author | Jeremy Allison <jra@samba.org> | 2014-08-25 17:11:58 -0700 |
---|---|---|
committer | David Disseldorp <ddiss@samba.org> | 2014-09-16 01:56:54 +0200 |
commit | 0519088c53b201b7ca1f144f3f2da052c612c0e7 (patch) | |
tree | 59d41b8d7869877d0c8579fb2663817a618f9f84 /source3/smbd/reply.c | |
parent | c7b89bb9e5531be378c1b71fa7165f3ce74c83bb (diff) | |
s3: smbd: Change the function signature of srvstr_push() from returning a length to returning an NTSTATUS with a length param.
srvstr_push_fn() now returns an NTSTATUS reporting any
string conversion failure.
We need to get serious about returning character set conversion errors
inside smbd.
Bug 10775 - smbd crashes when accessing garbage filenames
https://bugzilla.samba.org/show_bug.cgi?id=10775
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Diffstat (limited to 'source3/smbd/reply.c')
-rw-r--r-- | source3/smbd/reply.c | 30 |
1 files changed, 23 insertions, 7 deletions
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 2422ad3629..3c22bbb09a 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -1099,6 +1099,8 @@ void reply_ioctl(struct smb_request *req) switch (ioctl_code) { case IOCTL_QUERY_JOB_INFO: { + NTSTATUS status; + size_t len = 0; files_struct *fsp = file_fsp( req, SVAL(req->vwv+0, 0)); if (!fsp) { @@ -1109,15 +1111,25 @@ void reply_ioctl(struct smb_request *req) /* Job number */ SSVAL(p, 0, print_spool_rap_jobid(fsp->print_file)); - srvstr_push((char *)req->outbuf, req->flags2, p+2, + status = srvstr_push((char *)req->outbuf, req->flags2, p+2, lp_netbios_name(), 15, - STR_TERMINATE|STR_ASCII); + STR_TERMINATE|STR_ASCII, &len); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + END_PROFILE(SMBioctl); + return; + } if (conn) { - srvstr_push((char *)req->outbuf, req->flags2, + status = srvstr_push((char *)req->outbuf, req->flags2, p+18, lp_servicename(talloc_tos(), SNUM(conn)), - 13, STR_TERMINATE|STR_ASCII); + 13, STR_TERMINATE|STR_ASCII, &len); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + END_PROFILE(SMBioctl); + return; + } } else { memset(p+18, 0, 13); } @@ -5791,6 +5803,7 @@ void reply_printqueue(struct smb_request *req) char *p = blob; time_t qtime = spoolss_Time_to_time_t(&info[i].info2.submitted); int qstatus; + size_t len = 0; uint16_t qrapjobid = pjobid_to_rap(sharename, info[i].info2.job_id); @@ -5805,9 +5818,12 @@ void reply_printqueue(struct smb_request *req) SSVAL(p, 5, qrapjobid); SIVAL(p, 7, info[i].info2.size); SCVAL(p, 11, 0); - srvstr_push(blob, req->flags2, p+12, - info[i].info2.notify_name, 16, STR_ASCII); - + status = srvstr_push(blob, req->flags2, p+12, + info[i].info2.notify_name, 16, STR_ASCII, &len); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } if (message_push_blob( &req->outbuf, data_blob_const( |
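Review bot: In the second reply_ioctl hunk the new `len` out-parameter is filled by both srvstr_push() calls but never read, so nothing visible ties the number of bytes written to the fixed 15- and 13-byte fields at `p+2` and `p+18`. Whether the unwritten tail of each field is zeroed depends on code outside the hunk; only the `else` branch shows an explicit `memset(p+18, 0, 13)`. If the reply data is cleared earlier in the function, a comment at the first call such as `/* len unused: fixed-width fields, reply data already zeroed */` would record that assumption; if it is not, stale buffer bytes could be sent to the client and the fields should be cleared before the push. reply_ioctl starts and ends outside the hunk, so this cannot be confirmed from the page.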
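Review bot: In the reply_printqueue hunk a conversion failure on a single `info[i].info2.notify_name` now leaves the per-job loop through `goto out` after `reply_nterror(req, status)`, so one job with an unconvertible name appears to turn the whole queue listing into an error reply. If that is the intended trade-off, state it in a comment above the check, e.g. `/* One unconvertible notify_name fails the whole listing (bug 10775). */`. Logging before bailing would let an administrator identify the offending job, e.g. `DEBUG(3, ("reply_printqueue: notify_name conversion failed: %s\n", nt_errstr(status)));`. `status` and the `out` label are declared outside the hunk, so the cleanup path itself cannot be checked from here.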