changeset 13516:5a0585080fb5
1761 Codenomicon findings in smbsrv
Reviewed by: Dan McDonald <danmcd@nexenta.com>
Reviewed by: Albert Lee <trisk@nexenta.com>
Approved by: Garrett D'Amore <garrett@nexenta.com>
author | Gordon Ross <gwr@nexenta.com> |
---|---|
date | Fri, 11 Nov 2011 21:50:53 -0500 |
parents | 3e8376ea8eb0 |
children | 86bdede5c41c |
files | usr/src/uts/common/fs/smbsrv/smb_dispatch.c usr/src/uts/common/fs/smbsrv/smb_nt_transact_notify_change.c usr/src/uts/common/fs/smbsrv/smb_session.c usr/src/uts/common/fs/smbsrv/smb_write.c |
diffstat | 4 files changed, 16 insertions(+), 16 deletions(-) [+] |
--- a/usr/src/uts/common/fs/smbsrv/smb_dispatch.c Fri Nov 11 21:55:53 2011 -0500
+++ b/usr/src/uts/common/fs/smbsrv/smb_dispatch.c Fri Nov 11 21:50:53 2011 -0500
@@ -20,6 +20,7 @@
 */
 /*
+ * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
 */
@@ -523,6 +524,7 @@
 smb_session_t *session;
 uint32_t capabilities;
 uint32_t byte_count;
+ uint32_t max_bytes;
 session = sr->session;
 capabilities = session->capabilities;
@@ -624,12 +626,18 @@
 * and this is SmbReadX/SmbWriteX since this enables
 * large reads/write and bcc is only 16-bits.
 */
+ max_bytes = sr->command.max_bytes - sr->command.chain_offset;
 if (((sr->smb_com == SMB_COM_READ_ANDX) && (capabilities & CAP_LARGE_READX)) || ((sr->smb_com == SMB_COM_WRITE_ANDX) && (capabilities & CAP_LARGE_WRITEX))) {
- byte_count = sr->command.max_bytes - sr->command.chain_offset;
+ /* May be > BCC */
+ byte_count = max_bytes;
+ } else if (max_bytes < (uint32_t)sr->smb_bcc) {
+ /* BCC is bogus. Will fail later. */
+ byte_count = max_bytes;
 } else {
+ /* ordinary case */
 byte_count = (uint32_t)sr->smb_bcc;
 }
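Review bot: The added `max_bytes = sr->command.max_bytes - sr->command.chain_offset;` is computed with no visible check that `chain_offset` is no larger than `command.max_bytes`. If that ordering is not already guaranteed earlier in the function (which starts outside this hunk), the value stored in the `uint32_t max_bytes` would be very large and the new `max_bytes < (uint32_t)sr->smb_bcc` clamp would never fire. Either state the invariant in a comment next to the subtraction, or clamp explicitly, e.g. `max_bytes = (sr->command.chain_offset < sr->command.max_bytes) ? sr->command.max_bytes - sr->command.chain_offset : 0;`. The comment `/* BCC is bogus. Will fail later. */` should also name the decode step expected to reject the request, so a later change to that step does not silently turn the clamp into acceptance of a truncated message.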
--- a/usr/src/uts/common/fs/smbsrv/smb_nt_transact_notify_change.c Fri Nov 11 21:55:53 2011 -0500
+++ b/usr/src/uts/common/fs/smbsrv/smb_nt_transact_notify_change.c Fri Nov 11 21:50:53 2011 -0500
@@ -20,6 +20,7 @@
 */
 /*
+ * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
 */
@@ -201,7 +202,7 @@
 node = sr->fid_ofile->f_node;
- if (!smb_node_is_dir(node)) {
+ if (node == NULL || !smb_node_is_dir(node)) {
 /*
 * Notify change requests are only valid on directories.
 */
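Review bot: The new `node == NULL` test protects the call to `smb_node_is_dir()`, but `sr->fid_ofile` is still dereferenced unconditionally on the line just above it. The check therefore only helps if `fid_ofile` is guaranteed non-NULL by code outside this hunk, which is worth confirming or asserting. The comment inside the branch still says only that notify change requests are valid on directories; extending it to something like `/* Notify change is only valid on directories; an ofile with no node (f_node == NULL) is rejected the same way. */` would record why the NULL case exists. The rest of the branch, including the error it returns, is outside the hunk.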
--- a/usr/src/uts/common/fs/smbsrv/smb_session.c Fri Nov 11 21:55:53 2011 -0500
+++ b/usr/src/uts/common/fs/smbsrv/smb_session.c Fri Nov 11 21:50:53 2011 -0500
@@ -19,6 +19,7 @@
 * CDDL HEADER END
 */
 /*
+ * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
 */
 #include <sys/atomic.h>
@@ -367,6 +368,7 @@
 mutex_enter(&sr->sr_mutex);
 switch (sr->sr_state) {
+ case SMB_REQ_STATE_INITIALIZING:
 case SMB_REQ_STATE_SUBMITTED:
 case SMB_REQ_STATE_ACTIVE:
 case SMB_REQ_STATE_CLEANED_UP:
@@ -404,11 +406,8 @@
 * is completing.
 */
 break;
- /*
- * Cases included:
- * SMB_REQ_STATE_FREE:
- * SMB_REQ_STATE_INITIALIZING:
- */
+
+ case SMB_REQ_STATE_FREE:
 default:
 SMB_PANIC();
 }
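Review bot: The added `case SMB_REQ_STATE_INITIALIZING:` has no comment explaining why a request can now legitimately be seen in that state at this switch, when the old code listed it among the panic cases. The body it shares with SUBMITTED/ACTIVE/CLEANED_UP lies outside the hunk, so it cannot be confirmed from here that the body only touches fields that are already valid while a request is still initializing. A line such as `/* a request can reach this switch before it leaves INITIALIZING */` above the label, together with a check of what the shared body reads, would cover it.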
--- a/usr/src/uts/common/fs/smbsrv/smb_write.c Fri Nov 11 21:55:53 2011 -0500
+++ b/usr/src/uts/common/fs/smbsrv/smb_write.c Fri Nov 11 21:50:53 2011 -0500
@@ -20,6 +20,7 @@
 */
 /*
+ * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
 */
@@ -29,14 +30,6 @@
 #include <smbsrv/netbios.h>
-/*
- * The limit in bytes that the marshalling will grow the buffer
- * chain to accomodate incoming data on SmbWriteX requests.
- * This sets the upper limit for the data-count per SmbWriteX
- * request.
- */
-#define SMB_WRITEX_MAX 102400
-
 static int smb_write_truncate(smb_request_t *, smb_rw_param_t *);
@@ -418,7 +411,6 @@
 return (SDRC_ERROR);
 }
- sr->smb_data.max_bytes = SMB_WRITEX_MAX;
 rc = smbsr_decode_data(sr, "#.#B", param->rw_dsoff, param->rw_count, ¶m->rw_vdb);