|
Lines 571-577
Link Here
|
| 571 |
parm_disp, parm_offset, parm_count, |
571 |
parm_disp, parm_offset, parm_count, |
| 572 |
data_disp, data_offset, data_count); |
572 |
data_disp, data_offset, data_count); |
| 573 |
*parm = base + parm_offset; |
573 |
*parm = base + parm_offset; |
|
|
574 |
if (*parm - inbuf + parm_tot > server->packet_size) |
| 575 |
goto out_bad_parm; |
| 574 |
*data = base + data_offset; |
576 |
*data = base + data_offset; |
|
|
577 |
if (*data - inbuf + data_tot > server->packet_size) |
| 578 |
goto out_bad_data; |
| 575 |
goto success; |
579 |
goto success; |
| 576 |
} |
580 |
} |
| 577 |
|
581 |
|
|
Lines 591-596
Link Here
|
| 591 |
rcv_buf = smb_vmalloc(buf_len); |
595 |
rcv_buf = smb_vmalloc(buf_len); |
| 592 |
if (!rcv_buf) |
596 |
if (!rcv_buf) |
| 593 |
goto out_no_mem; |
597 |
goto out_no_mem; |
|
|
598 |
memset(rcv_buf, 0, buf_len); |
| 599 |
|
| 594 |
*parm = rcv_buf; |
600 |
*parm = rcv_buf; |
| 595 |
*data = rcv_buf + total_p; |
601 |
*data = rcv_buf + total_p; |
| 596 |
} else if (data_tot > total_d || parm_tot > total_p) |
602 |
} else if (data_tot > total_d || parm_tot > total_p) |
|
Lines 598-605
Link Here
|
| 598 |
|
604 |
|
| 599 |
if (parm_disp + parm_count > total_p) |
605 |
if (parm_disp + parm_count > total_p) |
| 600 |
goto out_bad_parm; |
606 |
goto out_bad_parm; |
|
|
607 |
if (parm_offset + parm_count > server->packet_size) |
| 608 |
goto out_bad_parm; |
| 601 |
if (data_disp + data_count > total_d) |
609 |
if (data_disp + data_count > total_d) |
| 602 |
goto out_bad_data; |
610 |
goto out_bad_data; |
|
|
611 |
if (data_offset + data_count > server->packet_size) |
| 612 |
goto out_bad_data; |
| 603 |
memcpy(*parm + parm_disp, base + parm_offset, parm_count); |
613 |
memcpy(*parm + parm_disp, base + parm_offset, parm_count); |
| 604 |
memcpy(*data + data_disp, base + data_offset, data_count); |
614 |
memcpy(*data + data_disp, base + data_offset, data_count); |
| 605 |
|
615 |
|
|
Lines 610-617
Link Here
|
| 610 |
* Check whether we've received all of the data. Note that |
620 |
* Check whether we've received all of the data. Note that |
| 611 |
* we use the packet totals -- total lengths might shrink! |
621 |
* we use the packet totals -- total lengths might shrink! |
| 612 |
*/ |
622 |
*/ |
| 613 |
if (data_len >= data_tot && parm_len >= parm_tot) |
623 |
if (data_len >= data_tot && parm_len >= parm_tot) { |
|
|
624 |
data_len = data_tot; |
| 625 |
parm_len = parm_tot; |
| 614 |
break; |
626 |
break; |
|
|
627 |
} |
| 615 |
} |
628 |
} |
| 616 |
|
629 |
|
| 617 |
/* |
630 |
/* |
|
Lines 625-630
Link Here
|
| 625 |
server->packet = rcv_buf; |
638 |
server->packet = rcv_buf; |
| 626 |
rcv_buf = inbuf; |
639 |
rcv_buf = inbuf; |
| 627 |
} else { |
640 |
} else { |
|
|
641 |
if (parm_len + data_len > buf_len) |
| 642 |
goto out_data_grew; |
| 643 |
|
| 628 |
PARANOIA("copying data, old size=%d, new size=%u\n", |
644 |
PARANOIA("copying data, old size=%d, new size=%u\n", |
| 629 |
server->packet_size, buf_len); |
645 |
server->packet_size, buf_len); |
| 630 |
memcpy(inbuf, rcv_buf, parm_len + data_len); |
646 |
memcpy(inbuf, rcv_buf, parm_len + data_len); |
