← Back to branch summary

~ubuntu-branches/ubuntu/intrepid/samba/intrepid-updates

« back to all changes in this revision

Viewing changes to source/smbd/nttrans.c

  • Committer: Bazaar Package Importer
  • Author(s): Chuck Short
  • Date: 2008-06-02 09:01:46 UTC
  • mfrom: (0.25.3 upstream)
  • Revision ID: james.westby@ubuntu.com-20080602090146-92ur4nx39ccg708r
Tags: 2:3.0.30-2ubuntu1
https://launchpad.net/bugs/32067
https://launchpad.net/bugs/201059
https://launchpad.net/bugs/206036
* Merge from debian unstable, remaining changes:
  * debian/patches/VERSION.patch
    - set SAMABA_VERSION_VENDOR_SUFFIX to Ubuntu
  * debian/smb.conf
    - add "(Samba, Ubuntu)" to server string.
    - comment out the default [homes] shares, and a comment about
      "value users = %S to show users how to restrict access to 
      \\server\useranem to only username.
    - Add map to guest = Bad user, maps bad username to guest access.
      (LP: #32067)
  * debian/samba-common.postinst:
    - Fix upgrade from a first installation done with feisty, edgy, or dapper.
      (LP: #201059)
    - When populating the new sambashare group, it's not an error if the user
      simply doesn't exist; test for this case and the install continue 
      instead of aborting. (LP: #206036)
  * debian/smba-common.config:
    - do not change priority to HIGH if dhclient3 is installed
    - used priority medium instead of hight for the workgroup question
  * debian/winbind.files
    - insclude additional files
  * debian/patches/fix-documentation.patch:
    - fix typos in net(8) and smb.conf(5) man pages
  * debian/mksambapasswd.awk:
    - Don't add user with UID less than 1000 to smbpasswd.
  * debian/samba.init:
    - add 'status' option for LSB conformance.
  * Updated control version.
  * Dropped Changes:
    - Dropped debian/patches/fix-smbprinting-os2.patch. Accepted upstream.
    - Dropped debian/patches/fix-documentation.patch. Accepted upstream.
     

Show diffs side-by-side

added added

removed removed

Lines of Context:
source/smbd/nttrans.c
2978
2978
        uint32 psoff = IVAL(inbuf,smb_nt_ParameterOffset);
2979
2979
        uint32 dscnt = IVAL(inbuf,smb_nt_DataCount);
2980
2980
        uint32 dsoff = IVAL(inbuf,smb_nt_DataOffset);
2981
 
        
 
2981
        uint32 av_size = size-4;
 
2982
 
2982
2983
        uint16 function_code = SVAL( inbuf, smb_nt_Function);
2983
2984
        NTSTATUS result;
2984
2985
        struct trans_state *state;
3049
3050
                        END_PROFILE(SMBnttrans);
3050
3051
                        return(ERROR_DOS(ERRDOS,ERRnomem));
3051
3052
                } 
3052
 
                if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
3053
 
                        goto bad_param;
3054
 
                if ((smb_base(inbuf)+dsoff+dscnt > inbuf + size) ||
3055
 
                    (smb_base(inbuf)+dsoff+dscnt < smb_base(inbuf)))
3056
 
                        goto bad_param;
 
3053
 
 
3054
                if (dscnt > state->total_data ||
 
3055
                                dsoff+dscnt < dsoff) {
 
3056
                        goto bad_param;
 
3057
                }
 
3058
 
 
3059
                if (dsoff > av_size ||
 
3060
                                dscnt > av_size ||
 
3061
                                dsoff+dscnt > av_size) {
 
3062
                        goto bad_param;
 
3063
                }
3057
3064
 
3058
3065
                memcpy(state->data,smb_base(inbuf)+dsoff,dscnt);
3059
3066
        }
3069
3076
                        END_PROFILE(SMBnttrans);
3070
3077
                        return(ERROR_DOS(ERRDOS,ERRnomem));
3071
3078
                } 
3072
 
                if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
3073
 
                        goto bad_param;
3074
 
                if ((smb_base(inbuf)+psoff+pscnt > inbuf + size) ||
3075
 
                    (smb_base(inbuf)+psoff+pscnt < smb_base(inbuf)))
3076
 
                        goto bad_param;
 
3079
 
 
3080
                if (pscnt > state->total_param ||
 
3081
                                psoff+pscnt < psoff) {
 
3082
                        goto bad_param;
 
3083
                }
 
3084
 
 
3085
                if (psoff > av_size ||
 
3086
                                pscnt > av_size ||
 
3087
                                psoff+pscnt > av_size) {
 
3088
                        goto bad_param;
 
3089
                }
3077
3090
 
3078
3091
                memcpy(state->param,smb_base(inbuf)+psoff,pscnt);
3079
3092
        }
3144
3157
                   int size,int bufsize)
3145
3158
{
3146
3159
        int outsize = 0;
3147
 
        unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp;
 
3160
        uint32_t pcnt,poff,dcnt,doff,pdisp,ddisp;
 
3161
        uint32_t av_size = size-4;
3148
3162
        struct trans_state *state;
3149
3163
 
3150
3164
        START_PROFILE(SMBnttranss);
3188
3202
                goto bad_param;
3189
3203
 
3190
3204
        if (pcnt) {
3191
 
                if (pdisp+pcnt > state->total_param)
3192
 
                        goto bad_param;
3193
 
                if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
3194
 
                        goto bad_param;
3195
 
                if (pdisp > state->total_param)
3196
 
                        goto bad_param;
3197
 
                if ((smb_base(inbuf) + poff + pcnt > inbuf + size) ||
3198
 
                    (smb_base(inbuf) + poff + pcnt < smb_base(inbuf)))
3199
 
                        goto bad_param;
3200
 
                if (state->param + pdisp < state->param)
3201
 
                        goto bad_param;
 
3205
                if (pdisp > state->total_param ||
 
3206
                                pcnt > state->total_param ||
 
3207
                                pdisp+pcnt > state->total_param ||
 
3208
                                pdisp+pcnt < pdisp) {
 
3209
                        goto bad_param;
 
3210
                }
 
3211
 
 
3212
                if (poff > av_size ||
 
3213
                                pcnt > av_size ||
 
3214
                                poff+pcnt > av_size ||
 
3215
                                poff+pcnt < poff) {
 
3216
                        goto bad_param;
 
3217
                }
3202
3218
 
3203
3219
                memcpy(state->param+pdisp,smb_base(inbuf)+poff,
3204
3220
                       pcnt);
3205
3221
        }
3206
3222
 
3207
3223
        if (dcnt) {
3208
 
                if (ddisp+dcnt > state->total_data)
3209
 
                        goto bad_param;
3210
 
                if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
3211
 
                        goto bad_param;
3212
 
                if (ddisp > state->total_data)
3213
 
                        goto bad_param;
3214
 
                if ((smb_base(inbuf) + doff + dcnt > inbuf + size) ||
3215
 
                    (smb_base(inbuf) + doff + dcnt < smb_base(inbuf)))
3216
 
                        goto bad_param;
3217
 
                if (state->data + ddisp < state->data)
3218
 
                        goto bad_param;
 
3224
                if (ddisp > state->total_data ||
 
3225
                                dcnt > state->total_data ||
 
3226
                                ddisp+dcnt > state->total_data ||
 
3227
                                ddisp+dcnt < ddisp) {
 
3228
                        goto bad_param;
 
3229
                }
 
3230
 
 
3231
                if (ddisp > av_size ||
 
3232
                                dcnt > av_size ||
 
3233
                                ddisp+dcnt > av_size ||
 
3234
                                ddisp+dcnt < ddisp) {
 
3235
                        goto bad_param;
 
3236
                }
3219
3237
 
3220
3238
                memcpy(state->data+ddisp, smb_base(inbuf)+doff,
3221
3239
                       dcnt);