno = 0;
        ret = unix_strupper(s,len,s,len);
        /* Catch mb conversion errors that may not terminate. */
-       if (errno) {
+       if (!ret) {
                s[len-1] = '\0';
        }
-       errno = errno_save;
        return ret;
 }
 
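
Review bot: in the "if (!ret)" branch the buffer is only re-terminated at s[len-1], so after a failed conversion the caller is left with whatever unix_strupper() wrote before it stopped. The function comment should state that the contents of s are unspecified when false is returned. It is also worth confirming that unix_strupper() returns false for every case the removed errno test caught, since the return value is now the only signal.
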
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index 3430cd0..3a3943b 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -1178,10 +1178,16 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct 
*handle,
                          shadow_data->num_volumes, fsp_str_dbg(fsp)));
                if (labels && shadow_data->labels) {
                        for (i=0; i<shadow_data->num_volumes; i++) {
-                               srvstr_push(cur_pdata, req_flags,
+                               size_t len = 0;
+                               status = srvstr_push(cur_pdata, req_flags,
                                            cur_pdata, shadow_data->labels[i],
                                            2 * sizeof(SHADOW_COPY_LABEL),
-                                           STR_UNICODE|STR_TERMINATE);
+                                           STR_UNICODE|STR_TERMINATE, &len);
+                               if (!NT_STATUS_IS_OK(status)) {
+                                       TALLOC_FREE(*out_data);
+                                       TALLOC_FREE(shadow_data);
+                                       return status;
+                               }
                                cur_pdata += 2 * sizeof(SHADOW_COPY_LABEL);
                                DEBUGADD(10,("Label[%u]: 
'%s'\n",i,shadow_data->labels[i]));
                        }
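
Review bot: "len" is passed as &len but never read in this loop, because cur_pdata advances by the fixed 2 * sizeof(SHADOW_COPY_LABEL). If srvstr_push_fn() can accept a NULL ret_len, pass NULL here; otherwise add a short comment saying the length is deliberately ignored. On the new error path, a DEBUG line naming the label index that failed to convert would make the returned status diagnosable, since the existing DEBUGADD is only reached on success.
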
diff --git a/source3/script/tests/test_smbclient_s3.sh 
b/source3/script/tests/test_smbclient_s3.sh
index 596cd42..67ac94a 100755
--- a/source3/script/tests/test_smbclient_s3.sh
+++ b/source3/script/tests/test_smbclient_s3.sh
@@ -722,6 +722,146 @@ EOF
     fi
 }
 
+# Test accessing an share with bad names (won't convert).
+test_bad_names()
+{
+    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD 
//$SERVER/badname-tmp -I $SERVER_IP $ADDARGS -c ls 2>&1'
+    eval echo "$cmd"
+    out=`eval $cmd`
+    ret=$?
+
+    if [ $ret != 0 ] ; then
+       echo "$out"
+       echo "failed accessing badname-tmp (SMB1) with error $ret"
+       false
+       return
+    fi
+
+    echo "$out" | wc -l 2>&1 | grep 6
+    ret=$?
+    if [ $ret != 0 ] ; then
+       echo "$out"
+       echo "failed listing \\badname-tmp - grep of number of lines (1) failed 
with $ret"
+       false
+    fi
+
+    echo "$out" | grep 'Domain=.*OS=.*Server='
+    ret=$?
+    if [ $ret != 0 ] ; then
+       echo "$out"
+       echo "failed listing \\badname-tmp - grep (1) failed with $ret"
+       false
+    fi
+
+    echo "$out" | grep '^  \. *D'
+    ret=$?
+    if [ $ret != 0 ] ; then
+       echo "$out"
+       echo "failed listing \\badname-tmp - grep (2) failed with $ret"
+       false
+    fi
+
+    echo "$out" | grep '^  \.\. *D'
+    ret=$?
+    if [ $ret != 0 ] ; then
+       echo "$out"
+       echo "failed listing \\badname-tmp - grep (3) failed with $ret"
+       false
+    fi
+
+    echo "$out" | grep '^  blank.txt *N'
+    ret=$?
+    if [ $ret != 0 ] ; then
+       echo "$out"
+       echo "failed listing \\badname-tmp - grep (4) failed with $ret"
+       false
+    fi
+
+    echo "$out" | grep '^ *$'
+    ret=$?
+    if [ $ret != 0 ] ; then
+       echo "$out"
+       echo "failed listing \\badname-tmp - grep (5) failed with $ret"
+       false
+    fi
+
+    echo "$out" | grep 'blocks of size.*blocks available'
+    ret=$?
+    if [ $ret != 0 ] ; then
+       echo "$out"
+       echo "failed listing \\badname-tmp - grep (6) failed with $ret"
+       false
+    fi
+
+    # Now check again with -mSMB3
+    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD 
//$SERVER/badname-tmp -I $SERVER_IP -mSMB3 $ADDARGS -c ls 2>&1'
+    eval echo "$cmd"
+    out=`eval $cmd`
+    ret=$?
+
+    if [ $ret != 0 ] ; then
+       echo "$out"
+       echo "failed accessing badname-tmp (SMB3) with error $ret"
+       false
+       return
+    fi
+
+    echo "$out" | wc -l 2>&1 | grep 6
+    ret=$?
+    if [ $ret != 0 ] ; then
+       echo "$out"
+       echo "failed listing \\badname-tmp - SMB3 grep of number of lines (1) 
failed with $ret"
+       false
+    fi
+
+    echo "$out" | grep 'Domain=.*OS=.*Server='
+    ret=$?
+    if [ $ret != 0 ] ; then
+       echo "$out"
+       echo "failed listing \\badname-tmp - SMB3 grep (1) failed with $ret"
+       false
+    fi
+
+    echo "$out" | grep '^  \. *D'
+    ret=$?
+    if [ $ret != 0 ] ; then
+       echo "$out"
+       echo "failed listing \\badname-tmp - SMB3 grep (2) failed with $ret"
+       false
+    fi
+
+    echo "$out" | grep '^  \.\. *D'
+    ret=$?
+    if [ $ret != 0 ] ; then
+       echo "$out"
+       echo "failed listing \\badname-tmp - SMB3 grep (3) failed with $ret"
+       false
+    fi
+
+    echo "$out" | grep '^  blank.txt *N'
+    ret=$?
+    if [ $ret != 0 ] ; then
+       echo "$out"
+       echo "failed listing \\badname-tmp - SMB3 grep (4) failed with $ret"
+       false
+    fi
+
+    echo "$out" | grep '^ *$'
+    ret=$?
+    if [ $ret != 0 ] ; then
+       echo "$out"
+       echo "failed listing \\badname-tmp - SMB3 grep (5) failed with $ret"
+       false
+    fi
+
+    echo "$out" | grep 'blocks of size.*blocks available'
+    ret=$?
+    if [ $ret != 0 ] ; then
+       echo "$out"
+       echo "failed listing \\badname-tmp - SMB3 grep (6) failed with $ret"
+       false
+    fi
+}
 
 LOGDIR_PREFIX=test_smbclient_s3
 
@@ -798,6 +938,10 @@ testit "list with backup privilege" \
     test_backup_privilege_list || \
     failed=`expr $failed + 1`
 
+testit "list a share with bad names (won't convert)" \
+    test_bad_names || \
+    failed=`expr $failed + 1`
+
 testit "rm -rf $LOGDIR" \
     rm -rf $LOGDIR || \
     failed=`expr $failed + 1`
diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
index 6c811fe..e60bc2c 100644
--- a/source3/smbd/dir.c
+++ b/source3/smbd/dir.c
@@ -1215,6 +1215,30 @@ static bool smbd_dirptr_8_3_match_fn(TALLOC_CTX *ctx,
            mangle_mask_match(conn, dname, mask)) {
                char mname[13];
                const char *fname;
+               /*
+                * Ensure we can push the original name as UCS2. If
+                * not, then just don't return this name.
+                */
+               NTSTATUS status;
+               size_t ret_len = 0;
+               size_t len = (strlen(dname) + 2) * 4; /* Allow enough space. */
+               uint8_t *tmp = talloc_array(talloc_tos(),
+                                       uint8,
+                                       len);
+
+               status = srvstr_push(NULL,
+                       FLAGS2_UNICODE_STRINGS,
+                       tmp,
+                       dname,
+                       len,
+                       STR_TERMINATE,
+                       &ret_len);
+
+               TALLOC_FREE(tmp);
+
+               if (!NT_STATUS_IS_OK(status)) {
+                       return false;
+               }
 
                if (!mangle_is_8_3(dname, false, conn->params)) {
                        bool ok = name_to_8_3(dname, mname, false,
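
Review bot: the result of talloc_array() is passed to srvstr_push() as "tmp" without a NULL check; return false when the allocation fails rather than attempting the conversion into a NULL buffer. The element type given to talloc_array() is "uint8" while the pointer is declared "uint8_t *", so use one spelling for both. "ret_len" is written but never read and could be dropped if the callee allows it.
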
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index f78ce45..5a8e3bd 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -185,7 +185,7 @@ bool smbd_dirptr_get_entry(TALLOC_CTX *ctx,
                           uint32_t *_mode,
                           long *_prev_offset);
 
-bool smbd_dirptr_lanman2_entry(TALLOC_CTX *ctx,
+NTSTATUS smbd_dirptr_lanman2_entry(TALLOC_CTX *ctx,
                               connection_struct *conn,
                               struct dptr_struct *dirptr,
                               uint16 flags2,
@@ -201,7 +201,6 @@ bool smbd_dirptr_lanman2_entry(TALLOC_CTX *ctx,
                               char *base_data,
                               char *end_data,
                               int space_remaining,
-                              bool *out_of_space,
                               bool *got_exact_match,
                               int *_last_entry_off,
                               struct ea_list *name_list);
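
Review bot: with "bool *out_of_space" removed from the prototype, the out-of-space condition is visible only through the return value; add a comment above smbd_dirptr_lanman2_entry() naming the status that callers must treat as "buffer full" as opposed to a hard error. The continuation lines of the parameter list are also no longer aligned with the opening parenthesis now that the return type is NTSTATUS rather than bool.
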
diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
index b7c74e9..ac4873d 100644
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -3655,8 +3655,13 @@ static bool api_RNetServerGetInfo(struct 
smbd_server_connection *sconn,
        }
 
        if (uLevel != 20) {
-               srvstr_push(NULL, 0, p, info.info101->server_name, 16,
-                       STR_ASCII|STR_UPPER|STR_TERMINATE);
+               size_t len = 0;
+               status = srvstr_push(NULL, 0, p, info.info101->server_name, 16,
+                       STR_ASCII|STR_UPPER|STR_TERMINATE, &len);
+               if (!NT_STATUS_IS_OK(status)) {
+                       errcode = W_ERROR_V(ntstatus_to_werror(status));
+                       goto out;
+               }
        }
        p += 16;
        if (uLevel > 0) {
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index f2b5888..3a5ebcc 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -1011,8 +1011,8 @@ bool is_share_read_only_for_token(const char *username,
 
 /* The following definitions come from smbd/srvstr.c  */
 
-size_t srvstr_push_fn(const char *base_ptr, uint16 smb_flags2, void *dest,
-                     const char *src, int dest_len, int flags);
+NTSTATUS srvstr_push_fn(const char *base_ptr, uint16 smb_flags2, void *dest,
+                     const char *src, int dest_len, int flags, size_t 
*ret_len);
 ssize_t message_push_string(uint8 **outbuf, const char *str, int flags);
 
 /* The following definitions come from smbd/statcache.c  */
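
Review bot: srvstr_push_fn() now reports the written length through "size_t *ret_len" while "dest_len" stays "int", so callers mix signed and unsigned lengths for the same buffer; make dest_len a size_t as well or document why it must stay signed. The prototype should also say whether *ret_len is defined when a non-OK status is returned. message_push_string() in the context line below still returns ssize_t and is left on the old convention.
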
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 2422ad3..3c22bbb 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -1099,6 +1099,8 @@ void reply_ioctl(struct smb_request *req)
        switch (ioctl_code) {
                case IOCTL_QUERY_JOB_INFO:                  
                {
+                       NTSTATUS status;
+                       size_t len = 0;
                        files_struct *fsp = file_fsp(
                                req, SVAL(req->vwv+0, 0));
                        if (!fsp) {
@@ -1109,15 +1111,25 @@ void reply_ioctl(struct smb_request *req)
                        /* Job number */
                        SSVAL(p, 0, print_spool_rap_jobid(fsp->print_file));
 
-                       srvstr_push((char *)req->outbuf, req->flags2, p+2,
+                       status = srvstr_push((char *)req->outbuf, req->flags2, 
p+2,
                                    lp_netbios_name(), 15,
-                                   STR_TERMINATE|STR_ASCII);
+                                   STR_TERMINATE|STR_ASCII, &len);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               reply_nterror(req, status);
+                               END_PROFILE(SMBioctl);
+                               return;
+                       }
                        if (conn) {
-                               srvstr_push((char *)req->outbuf, req->flags2,
+                               status = srvstr_push((char *)req->outbuf, 
req->flags2,
                                            p+18,
                                            lp_servicename(talloc_tos(),
                                                           SNUM(conn)),
-                                           13, STR_TERMINATE|STR_ASCII);
+                                           13, STR_TERMINATE|STR_ASCII, &len);
+                               if (!NT_STATUS_IS_OK(status)) {
+                                       reply_nterror(req, status);
+                                       END_PROFILE(SMBioctl);
+                                       return;
+                               }
                        } else {
                                memset(p+18, 0, 13);
                        }
@@ -5791,6 +5803,7 @@ void reply_printqueue(struct smb_request *req)
                        char *p = blob;
                        time_t qtime = 
spoolss_Time_to_time_t(&info[i].info2.submitted);
                        int qstatus;
+                       size_t len = 0;
                        uint16_t qrapjobid = pjobid_to_rap(sharename,
                                                        info[i].info2.job_id);
 
@@ -5805,9 +5818,12 @@ void reply_printqueue(struct smb_request *req)
                        SSVAL(p, 5, qrapjobid);
                        SIVAL(p, 7, info[i].info2.size);
                        SCVAL(p, 11, 0);
-                       srvstr_push(blob, req->flags2, p+12,
-                                   info[i].info2.notify_name, 16, STR_ASCII);
-
+                       status = srvstr_push(blob, req->flags2, p+12,
+                                   info[i].info2.notify_name, 16, STR_ASCII, 
&len);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               reply_nterror(req, status);
+                               goto out;
+                       }
                        if (message_push_blob(
                                    &req->outbuf,
                                    data_blob_const(
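
Review bot: this hunk assigns to "status" and jumps to "out", but the preceding reply_printqueue() hunk only adds "size_t len = 0;", unlike the reply_ioctl() hunk, which adds both "NTSTATUS status;" and "size_t len". Confirm that "status" is already declared in scope here. "len" is never read after the call, and the blank line that separated the srvstr_push() call from the message_push_blob() block was dropped; keeping it helps readability.
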
diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c
index 45b0890..2dab86b 100644
--- a/source3/smbd/smb2_find.c
+++ b/source3/smbd/smb2_find.c
@@ -432,14 +432,12 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX 
*mem_ctx,
                                     true);
 
        while (true) {
-               bool ok;
                bool got_exact_match = false;
-               bool out_of_space = false;
                int space_remaining = in_output_buffer_length - off;
 
                SMB_ASSERT(space_remaining >= 0);
 
-               ok = smbd_dirptr_lanman2_entry(state,


-- 
Samba Shared Repository
