| author | Jeremy Allison <jra@samba.org> | 2014-08-25 17:05:47 -0700 |
|---|---|---|
| committer | David Disseldorp <ddiss@samba.org> | 2014-09-16 01:56:54 +0200 |
| commit | c7b89bb9e5531be378c1b71fa7165f3ce74c83bb (patch) | |
| tree | a8748fca2e5a586d39de34d86e82aa7bd2bf6646 /source3 | |
| parent | 5c7e272190a3aeaab40c6810826043f66a9c792b (diff) | |
s3: smbd: Ensure types for all variables called 'len' used in srvstr_push() are correct.
Bug 10775 - smbd crashes when accessing garbage filenames
https://bugzilla.samba.org/show_bug.cgi?id=10775
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Diffstat (limited to 'source3')
| -rw-r--r-- | source3/smbd/trans2.c | 22 |
1 files changed, 10 insertions, 12 deletions
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index 1e2c02e12d..70d29f291e 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c @@ -1594,7 +1594,7 @@ static bool smbd_marshall_dir_entry(TALLOC_CTX *ctx, uint64_t file_size = 0; uint64_t allocation_size = 0; uint64_t file_index = 0; - uint32_t len; + size_t len = 0; struct timespec mdate_ts, adate_ts, cdate_ts, create_date_ts; time_t mdate = (time_t)0, adate = (time_t)0, create_date = (time_t)0; char *nameptr; @@ -3077,7 +3077,8 @@ NTSTATUS smbd_do_qfsinfo(struct smbXsrv_connection *xconn, int *ret_data_len) { char *pdata, *end_data; - int data_len = 0, len; + int data_len = 0; + size_t len = 0; const char *vname = volume_label(talloc_tos(), SNUM(conn)); int snum = SNUM(conn); const char *fstype = lp_fstype(SNUM(conn)); @@ -3187,9 +3188,9 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAvail=%d\n", (unsigned int)st.st_ex_dev, (u STR_NOALIGN|STR_TERMINATE); SCVAL(pdata,l2_vol_cch,len); data_len = l2_vol_szVolLabel + len; - DEBUG(5,("smbd_do_qfsinfo : time = %x, namelen = %d, name = %s\n", + DEBUG(5,("smbd_do_qfsinfo : time = %x, namelen = %u, name = %s\n", (unsigned)convert_timespec_to_time_t(st.st_ex_ctime), - len, vname)); + (unsigned)len, vname)); break; case SMB_QUERY_FS_ATTRIBUTE_INFO: @@ -4426,6 +4427,7 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn, uint64_t allocation_size = 0; uint64_t file_index = 0; uint32_t access_mask = 0; + size_t len = 0; if (INFO_LEVEL_IS_UNIX(info_level) && !lp_unix_extensions()) { return NT_STATUS_INVALID_LEVEL; @@ -4727,7 +4729,6 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn, case SMB_QUERY_FILE_ALT_NAME_INFO: case SMB_FILE_ALTERNATE_NAME_INFORMATION: { - int len; char mangled_name[13]; DEBUG(10,("smbd_do_qfilepathinfo: SMB_FILE_ALTERNATE_NAME_INFORMATION\n")); if (!name_to_8_3(base_name,mangled_name, 
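Review bot: In the `@@ -3187` hunk, `len` is now a `size_t` but is still stored into a single byte by `SCVAL(pdata,l2_vol_cch,len)` and added to the `int data_len`, with no range check in the visible lines. If srvstr_push() can hand back an oversized or failure value for a label it cannot convert (its definition is not on this page), the length byte truncates silently and `data_len` can wrap. A guard before the `SCVAL`, such as `if (len > 0xFF) { return NT_STATUS_INVALID_PARAMETER; }`, would make the bound explicit. The same question applies to the `size_t len` introduced in the `@@ -1594` hunk, whose uses are outside this diff. The srvstr_push() call feeding this case also begins above the hunk.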
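Review bot: The function-scope `size_t len = 0;` added in the `@@ -4426` hunk replaces four block-local declarations (removed in the hunks at 4727, 4746, 4777 and 4810), and the zero initialiser means a case that reads `len` before assigning it will compile quietly instead of raising an uninitialised-variable warning. Keeping the declarations block-local as `size_t len;` would preserve that compiler check. If the wider scope is preferred, a comment on the declaration would help, e.g. `/* return value of srvstr_push(); assigned in each case before use */`. The assignments themselves are outside the visible hunks, so this is based on the declarations only.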
@@ -4746,7 +4747,6 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn, case SMB_QUERY_FILE_NAME_INFO: { - int len; /* this must be *exactly* right for ACLs on mapped drives to work */ @@ -4777,7 +4777,6 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn, case SMB_QUERY_FILE_ALL_INFO: case SMB_FILE_ALL_INFORMATION: { - int len; unsigned int ea_size = estimate_ea_size(conn, fsp, smb_fname); DEBUG(10,("smbd_do_qfilepathinfo: SMB_FILE_ALL_INFORMATION\n")); @@ -4810,7 +4809,6 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn, case 0xFF12:/*SMB2_FILE_ALL_INFORMATION*/ { - int len; unsigned int ea_size = estimate_ea_size(conn, fsp, smb_fname); DEBUG(10,("smbd_do_qfilepathinfo: SMB2_FILE_ALL_INFORMATION\n")); @@ -5010,7 +5008,7 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn, case SMB_QUERY_FILE_UNIX_LINK: { - int len; + int link_len = 0; char *buffer = talloc_array(mem_ctx, char, PATH_MAX+1); if (!buffer) { @@ -5025,13 +5023,13 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn, #else return NT_STATUS_DOS(ERRDOS, ERRbadlink); #endif - len = SMB_VFS_READLINK(conn, + link_len = SMB_VFS_READLINK(conn, smb_fname->base_name, buffer, PATH_MAX); - if (len == -1) { + if (link_len == -1) { return map_nt_error_from_unix(errno); } - buffer[len] = 0; + buffer[link_len] = 0; len = srvstr_push(dstart, flags2, pdata, buffer, PTR_DIFF(dend, pdata), |
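Review bot: In the `@@ -5025` hunk, the renamed `link_len` is still tested with `if (link_len == -1)`, so any other negative return from `SMB_VFS_READLINK` would reach `buffer[link_len] = 0;` and write before the start of the allocation. Testing `if (link_len < 0) {` closes that gap at no cost. For non-negative returns the index stays in bounds, because the buffer is `PATH_MAX+1` bytes and the read is capped at `PATH_MAX`. The declaration `int link_len = 0;` is in the preceding `@@ -5010` hunk, and the `srvstr_push()` call that consumes `buffer` continues past the end of this hunk.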
