authorJeremy Allison <jra@samba.org>1999-02-03 22:30:38 +0000
committerJeremy Allison <jra@samba.org>1999-02-03 22:30:38 +0000
commit5bd963368b106839d000eca91d8d58ce2d09052a (patch)
tree3a8f56c08f4e73b1abc7fa2d46cb957f22731c7b
parent72f989fa514d71def76410d755fed4f43ca3759e (diff)
Someone sent me a trace showing a client doing a readraw request
with a completely bogus FID (0xFFFF). This was causing the new 2.0 code to crash by indirecting through a null pointer, as the old debug code wanted to print this fid value, and was using fsp->fnum to do it - erroneously assuming that fsp was non-null. Jeremy.
-rw-r--r--source/smbd/reply.c17
1 files changed, 10 insertions, 7 deletions
diff --git a/source/smbd/reply.c b/source/smbd/reply.c
index ec2bdcb55cd..6728ef61e3c 100644
--- a/source/smbd/reply.c
+++ b/source/smbd/reply.c
@@ -1916,6 +1916,16 @@ int reply_readbraw(connection_struct *conn, char *inbuf, char *outbuf, int dum_s
fsp = file_fsp(inbuf,smb_vwv0);
+ if (!FNUM_OK(fsp,conn) || !fsp->can_read) {
+ /*
+ * fsp could be NULL here so use the value from the packet. JRA.
+ */
+ DEBUG(3,("fnum %d not open in readbraw - cache prime?\n",(int)SVAL(inbuf,smb_vwv0)));
+ _smb_setlen(header,0);
+ transfer_file(0,Client,(SMB_OFF_T)0,header,4,0);
+ return(-1);
+ }
+
startpos = IVAL(inbuf,smb_vwv1);
if(CVAL(inbuf,smb_wct) == 10) {
/*
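Review bot: The new guard `if (!FNUM_OK(fsp,conn) || !fsp->can_read)` only avoids the NULL dereference if FNUM_OK() itself rejects a NULL fsp before the short-circuited `!fsp->can_read` is evaluated; the macro is not visible in this hunk, so that dependency should be stated where the check is made, e.g. `/* FNUM_OK() must reject a NULL fsp; the can_read test below dereferences it. */`. The comment added at the top of the block explains only why SVAL(inbuf,smb_vwv0) replaces fsp->fnum in the DEBUG line, not why the dereference on the condition line is safe, which was the actual crash. The return value of `transfer_file(0,Client,(SMB_OFF_T)0,header,4,0)` is still ignored on this error path, as it was in the block removed in the second hunk; a short write of the zero-length header leaves the client waiting, so a DEBUG on failure would help when diagnosing such bogus-FID requests. reply_readbraw() begins before this hunk, so the earlier handling of inbuf is not visible here.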
@@ -1956,13 +1966,6 @@ int reply_readbraw(connection_struct *conn, char *inbuf, char *outbuf, int dum_s
maxcount = MIN(65535,maxcount);
maxcount = MAX(mincount,maxcount);
- if (!FNUM_OK(fsp,conn) || !fsp->can_read) {
- DEBUG(3,("fnum %d not open in readbraw - cache prime?\n",fsp->fnum));
- _smb_setlen(header,0);
- transfer_file(0,Client,(SMB_OFF_T)0,header,4,0);
- return(-1);
- }
-
if (!is_locked(fsp,conn,maxcount,startpos, F_RDLCK))
{
SMB_OFF_T size = fsp->size;