author | Gordon Ross <gwr@nexenta.com> | 2019-11-22 23:39:36 -0500 |
---|---|---|
committer | Gordon Ross <gordon.ross@tintri.com> | 2021-02-27 13:33:24 -0500 |
commit | 25a9a7aaf35c7e4a2b5a57d3875af906147710d5 (patch) | |
tree | 32d4dabef674b6ff39dbd02891b5aedb90c803b3 /usr/src/common | |
parent | 4d00d81bf82141f996e032f9c53e0e996a5f7204 (diff) | |
13572 SMB Query FileFsVolumeInformation should allow truncation
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
Reviewed by: C Fraire <cfraire@me.com>
Approved by: Robert Mustacchi <rm@fingolfin.org>
Diffstat (limited to 'usr/src/common')
-rw-r--r-- | usr/src/common/smbsrv/smb_msgbuf.c | 20 |
1 files changed, 12 insertions, 8 deletions
diff --git a/usr/src/common/smbsrv/smb_msgbuf.c b/usr/src/common/smbsrv/smb_msgbuf.c
index b11cd39a50..5a58a80f37 100644
--- a/usr/src/common/smbsrv/smb_msgbuf.c
+++ b/usr/src/common/smbsrv/smb_msgbuf.c
@@ -22,7 +22,7 @@
 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 *
- * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
 */
 /*
@@ -733,8 +733,6 @@ msgbuf_put_oem_string(smb_msgbuf_t *mb, char *mbs, int repc)
 if ((mb->flags & SMB_MSGBUF_NOTERM) == 0)
 repc += sizeof (char);
 }
- if (smb_msgbuf_has_space(mb, repc) == 0)
- return (SMB_MSGBUF_OVERFLOW);
 /*
 * Convert into a temporary buffer
@@ -756,6 +754,8 @@ msgbuf_put_oem_string(smb_msgbuf_t *mb, char *mbs, int repc)
 */
 s = oembuf;
 while (repc > 0) {
+ if (smb_msgbuf_has_space(mb, 1) == 0)
+ return (SMB_MSGBUF_OVERFLOW);
 *mb->scan++ = *s;
 if (*s != '\0')
 s++;
@@ -777,6 +777,7 @@ msgbuf_put_unicode_string(smb_msgbuf_t *mb, char *mbs, int repc)
 {
 smb_wchar_t *wcsbuf = NULL;
 smb_wchar_t *wp;
+ smb_wchar_t wchar;
 size_t wcslen, wcsbytes;
 size_t rlen;
@@ -800,8 +801,6 @@ msgbuf_put_unicode_string(smb_msgbuf_t *mb, char *mbs, int repc)
 if ((mb->flags & SMB_MSGBUF_NOTERM) == 0)
 repc += sizeof (smb_wchar_t);
 }
- if (smb_msgbuf_has_space(mb, repc) == 0)
- return (SMB_MSGBUF_OVERFLOW);
 /*
 * Convert into a temporary buffer
@@ -824,16 +823,21 @@ msgbuf_put_unicode_string(smb_msgbuf_t *mb, char *mbs, int repc)
 * little-endian order while copying.
 */
 wp = wcsbuf;
- while (repc > 1) {
- smb_wchar_t wchar = LE_IN16(wp);
+ while (repc >= sizeof (smb_wchar_t)) {
+ if (smb_msgbuf_has_space(mb, sizeof (smb_wchar_t)) == 0)
+ return (SMB_MSGBUF_OVERFLOW);
+ wchar = LE_IN16(wp);
 LE_OUT16(mb->scan, wchar);
 mb->scan += 2;
 if (wchar != 0)
 wp++;
 repc -= sizeof (smb_wchar_t);
 }
- if (repc > 0)
+ if (repc > 0) {
+ if (smb_msgbuf_has_space(mb, 1) == 0)
+ return (SMB_MSGBUF_OVERFLOW);
 *mb->scan++ = '\0';
+ }
 return (0);
 } |
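Review bot: The per-byte check added inside the copy loop of msgbuf_put_oem_string returns SMB_MSGBUF_OVERFLOW after bytes may already have been stored, so on overflow mb->scan has advanced and mb holds an unterminated prefix of the string; before this commit the function failed without writing anything. That contract change deserves a comment at the check, for example `/* Truncation is allowed: bytes copied so far stay in mb, caller gets OVERFLOW */`, so callers know not to rely on a terminator in truncated output. The early return also leaves the function from inside the loop, and the allocation and release of oembuf are outside this hunk, so it should be confirmed that the temporary buffer is still released on this path. The same contract note applies to the two checks added in msgbuf_put_unicode_string in the last hunk.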
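Review bot: The new loop condition `while (repc >= sizeof (smb_wchar_t))` in msgbuf_put_unicode_string compares the `int` parameter repc with a size_t, so repc is converted to unsigned and a negative value would compare as very large, where the old `repc > 1` was a signed comparison. The code that normalises repc sits above the hunk, so a negative value may be unreachable here, but a cast makes the intent explicit: `while (repc >= (int)sizeof (smb_wchar_t)) {`. The added smb_msgbuf_has_space() check would still bound the writes to mb in that case, so this is about keeping the loop count signed rather than about an out-of-bounds write.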