--- client/client.c +++ client/client.c @@ -1770,7 +1770,7 @@ static void wait_keyboard(void) session keepalives and then drop them here. */ if (FD_ISSET(cli->fd,&fds)) - receive_smb(cli->fd,cli->inbuf,0); + receive_smb(cli->fd, cli->inbuf, cli->bufsize, 0); cli_chkpath(cli, "\\"); } --- client/smbmount.c +++ client/smbmount.c @@ -161,7 +161,7 @@ static BOOL chkpath(char *path,BOOL report) #endif send_smb(Client,outbuf); - client_receive_smb(Client,inbuf,CLIENT_TIMEOUT); + client_receive_smb(Client, inbuf, sizeof(inbuf), CLIENT_TIMEOUT); if (report && CVAL(inbuf,smb_rcls) != 0) DEBUG(2,("chkpath: %s\n",smb_errstr(inbuf))); @@ -601,7 +601,7 @@ static void wait_keyboard(char *buffer) session keepalives and then drop them here. */ if (FD_ISSET(Client,&fds)) - receive_smb(Client,buffer,0); + receive_smb(Client, buffer, BUFFER_SIZE, 0); chkpath("\\",False); } --- lib/msrpc-agent.c +++ lib/msrpc-agent.c @@ -164,7 +164,7 @@ static BOOL process_cli_sock(struct sock_redir **socks, uint32 num_socks, } else { - if (!receive_smb(sock->c, packet, 0)) + if (!receive_smb(sock->c, packet, sizeof(packet), 0)) { DEBUG(0,("client closed connection\n")); return False; @@ -183,7 +183,7 @@ static BOOL process_srv_sock(struct sock_redir **socks, uint32 num_socks, int fd) { int i; - if (!receive_smb(fd, packet, 0)) + if (!receive_smb(fd, packet, sizeof(packet), 0)) { DEBUG(0,("server closed connection\n")); return False; --- libsmb/clientgen.c +++ libsmb/clientgen.c @@ -139,13 +139,14 @@ int cli_set_port(struct cli_state *cli, int port) should never go into a blocking read. ****************************************************************************/ -static BOOL client_receive_smb(Socket fd, char *buffer, unsigned int timeout) +static BOOL client_receive_smb(Socket fd, char *buffer, size_t bufsize, + unsigned int timeout) { BOOL ret; for (;;) { - ret = receive_smb(fd, buffer, timeout); + ret = receive_smb(fd, buffer, bufsize, timeout); if (!ret) { @@ -174,7 +175,7 @@ BOOL cli_receive_smb(struct cli_state *cli) if (cli->fd == SOCKET_NULL) return False; - ret = client_receive_smb(cli->fd,cli->inbuf,cli->timeout); + ret = client_receive_smb(cli->fd, cli->inbuf, cli->bufsize, cli->timeout); if (ret) { /* it might be an oplock break request */ --- libsmb/util_smb_packet.c +++ libsmb/util_smb_packet.c @@ -363,10 +363,17 @@ ssize_t read_smb_length(Socket fd, char *inbuf, unsigned int timeout) * This function will return on a * receipt of a session keepalive packet. */ -BOOL receive_smb(Socket fd, char *buffer, unsigned int timeout) +BOOL receive_smb(Socket fd, char *buffer, size_t bufsize, unsigned int timeout) { ssize_t len, ret; + if (bufsize <= 4) + { + DEBUG(0, ("receive_smb buffer <= 4 bytes\n")); + return False; + } + bufsize -= 4; + smb_read_error = 0; memset(buffer, '\0', smb_size + 100); @@ -378,13 +385,10 @@ BOOL receive_smb(Socket fd, char *buffer, unsigned int timeout) return (False); } - if (len > BUFFER_SIZE) + if (len > bufsize) { DEBUG(0, ("Invalid packet length! (%d bytes).\n", len)); - if (len > BUFFER_SIZE + (SAFETY_MARGIN / 2)) - { - exit(1); - } + return False; } if (len > 0) --- rpc_client/cli_use.c +++ rpc_client/cli_use.c @@ -533,7 +533,7 @@ void cli_use_wait_keyboard(void) continue; fd = clis[i]->cli->fd; if (FD_ISSET(fd, &fds)) - receive_smb(fd, clis[i]->cli->inbuf, 0); + receive_smb(fd, clis[i]->cli->inbuf, clis[i]->cli->bufsize, 0); } } } --- smbd/oplock.c +++ smbd/oplock.c @@ -29,6 +29,8 @@ #include "tng_misc.h" +#define OPLOCK_SMB_BUFSIZE (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE) + /* Oplock ipc UDP socket. */ static int oplock_sock = -1; uint16 global_oplock_port = 0; @@ -712,14 +714,14 @@ static BOOL oplock_break(SMB_DEV_T dev, SMB_INO_T inode, struct timeval *tval, B messages crossing on the wire. */ - inbuf = g_new(char, BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN); + inbuf = g_new(char, OPLOCK_SMB_BUFSIZE + SAFETY_MARGIN); if (! inbuf) { DEBUG(0,("oplock_break: malloc fail for input buffer.\n")); return False; } - outbuf = g_new(char, BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN); + outbuf = g_new(char, OPLOCK_SMB_BUFSIZE + SAFETY_MARGIN); if (! outbuf) { DEBUG(0,("oplock_break: malloc fail for output buffer.\n")); @@ -789,7 +791,7 @@ static BOOL oplock_break(SMB_DEV_T dev, SMB_INO_T inode, struct timeval *tval, B while((fsp = initial_break_processing(dev, inode, tval)) && OPEN_FSP(fsp) && EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type)) { - if(receive_smb(smbd_server_fd(),inbuf, timeout) == False) + if(receive_smb(smbd_server_fd(), inbuf, OPLOCK_SMB_BUFSIZE, timeout) == False) { /* * Die if we got an error. --- smbd/process.c +++ smbd/process.c @@ -239,7 +239,7 @@ static BOOL receive_message_or_smb(char *buffer, int buffer_len, } *got_smb = True; - return receive_smb(smbd_server_fd(), buffer, 0); + return receive_smb(smbd_server_fd(), buffer, buffer_len, 0); } /**************************************************************************** --- utils/smb-agent.c +++ utils/smb-agent.c @@ -214,7 +214,7 @@ static BOOL process_cli_sock(struct sock_redir **socks, uint32 num_socks, } else { - if (!receive_smb(sock->c, packet, 0)) + if (!receive_smb(sock->c, packet, BUFFER_SIZE, 0)) { DEBUG(0, ("client closed connection\n")); return False; @@ -251,7 +251,7 @@ static BOOL process_srv_sock(struct sock_redir **socks, uint32 num_socks, { int smbmid; int i; - if (!receive_smb(fd, packet, 0)) + if (!receive_smb(fd, packet, BUFFER_SIZE, 0)) { DEBUG(0, ("server closed connection\n")); return False; --- utils/smbfilter.c +++ utils/smbfilter.c @@ -125,7 +125,7 @@ static void filter_child(int c, struct in_addr dest_ip) if (num <= 0) continue; if (c != -1 && FD_ISSET(c, &fds)) { - if (!receive_smb(c, packet, 0)) { + if (!receive_smb(c, packet, BUFFER_SIZE, 0)) { DEBUG(0,("client closed connection\n")); exit(0); } @@ -136,7 +136,7 @@ static void filter_child(int c, struct in_addr dest_ip) } } if (s != -1 && FD_ISSET(s, &fds)) { - if (!receive_smb(s, packet, 0)) { + if (!receive_smb(s, packet, BUFFER_SIZE, 0)) { DEBUG(0,("server closed connection\n")); exit(0); }