diff options
| author | Jeremy Allison <jra@samba.org> | 2007-07-09 00:48:07 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:23:52 -0500 |
| commit | af715c602a8ef6038e6272c7cc6a08501617ae67 (patch) | |
| tree | 83db2e3ee27ca70dbc72ed58ec84c8264620ca45 /source | |
| parent | b68856d9902f41079224ba11c7d0ab811b082201 (diff) | |
| download | samba-af715c602a8ef6038e6272c7cc6a08501617ae67.tar.gz samba-af715c602a8ef6038e6272c7cc6a08501617ae67.tar.xz samba-af715c602a8ef6038e6272c7cc6a08501617ae67.zip | |
r23752: Fix bug introduced by checkin 22920, allow large
readX. Fix from Dmitry Shatrov <dhsatrov@linux.vnet.ibm.com>.
"In send_file_readX(), if startpos > sbuf.st_size, then smb_maxcnt is set
to an invalid large value due to integer overflow.
As for me, this resulted in MS Word hanging while trying to save
a 1.5Mb document."
This isn't in shipping code.
Jeremy.
Diffstat (limited to 'source')
| -rw-r--r-- | source/smbd/reply.c | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/source/smbd/reply.c b/source/smbd/reply.c index 6e41de4ec9a..b17fa1949bc 100644 --- a/source/smbd/reply.c +++ b/source/smbd/reply.c @@ -2590,9 +2590,7 @@ int send_file_readX(connection_struct *conn, char *inbuf,char *outbuf,int length if (startpos > sbuf.st_size) { smb_maxcnt = 0; - } - - if (smb_maxcnt > (sbuf.st_size - startpos)) { + } else if (smb_maxcnt > (sbuf.st_size - startpos)) { smb_maxcnt = (sbuf.st_size - startpos); } |