
(-)exclude (-4 / +2 lines)
Lines 1689-1698 Link Here
1689
SMB FILESYSTEM
1689
SMB FILESYSTEM
1690
P:     Urban Widmark
1690
P:     Urban Widmark
1691
M:     urban@teststation.com
1691
M:     Urban.Widmark@enlight.net
1692
W:     http://samba.org/
1692
S:     Odd Fixes
1693
L:     samba@samba.org
1694
S:     Maintained
1695
SNA NETWORK LAYER
1693
SNA NETWORK LAYER
1696
P:     Jay Schulist
1694
P:     Jay Schulist
(-)exclude (-4 / +8 lines)
Lines 1289-1297 Link Here
1289
       data_len = WVAL(buf, 1);
1289
       data_len = WVAL(buf, 1);
1290
       /* we can NOT simply trust the data_len given by the server ... */
1290
       /* we can NOT simply trust the data_len given by the server ... */
1291
       if (data_len > server->packet_size - (buf+3 - server->packet)) {
1291
       if (data_len > count ||
1292
           data_len > server->packet_size - (buf+3 - server->packet)) {
1292
               printk(KERN_ERR "smb_proc_read: invalid data length!! "
1293
               printk(KERN_ERR "smb_proc_read: invalid data length!! "
1293
                      "%d > %d - (%p - %p)\n",
1294
                      "%d > %d || %d > %d - (%p - %p)\n",
1295
                      data_len, count,
1294
                      data_len, server->packet_size, buf+3, server->packet);
1296
                      data_len, server->packet_size, buf+3, server->packet);
1295
               result = -EIO;
1297
               result = -EIO;
1296
               goto out;
1298
               goto out;
Lines 1378-1386 Link Here
1378
       buf = smb_base(server->packet) + data_off;
1380
       buf = smb_base(server->packet) + data_off;
1379
       /* we can NOT simply trust the info given by the server ... */
1381
       /* we can NOT simply trust the info given by the server ... */
1380
       if (data_len > server->packet_size - (buf - server->packet)) {
1382
       if (data_len > count ||
1383
           data_len > server->packet_size - (buf - server->packet)) {
1381
               printk(KERN_ERR "smb_proc_read: invalid data length!! "
1384
               printk(KERN_ERR "smb_proc_read: invalid data length!! "
1382
                      "%d > %d - (%p - %p)\n",
1385
                      "%d > %d || %d > %d - (%p - %p)\n",
1386
                      data_len, count,
1383
                      data_len, server->packet_size, buf, server->packet);
1387
                      data_len, server->packet_size, buf, server->packet);
1384
               result = -EIO;
1388
               result = -EIO;
1385
               goto out;
1389
               goto out;
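Review bot: In the second hunk (old line 1380), the bound `server->packet_size - (buf - server->packet)` is only meaningful while `buf` still points inside the packet, and `buf` has just been computed from `data_off`, which the comment suggests is server-supplied (its origin is outside the hunk). If `data_off` is too large, the right-hand side goes negative, and whether the reply is then rejected depends on the comparison staying signed, which rests on declarations not visible here. I would bound the offset explicitly by adding `buf - server->packet > server->packet_size ||` as the first condition, and note in the comment that `count` is presumably the size of the caller's buffer. The `printk(KERN_ERR ...)` in both hunks is reachable from server-controlled data, so consider guarding it with `net_ratelimit()` so a misbehaving server cannot flood the log. The enclosing function starts and ends outside both hunks.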
(-)exclude (+3 lines)
Lines 625-630 Link Here
625
               server->packet = rcv_buf;
625
               server->packet = rcv_buf;
626
               rcv_buf = inbuf;
626
               rcv_buf = inbuf;
627
       } else {
627
       } else {
628
               if (parm_len + data_len > buf_len)
629
                       goto out_data_grew;
630
628
               PARANOIA("copying data, old size=%d, new size=%u\n",
631
               PARANOIA("copying data, old size=%d, new size=%u\n",
629
                        server->packet_size, buf_len);
632
                        server->packet_size, buf_len);
630
               memcpy(inbuf, rcv_buf, parm_len + data_len);
633
               memcpy(inbuf, rcv_buf, parm_len + data_len);
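Review bot: The added guard `parm_len + data_len > buf_len` computes the sum before comparing it, so it protects the `memcpy` only if the sum cannot wrap; the declarations of `parm_len` and `data_len`, and any earlier bound on them, are outside the hunk. If they are accumulated from server-supplied counts, the subtraction form `if (parm_len > buf_len || data_len > buf_len - parm_len)` rejects the same cases without relying on that. A one-line comment such as `/* inbuf holds buf_len bytes; never copy a larger reply into it */` would record why the check is here, assuming `inbuf` really is `buf_len` bytes, which this hunk does not show. The check sits only in the `else` branch; the branch above it swaps buffers instead of copying, and it begins outside the hunk.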
