authorVolker Lendecke <vlendec@samba.org>2006-05-27 21:38:54 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:17:13 -0500
commitc24bfdce625782637b5f4d11a5117ef795ddfc2f (patch)
tree302231155cccaa242acf14c46ccd51ac9617a561 /source/smbd
parent09f3c7a86f931371dc6f886edccc15d3f5437d34 (diff)
r15911: Make us survive rpc-authcontext committed next
Diffstat (limited to 'source/smbd')
-rw-r--r--source/smbd/ipc.c6
-rw-r--r--source/smbd/pipes.c10
2 files changed, 16 insertions, 0 deletions
diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c
index 7f9505606cc..32503879099 100644
--- a/source/smbd/ipc.c
+++ b/source/smbd/ipc.c
@@ -291,6 +291,12 @@ static int api_fd_reply(connection_struct *conn,uint16 vuid,char *outbuf,
return ERROR_NT(NT_STATUS_INVALID_HANDLE);
}
+ if (vuid != p->vuid) {
+ DEBUG(1, ("Got pipe request (pnum %x) using invalid VUID %d, "
+ "expected %d\n", pnum, vuid, p->vuid));
+ return ERROR_NT(NT_STATUS_INVALID_HANDLE);
+ }
+
DEBUG(3,("Got API command 0x%x on pipe \"%s\" (pnum %x)\n", subcommand, p->name, pnum));
/* record maximum data length that can be transmitted in an SMBtrans */
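Review bot: The ownership check at `if (vuid != p->vuid)` is open-coded here and again in both pipes.c hunks (reply_pipe_write and reply_pipe_write_and_X), so every handler that resolves a pipe handle has to remember to repeat it. Handlers this commit does not touch, presumably the pipe read and close paths in pipes.c, are not visible in the diff; confirm that they compare the request VUID with `p->vuid` as well, since otherwise a session could still reach a pipe it did not open. A one-line comment above the check would record the invariant, e.g. `/* A pipe handle may only be used by the session (VUID) that opened it. */`. api_fd_reply's body starts and ends outside the hunk.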
diff --git a/source/smbd/pipes.c b/source/smbd/pipes.c
index 12f3d180b1e..2d90383706b 100644
--- a/source/smbd/pipes.c
+++ b/source/smbd/pipes.c
@@ -121,6 +121,7 @@ int reply_open_pipe_and_X(connection_struct *conn,
int reply_pipe_write(char *inbuf,char *outbuf,int length,int dum_bufsize)
{
smb_np_struct *p = get_rpc_pipe_p(inbuf,smb_vwv0);
+ uint16 vuid = SVAL(inbuf,smb_uid);
size_t numtowrite = SVAL(inbuf,smb_vwv1);
int nwritten;
int outsize;
@@ -130,6 +131,10 @@ int reply_pipe_write(char *inbuf,char *outbuf,int length,int dum_bufsize)
return(ERROR_DOS(ERRDOS,ERRbadfid));
}
+ if (p->vuid != vuid) {
+ return ERROR_NT(NT_STATUS_INVALID_HANDLE);
+ }
+
data = smb_buf(inbuf) + 3;
if (numtowrite == 0) {
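Review bot: The rejection at `if (p->vuid != vuid)` is silent, whereas the matching check in ipc.c logs the presented and expected VUID at DEBUG level 1; the same applies to the check added to reply_pipe_write_and_X in the hunk at -172. A VUID mismatch on an open pipe handle is a useful signal when investigating session confusion or handle reuse, so I would add `DEBUG(1, ("Got pipe write using invalid VUID %d, expected %d\n", vuid, p->vuid));` before the return in both places. The failure just above returns `ERROR_DOS(ERRDOS,ERRbadfid)` while this one returns `ERROR_NT(NT_STATUS_INVALID_HANDLE)`; if the mix is deliberate, a short comment saying so would help the next reader. reply_pipe_write's body continues outside the hunk.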
@@ -161,6 +166,7 @@ int reply_pipe_write(char *inbuf,char *outbuf,int length,int dum_bufsize)
int reply_pipe_write_and_X(char *inbuf,char *outbuf,int length,int bufsize)
{
smb_np_struct *p = get_rpc_pipe_p(inbuf,smb_vwv2);
+ uint16 vuid = SVAL(inbuf,smb_uid);
size_t numtowrite = SVAL(inbuf,smb_vwv10);
int nwritten = -1;
int smb_doff = SVAL(inbuf, smb_vwv11);
@@ -172,6 +178,10 @@ int reply_pipe_write_and_X(char *inbuf,char *outbuf,int length,int bufsize)
return(ERROR_DOS(ERRDOS,ERRbadfid));
}
+ if (p->vuid != vuid) {
+ return ERROR_NT(NT_STATUS_INVALID_HANDLE);
+ }
+
data = smb_base(inbuf) + smb_doff;
if (numtowrite == 0) {