diff options
author | Stefan Metzmacher <metze@samba.org> | 2013-11-18 13:45:37 +0100 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2014-04-11 21:41:08 +0200 |
commit | 1f767b29a89e15c4d7187cd0bc9b0c2e3152edd7 (patch) | |
tree | b815df001069b454287feb11fd24ab1a6ad32c65 /source3/smbd | |
parent | 95df39b99f17810cb230c4a6a0d0952919cd0b81 (diff) | |
download | samba-1f767b29a89e15c4d7187cd0bc9b0c2e3152edd7.tar.gz samba-1f767b29a89e15c4d7187cd0bc9b0c2e3152edd7.tar.xz samba-1f767b29a89e15c4d7187cd0bc9b0c2e3152edd7.zip |
s3:smb2_write: allow SMBD_SMB2_IN_DYN_LEN() to be 0 for the recvfile case.
For recvfile we haven't read and may not allocated the dyn buffer.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/smb2_write.c | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/source3/smbd/smb2_write.c b/source3/smbd/smb2_write.c index 4e138fe6b06..c61254f644c 100644 --- a/source3/smbd/smb2_write.c +++ b/source3/smbd/smb2_write.c @@ -48,6 +48,8 @@ NTSTATUS smbd_smb2_request_process_write(struct smbd_smb2_request *req) uint64_t in_file_id_volatile; struct files_struct *in_fsp; uint32_t in_flags; + size_t in_dyn_len = 0; + uint8_t *in_dyn_ptr = NULL; struct tevent_req *subreq; status = smbd_smb2_request_verify_sizes(req, 0x31); @@ -67,7 +69,15 @@ NTSTATUS smbd_smb2_request_process_write(struct smbd_smb2_request *req) return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); } - if (in_data_length > SMBD_SMB2_IN_DYN_LEN(req)) { + if (req->smb1req != NULL && req->smb1req->unread_bytes > 0) { + in_dyn_ptr = NULL; + in_dyn_len = req->smb1req->unread_bytes; + } else { + in_dyn_ptr = SMBD_SMB2_IN_DYN_PTR(req); + in_dyn_len = SMBD_SMB2_IN_DYN_LEN(req); + } + + if (in_data_length > in_dyn_len) { return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); } @@ -79,7 +89,10 @@ NTSTATUS smbd_smb2_request_process_write(struct smbd_smb2_request *req) return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); } - in_data_buffer.data = SMBD_SMB2_IN_DYN_PTR(req); + /* + * Note: that in_dyn_ptr is NULL for the recvfile case. + */ + in_data_buffer.data = in_dyn_ptr; in_data_buffer.length = in_data_length; status = smbd_smb2_request_verify_creditcharge(req, in_data_length); @@ -340,6 +353,9 @@ static struct tevent_req *smbd_smb2_write_send(TALLOC_CTX *mem_ctx, return tevent_req_post(req, ev); } + /* + * Note: in_data.data is NULL for the recvfile case. + */ nwritten = write_file(smbreq, fsp, (const char *)in_data.data, in_offset, |