Check sizes of data entries in connections.tdb before deciding they're crecs...

We will need this when we use finer grained locking for max connections.
Jeremy.

4 files changed, 30 insertions, 7 deletions

diff --git a/source/lib/messages.c b/source/lib/messages.c
index 3b45a9c305c..b18cebf6cf5 100644
--- a/source/lib/messages.c
+++ b/source/lib/messages.c
@@ -361,9 +361,13 @@ static int traverse_fn(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf, void
 	struct connections_data crec;
 	struct msg_all *msg_all = (struct msg_all *)state;
 
+	if (dbuf.dsize != sizeof(crec))
+		return 0;
+
 	memcpy(&crec, dbuf.dptr, sizeof(crec));
 
-	if (crec.cnum != -1) return 0;
+	if (crec.cnum != -1)
+		return 0;
 
 	/* if the msg send fails because the pid was not found (i.e. smbd died), 
 	 * the msg has already been deleted from the messages.tdb.*/
diff --git a/source/smbd/connection.c b/source/smbd/connection.c
index 47579fa5f75..5a3fcc2975d 100644
--- a/source/smbd/connection.c
+++ b/source/smbd/connection.c
@@ -79,6 +79,9 @@ static int count_fn( TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf, void *u
 	struct connections_data crec;
 	struct count_stat *cs = (struct count_stat *)udp;
  
+	if (dbuf.dsize != sizeof(crec))
+		return 0;
+
 	memcpy(&crec, dbuf.dptr, sizeof(crec));
  
 	if (crec.cnum == -1)
diff --git a/source/utils/status.c b/source/utils/status.c
index 243ccdd7557..55c3c1bad19 100644
--- a/source/utils/status.c
+++ b/source/utils/status.c
@@ -186,9 +186,13 @@ static int traverse_fn1(TDB_CONTEXT *tdb, TDB_DATA kbuf, TDB_DATA dbuf, void *st
 	struct session_record *ptr;
 	struct connections_data crec;
 
+	if (dbuf.dsize != sizeof(crec))
+		return 0;
+
 	memcpy(&crec, dbuf.dptr, sizeof(crec));
 
-	if (crec.cnum == -1) return 0;
+	if (crec.cnum == -1)
+		return 0;
 
 	if (!process_exists(crec.pid) || !Ucrit_checkUsername(uidtoname(crec.uid))) {
 		return 0;
diff --git a/source/web/statuspage.c b/source/web/statuspage.c
index 27a40d16958..51f2e8f00e6 100644
--- a/source/web/statuspage.c
+++ b/source/web/statuspage.c
@@ -1,6 +1,6 @@
 /* 
    Unix SMB/Netbios implementation.
-   Version 1.9.
+   Version 2.2.
    web status page
    Copyright (C) Andrew Tridgell 1997-1998
    
@@ -76,6 +76,10 @@ static void print_share_mode(share_mode_entry *e, char *fname)
 static int traverse_fn1(TDB_CONTEXT *tdb, TDB_DATA kbuf, TDB_DATA dbuf, void* state)
 {
 	struct connections_data crec;
+
+	if (dbuf.dsize != sizeof(crec))
+		return 0;
+
 	memcpy(&crec, dbuf.dptr, sizeof(crec));
 
 	if (crec.cnum == -1 && process_exists(crec.pid)) {
@@ -92,10 +96,14 @@ static int traverse_fn1(TDB_CONTEXT *tdb, TDB_DATA kbuf, TDB_DATA dbuf, void* st
 static int traverse_fn2(TDB_CONTEXT *tdb, TDB_DATA kbuf, TDB_DATA dbuf, void* state)
 {
 	struct connections_data crec;
+
+	if (dbuf.dsize != sizeof(crec))
+		return 0;
+
 	memcpy(&crec, dbuf.dptr, sizeof(crec));
 	
-	if (crec.cnum != -1 || !process_exists(crec.pid) ||
-	    (crec.pid == smbd_pid)) return 0;
+	if (crec.cnum != -1 || !process_exists(crec.pid) || (crec.pid == smbd_pid))
+		return 0;
 
 	printf("<tr><td>%d</td><td>%s</td><td>%s</td><td>%s</td>\n",
 	       (int)crec.pid,
@@ -114,9 +122,14 @@ static int traverse_fn2(TDB_CONTEXT *tdb, TDB_DATA kbuf, TDB_DATA dbuf, void* st
 static int traverse_fn3(TDB_CONTEXT *tdb, TDB_DATA kbuf, TDB_DATA dbuf, void* state)
 {
 	struct connections_data crec;
+
+	if (dbuf.dsize != sizeof(crec))
+		return 0;
+
 	memcpy(&crec, dbuf.dptr, sizeof(crec));
 
-	if (crec.cnum == -1 || !process_exists(crec.pid)) return 0;
+	if (crec.cnum == -1 || !process_exists(crec.pid))
+		return 0;
 
 	printf("<tr><td>%s</td><td>%s</td><td>%s</td><td>%d</td><td>%s</td><td>%s</td></tr>\n",
 	       crec.name,uidtoname(crec.uid),
@@ -278,4 +291,3 @@ void status_page(void)
 		printf("//-->\n</script>\n");
 	}
 }
-