Changeset 751 for trunk/server/source3/smbd/process.c

Timestamp:

Nov 29, 2012, 1:59:04 PM (13 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: updated trunk to 3.6.9

File:

• trunk/server/source3/smbd/process.c (modified) (6 diffs)

trunk/server/source3/smbd/process.c

@@ -455 +455 @@
                                         p_unread, &len);
         if (!NT_STATUS_IS_OK(status)) {
-                DEBUG(1, ("read_smb_length_return_keepalive failed for "
-                          "client %s read error = %s.\n",
-                          sconn->client_id.addr, nt_errstr(status)));
+                DEBUG(NT_STATUS_EQUAL(status, NT_STATUS_END_OF_FILE)?5:1,
+                      ("receive_smb_raw_talloc failed for client %s "
+                       "read error = %s.\n",
+                       sconn->client_id.addr, nt_errstr(status)));
                 return status;
         }
@@ -1445 +1446 @@
         /* Make sure this is an SMB packet. smb_size contains NetBIOS header
          * so subtract 4 from it. */
-        if (!valid_smb_header(req->inbuf)
-            || (size < (smb_size - 4))) {
+        if ((size < (smb_size - 4)) ||
+            !valid_smb_header(req->inbuf)) {
                 DEBUG(2,("Non-SMB packet of length %d. Terminating server\n",
                          smb_len(req->inbuf)));
@@ -2092 +2093 @@
 
         /*
-         * Check if the client tries to fool us. The request so far uses the
-         * space to the end of the byte buffer in the request just
-         * processed. The chain_offset can't point into that area. If that was
-         * the case, we could end up with an endless processing of the chain,
-         * we would always handle the same request.
+         * Check if the client tries to fool us. The chain offset
+         * needs to point beyond the current request in the chain, it
+         * needs to strictly grow. Otherwise we might be tricked into
+         * an endless loop always processing the same request over and
+         * over again. We used to assume that vwv and the byte buffer
+         * array in a chain are always attached, but OS/2 the
+         * Write&X/Read&X chain puts the Read&X vwv array right behind
+         * the Write&X vwv chain. The Write&X bcc array is put behind
+         * the Read&X vwv array. So now we check whether the chain
+         * offset points strictly behind the previous vwv
+         * array. req->buf points right after the vwv array of the
+         * previous request. See
+         * https://bugzilla.samba.org/show_bug.cgi?id=8360 for more
+         * information.
          */
 
-        already_used = PTR_DIFF(req->buf+req->buflen, smb_base(req->inbuf));
-        if (chain_offset < already_used) {
+        already_used = PTR_DIFF(req->buf, smb_base(req->inbuf));
+        if (chain_offset <= already_used) {
                 goto error;
         }
@@ -2801 +2811 @@
  * Handle SMBecho requests in a forked child process
  */
-static bool fork_echo_handler(struct smbd_server_connection *sconn)
+bool fork_echo_handler(struct smbd_server_connection *sconn)
 {
         int listener_pipe[2];
@@ -2915 +2925 @@
         int ret;
 
-        if (lp_maxprotocol() == PROTOCOL_SMB2 &&
-            !lp_async_smb_echo_handler()) {
+        if (lp_maxprotocol() == PROTOCOL_SMB2) {
                 /*
                  * We're not making the decision here,
@@ -3037 +3046 @@
         }
 
-        if (lp_async_smb_echo_handler() && !fork_echo_handler(sconn)) {
-                exit_server("Failed to fork echo handler");
-        }
-
         /* Setup oplocks */
         if (!init_oplocks(sconn->msg_ctx))