1761 Codenomicon findings in smbsrv
Reviewed by: Dan McDonald <
[email protected]>
Reviewed by: Albert Lee <
[email protected]>
Approved by: Garrett D'Amore <
[email protected]>
--- a/usr/src/uts/common/fs/smbsrv/smb_dispatch.c Fri Nov 11 21:55:53 2011 -0500
+++ b/usr/src/uts/common/fs/smbsrv/smb_dispatch.c Fri Nov 11 21:50:53 2011 -0500
@@ -20,6 +20,7 @@
*/
/*
+ * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
*/
@@ -523,6 +524,7 @@
smb_session_t *session;
uint32_t capabilities;
uint32_t byte_count;
+ uint32_t max_bytes;
session = sr->session;
capabilities = session->capabilities;
@@ -624,12 +626,18 @@
* and this is SmbReadX/SmbWriteX since this enables
* large reads/write and bcc is only 16-bits.
*/
+ max_bytes = sr->command.max_bytes - sr->command.chain_offset;
if (((sr->smb_com == SMB_COM_READ_ANDX) &&
(capabilities & CAP_LARGE_READX)) ||
((sr->smb_com == SMB_COM_WRITE_ANDX) &&
(capabilities & CAP_LARGE_WRITEX))) {
- byte_count = sr->command.max_bytes - sr->command.chain_offset;
+ /* May be > BCC */
+ byte_count = max_bytes;
+ } else if (max_bytes < (uint32_t)sr->smb_bcc) {
+ /* BCC is bogus. Will fail later. */
+ byte_count = max_bytes;
} else {
+ /* ordinary case */
byte_count = (uint32_t)sr->smb_bcc;
}
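Review bot: The subtraction on the first added line, `max_bytes = sr->command.max_bytes - sr->command.chain_offset;`, relies on chain_offset never exceeding command.max_bytes; if the decoder that sets chain_offset does not enforce that, max_bytes wraps to a large uint32_t, the new `max_bytes < (uint32_t)sr->smb_bcc` clamp can never fire, and the large read/write branch hands the wrapped value on exactly as the old code did. If the invariant is guaranteed elsewhere, say so in the comment; otherwise clamp it: `max_bytes = (sr->command.chain_offset <= sr->command.max_bytes) ? sr->command.max_bytes - sr->command.chain_offset : 0;`. The comment `/* BCC is bogus. Will fail later. */` would help a reader more if it named the consequence, presumably `/* BCC claims more data than was received; clamp so the later data decode fails cleanly instead of trusting the header. */`. The enclosing function begins and ends outside this hunk.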
--- a/usr/src/uts/common/fs/smbsrv/smb_nt_transact_notify_change.c Fri Nov 11 21:55:53 2011 -0500
+++ b/usr/src/uts/common/fs/smbsrv/smb_nt_transact_notify_change.c Fri Nov 11 21:50:53 2011 -0500
@@ -20,6 +20,7 @@
*/
/*
+ * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
*/
@@ -201,7 +202,7 @@
node = sr->fid_ofile->f_node;
- if (!smb_node_is_dir(node)) {
+ if (node == NULL || !smb_node_is_dir(node)) {
/*
* Notify change requests are only valid on directories.
*/
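Review bot: The added `node == NULL ||` test folds a missing node into the "not a directory" rejection without saying when an open fid can have f_node == NULL, so a later reader may take it for a purely defensive check and remove it. Suggest extending the existing comment to `/* Notify change requests are only valid on directories. f_node is NULL for ofiles without a filesystem node (confirm: pipes), and those are rejected the same way. */`. Note that the context line `node = sr->fid_ofile->f_node;` still dereferences fid_ofile unchecked; whether it can be NULL here is decided before this hunk. The enclosing function starts and ends outside the hunk.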
--- a/usr/src/uts/common/fs/smbsrv/smb_session.c Fri Nov 11 21:55:53 2011 -0500
+++ b/usr/src/uts/common/fs/smbsrv/smb_session.c Fri Nov 11 21:50:53 2011 -0500
@@ -19,6 +19,7 @@
* CDDL HEADER END
*/
/*
+ * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
*/
#include <sys/atomic.h>
@@ -367,6 +368,7 @@
mutex_enter(&sr->sr_mutex);
switch (sr->sr_state) {
+ case SMB_REQ_STATE_INITIALIZING:
case SMB_REQ_STATE_SUBMITTED:
case SMB_REQ_STATE_ACTIVE:
case SMB_REQ_STATE_CLEANED_UP:
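Review bot: Adding `case SMB_REQ_STATE_INITIALIZING:` to the group of cancelable states turns what the old code treated as a panic into an accepted cancel, and nothing in the hunk explains why that is now legitimate. Presumably a request is already visible on the session's request list while it is still being initialized, so a cancel from another thread is a race to tolerate rather than a bug; if so, a one-line comment above the new case would record it: `/* INITIALIZING: sr is already on the session list, so cancel can race with setup */`. Whether the later INITIALIZING to SUBMITTED transition honors the cancel flag is outside this hunk and worth confirming. The switch body continues past the hunk, as does the enclosing function.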
@@ -404,11 +406,8 @@
* is completing.
*/
break;
- /*
- * Cases included:
- * SMB_REQ_STATE_FREE:
- * SMB_REQ_STATE_INITIALIZING:
- */
+
+ case SMB_REQ_STATE_FREE:
default:
SMB_PANIC();
}
--- a/usr/src/uts/common/fs/smbsrv/smb_write.c Fri Nov 11 21:55:53 2011 -0500
+++ b/usr/src/uts/common/fs/smbsrv/smb_write.c Fri Nov 11 21:50:53 2011 -0500
@@ -20,6 +20,7 @@
*/
/*
+ * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
*/
@@ -29,14 +30,6 @@
#include <smbsrv/netbios.h>
-/*
- * The limit in bytes that the marshalling will grow the buffer
- * chain to accomodate incoming data on SmbWriteX requests.
- * This sets the upper limit for the data-count per SmbWriteX
- * request.
- */
-#define SMB_WRITEX_MAX 102400
-
static int smb_write_truncate(smb_request_t *, smb_rw_param_t *);
@@ -418,7 +411,6 @@
return (SDRC_ERROR);
}
- sr->smb_data.max_bytes = SMB_WRITEX_MAX;
rc = smbsr_decode_data(sr, "#.#B", param->rw_dsoff, param->rw_count,
¶m->rw_vdb);
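Review bot: Removing `sr->smb_data.max_bytes = SMB_WRITEX_MAX;` leaves smbsr_decode_data bounded by whatever smb_data.max_bytes was given when the request was read, presumably the number of bytes actually received rather than a fixed 100 KiB ceiling, but nothing in the hunk records that, and the deleted define's comment was the only place the limit was documented. A short comment before the decode call would keep the contract visible: `/* smb_data.max_bytes already bounds the decode to the received data; no per-request override. */` (confirm against the code that sets max_bytes). The last context line shows `¶m->rw_vdb`, which is most likely `&param->rw_vdb` mangled in extraction rather than a code change. The enclosing function starts and ends outside the hunk.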