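--- a/FILE_PATH_NOT_SHOWN
+++ b/FILE_PATH_NOT_SHOWN
@@ -571,7 +571,11 @@
 				parm_disp, parm_offset, parm_count,
 				data_disp, data_offset, data_count);
 			*parm = base + parm_offset;
+			if (*parm - inbuf + parm_tot > server->packet_size)
+				goto out_bad_parm;
 			*data = base + data_offset;
+			if (*data - inbuf + data_tot > server->packet_size)
+				goto out_bad_data;
 			goto success;
 		}
 
@@ -591,6 +595,8 @@
 			rcv_buf = smb_vmalloc(buf_len);
 			if (!rcv_buf)
 				goto out_no_mem;
+			memset(rcv_buf, 0, buf_len);
+
 			*parm = rcv_buf;
 			*data = rcv_buf + total_p;
 		} else if (data_tot > total_d || parm_tot > total_p)
@@ -598,8 +604,12 @@
 
 		if (parm_disp + parm_count > total_p)
 			goto out_bad_parm;
+		if (parm_offset + parm_count > server->packet_size)
+			goto out_bad_parm;
 		if (data_disp + data_count > total_d)
 			goto out_bad_data;
+		if (data_offset + data_count > server->packet_size)
+			goto out_bad_data;
 		memcpy(*parm + parm_disp, base + parm_offset, parm_count);
 		memcpy(*data + data_disp, base + data_offset, data_count);
 
@@ -610,8 +620,11 @@
 		 * Check whether we've received all of the data. Note that
 		 * we use the packet totals -- total lengths might shrink!
 		 */
-		if (data_len >= data_tot && parm_len >= parm_tot)
+		if (data_len >= data_tot && parm_len >= parm_tot) {
+			data_len = data_tot;
+			parm_len = parm_tot;
 			break;
+		}
 	}
 
 	/*
@@ -625,6 +638,9 @@
 		server->packet = rcv_buf;
 		rcv_buf = inbuf;
 	} else {
+		if (parm_len + data_len > buf_len)
+			goto out_data_grew;
+
 		PARANOIA("copying data, old size=%d, new size=%u\n",
 			 server->packet_size, buf_len);
 		memcpy(inbuf, rcv_buf, parm_len + data_len);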
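Review bot: The new checks at new lines 607 and 611 compare `parm_offset + parm_count` and `data_offset + data_count` against `server->packet_size`, but the copies at lines 613-614 read from `base + parm_offset` and `base + data_offset`, so the bound is only correct if `base` equals `inbuf`. The first hunk measures the same thing as `*parm - inbuf + parm_tot`, which suggests `base` and `inbuf` differ; if they do, these two checks are short by `base - inbuf` bytes and a reply whose offset plus count lands in that gap still reads past the end of the packet buffer. Writing them the same way as the first hunk, `if (base - inbuf + parm_offset + parm_count > server->packet_size)` and likewise for data, keeps the two paths consistent. In the last hunk `parm_len + data_len > buf_len` mixes a `%d`-printed and a `%u`-printed width, so it is worth confirming both lengths are non-negative there, and that the enclosing else branch already guarantees `buf_len` fits the `inbuf` destination of the memcpy. The enclosing function starts and ends outside the hunks shown.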