From f6afda0bc867f1080c45e1f6f79d5032c41d2b1a Mon Sep 17 00:00:00 2001
From: Christian Ambach
Date: Mon, 27 Feb 2012 17:51:40 -0800
Subject: [PATCH] s3:smb2_server verify creditcharge for all requests that have max_???? checks, also do a check of the creditcharge the client has sent (when using largemtu)
Signed-off-by: Jeremy Allison
---
 source3/smbd/smb2_find.c | 8 ++++++++
 source3/smbd/smb2_getinfo.c | 6 ++++++
 source3/smbd/smb2_notify.c | 7 +++++++
 source3/smbd/smb2_read.c | 5 +++++
 source3/smbd/smb2_setinfo.c | 6 ++++++
 source3/smbd/smb2_write.c | 5 +++++
 6 files changed, 37 insertions(+)
diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c
index 99d3447860a..9c0d18b278f 100644
--- a/source3/smbd/smb2_find.c
+++ b/source3/smbd/smb2_find.c
@@ -282,6 +282,14 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
 return tevent_req_post(req, ev);
 }
 
+ status = smbd_smb2_request_verify_creditcharge(smb2req,
+ in_output_buffer_length);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
 switch (in_file_info_class) {
 case SMB2_FIND_DIRECTORY_INFO:
 info_level = SMB_FIND_FILE_DIRECTORY_INFO;
diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c
index 7d0f9468982..e8d918df388 100644
--- a/source3/smbd/smb2_getinfo.c
+++ b/source3/smbd/smb2_getinfo.c
@@ -97,6 +97,12 @@ NTSTATUS smbd_smb2_request_process_getinfo(struct smbd_smb2_request *req)
 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
 }
 
+ status = smbd_smb2_request_verify_creditcharge(req,
+ MAX(in_input_buffer.length,in_output_buffer_length));
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(req, status);
+ }
+
 if (req->compat_chain_fsp) {
 /* skip check */
 } else if (in_file_id_persistent != in_file_id_volatile) {
diff --git a/source3/smbd/smb2_notify.c b/source3/smbd/smb2_notify.c
index be56b18799e..3f5365c154b 100644
--- a/source3/smbd/smb2_notify.c
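Review bot: The failure branch added to smbd_smb2_find_send discards the status returned by smbd_smb2_request_verify_creditcharge and always reports NT_STATUS_INVALID_PARAMETER, whereas the getinfo, notify, read, setinfo and write hunks of this patch all return `status` unchanged. An under-charged FIND would then fail with a different error from an under-charged READ, and the real reason is lost for anyone diagnosing credit problems from the server side. Pass the value through instead: `tevent_req_nterror(req, status);`. The function body starts and ends outside the hunk.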
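Review bot: The `MAX(in_input_buffer.length,in_output_buffer_length)` argument in smbd_smb2_request_process_getinfo is the only call in the patch that charges for both directions, and nothing in the hunk records why. A one-line comment such as `/* the charge covers the larger of the request and response payloads */` would state the intent. The prototype of smbd_smb2_request_verify_creditcharge is not part of this patch, so if `in_input_buffer.length` is a size_t it is worth confirming that the length parameter does not silently narrow it. The MAX arguments also lack a space after the comma.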
+++ b/source3/smbd/smb2_notify.c
@@ -77,6 +77,13 @@ NTSTATUS smbd_smb2_request_process_notify(struct smbd_smb2_request *req)
 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
 }
 
+ status = smbd_smb2_request_verify_creditcharge(req,
+ in_output_buffer_length);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(req, status);
+ }
+
 if (req->compat_chain_fsp) {
 /* skip check */
 } else if (in_file_id_persistent != in_file_id_volatile) {
diff --git a/source3/smbd/smb2_read.c b/source3/smbd/smb2_read.c
index 13bcbdfd19b..0b6e2ee4618 100644
--- a/source3/smbd/smb2_read.c
+++ b/source3/smbd/smb2_read.c
@@ -80,6 +80,11 @@ NTSTATUS smbd_smb2_request_process_read(struct smbd_smb2_request *req)
 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
 }
 
+ status = smbd_smb2_request_verify_creditcharge(req, in_length);
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(req, status);
+ }
+
 if (req->compat_chain_fsp) {
 /* skip check */
 } else if (in_file_id_persistent != in_file_id_volatile) {
diff --git a/source3/smbd/smb2_setinfo.c b/source3/smbd/smb2_setinfo.c
index ac6adc3d8fc..be506ccecf6 100644
--- a/source3/smbd/smb2_setinfo.c
+++ b/source3/smbd/smb2_setinfo.c
@@ -85,6 +85,12 @@ NTSTATUS smbd_smb2_request_process_setinfo(struct smbd_smb2_request *req)
 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
 }
 
+ status = smbd_smb2_request_verify_creditcharge(req,
+ in_input_buffer.length);
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(req, status);
+ }
+
 if (req->compat_chain_fsp) {
 /* skip check */
 } else if (in_file_id_persistent != in_file_id_volatile) {
diff --git a/source3/smbd/smb2_write.c b/source3/smbd/smb2_write.c
index b0ffd44b495..163672cdb11 100644
--- a/source3/smbd/smb2_write.c
+++ b/source3/smbd/smb2_write.c
@@ -88,6 +88,11 @@ NTSTATUS smbd_smb2_request_process_write(struct smbd_smb2_request *req)
 in_data_buffer.data = (uint8_t *)req->in.vector[i+2].iov_base;
 in_data_buffer.length = in_data_length;
 
+ status = smbd_smb2_request_verify_creditcharge(req, in_data_length);
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(req, status);
+ }
+
 if (req->compat_chain_fsp) {
 /* skip check */
 } else if (in_file_id_persistent != in_file_id_volatile) {
-- 
2.11.4.GIT
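Review bot: In smbd_smb2_request_process_write the credit check runs after `in_data_buffer` has already been populated from the client-supplied `in_data_length`, and unlike the other five handlers no size rejection is visible in the context lines directly above it. The earlier part of the function is outside the hunk, so the length may already be bounded there. If so, a comment such as `/* in_data_length is already validated against the request vector and the maximum write size */` would make the ordering explicit for later readers. If it is not, that validation should come before the length is used to compute a charge. It is also worth confirming, in the verifier that is defined outside this patch, that a zero length is charged as a single credit rather than run through an unguarded `length - 1`.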