authorGordon Ross <gwr@nexenta.com>2019-11-22 23:39:36 -0500
committerGordon Ross <gordon.ross@tintri.com>2021-02-27 13:33:24 -0500
commit25a9a7aaf35c7e4a2b5a57d3875af906147710d5 (patch)
tree32d4dabef674b6ff39dbd02891b5aedb90c803b3 /usr/src/common
parent4d00d81bf82141f996e032f9c53e0e996a5f7204 (diff)
13572 SMB Query FileFsVolumeInformation should allow truncation
Reviewed by: Matt Barden <matt.barden@nexenta.com> Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com> Reviewed by: C Fraire <cfraire@me.com> Approved by: Robert Mustacchi <rm@fingolfin.org>
Diffstat (limited to 'usr/src/common')
-rw-r--r--usr/src/common/smbsrv/smb_msgbuf.c20
1 files changed, 12 insertions, 8 deletions
diff --git a/usr/src/common/smbsrv/smb_msgbuf.c b/usr/src/common/smbsrv/smb_msgbuf.c
index b11cd39a50..5a58a80f37 100644
--- a/usr/src/common/smbsrv/smb_msgbuf.c
+++ b/usr/src/common/smbsrv/smb_msgbuf.c
@@ -22,7 +22,7 @@
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
- * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
*/
/*
@@ -733,8 +733,6 @@ msgbuf_put_oem_string(smb_msgbuf_t *mb, char *mbs, int repc)
if ((mb->flags & SMB_MSGBUF_NOTERM) == 0)
repc += sizeof (char);
}
- if (smb_msgbuf_has_space(mb, repc) == 0)
- return (SMB_MSGBUF_OVERFLOW);
/*
* Convert into a temporary buffer
@@ -756,6 +754,8 @@ msgbuf_put_oem_string(smb_msgbuf_t *mb, char *mbs, int repc)
*/
s = oembuf;
while (repc > 0) {
+ if (smb_msgbuf_has_space(mb, 1) == 0)
+ return (SMB_MSGBUF_OVERFLOW);
*mb->scan++ = *s;
if (*s != '\0')
s++;
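Review bot: The new `return (SMB_MSGBUF_OVERFLOW);` inside the copy loop runs after the string has been converted into the temporary buffer `oembuf`, and nothing in this hunk shows that buffer being released on this path. The allocation is outside the hunk, but if `oembuf` is heap-allocated, this early return should share the normal exit's cleanup, for example by setting a result code and jumping to a common label that frees the buffer. Otherwise every truncated reply would leak the conversion buffer. The same applies to the two overflow returns added in msgbuf_put_unicode_string, where no release of `wcsbuf` is visible between `wp = wcsbuf;` and the final `return (0);`. Because overflow is now reported only after some bytes have been written and `mb->scan` has advanced, that partial-write behaviour is worth stating in the function's header comment; msgbuf_put_oem_string starts and ends outside this hunk.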
@@ -777,6 +777,7 @@ msgbuf_put_unicode_string(smb_msgbuf_t *mb, char *mbs, int repc)
{
smb_wchar_t *wcsbuf = NULL;
smb_wchar_t *wp;
+ smb_wchar_t wchar;
size_t wcslen, wcsbytes;
size_t rlen;
@@ -800,8 +801,6 @@ msgbuf_put_unicode_string(smb_msgbuf_t *mb, char *mbs, int repc)
if ((mb->flags & SMB_MSGBUF_NOTERM) == 0)
repc += sizeof (smb_wchar_t);
}
- if (smb_msgbuf_has_space(mb, repc) == 0)
- return (SMB_MSGBUF_OVERFLOW);
/*
* Convert into a temporary buffer
@@ -824,16 +823,21 @@ msgbuf_put_unicode_string(smb_msgbuf_t *mb, char *mbs, int repc)
* little-endian order while copying.
*/
wp = wcsbuf;
- while (repc > 1) {
- smb_wchar_t wchar = LE_IN16(wp);
+ while (repc >= sizeof (smb_wchar_t)) {
+ if (smb_msgbuf_has_space(mb, sizeof (smb_wchar_t)) == 0)
+ return (SMB_MSGBUF_OVERFLOW);
+ wchar = LE_IN16(wp);
LE_OUT16(mb->scan, wchar);
mb->scan += 2;
if (wchar != 0)
wp++;
repc -= sizeof (smb_wchar_t);
}
- if (repc > 0)
+ if (repc > 0) {
+ if (smb_msgbuf_has_space(mb, 1) == 0)
+ return (SMB_MSGBUF_OVERFLOW);
*mb->scan++ = '\0';
+ }
return (0);
}
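Review bot: `while (repc >= sizeof (smb_wchar_t))` compares the `int` parameter `repc` with a `size_t`, so `repc` is converted to unsigned for the test, unlike the removed `repc > 1`, which was a signed comparison. A negative `repc` would then count as a very large value instead of ending the loop, although the per-iteration space check would still bound the writes. The code above this hunk appears to normalise `repc` first, but that is not fully visible here, so keeping the condition signed is the safer form: `while (repc >= (int)sizeof (smb_wchar_t)) {`. As a smaller point, `mb->scan += 2;` could be written as `mb->scan += sizeof (smb_wchar_t);` to match the space check added just above it.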