Commit e7ce75bf authored by Colin Granville's avatar Colin Granville Committed by ROOL
Browse files

Limit n_names to fit in unsigned short

Detail:
n_names in Func_ReadDir1 can be larger than an unsigned short
which cause problems when cast to an unsigned short for SMB
notably 7Backup would go into an infinite loop.

Other parameters to Func_ReadDir1 sanity checked.

Admin:
Tested with 7Backup from 7thSoftware and compiling and cleaning
OmniLanManFS sources over LanManFS

Version 2.65. Tagged as 'OmniLanManFS-2_65'
parent 343b54e4
/* (2.64) /* (2.65)
* *
* This file is automatically maintained by srccommit, do not edit manually. * This file is automatically maintained by srccommit, do not edit manually.
* *
*/ */
#define Module_MajorVersion_CMHG 2.64 #define Module_MajorVersion_CMHG 2.65
#define Module_MinorVersion_CMHG #define Module_MinorVersion_CMHG
#define Module_Date_CMHG 16 May 2020 #define Module_Date_CMHG 11 Jul 2020
#define Module_MajorVersion "2.64" #define Module_MajorVersion "2.65"
#define Module_Version 264 #define Module_Version 265
#define Module_MinorVersion "" #define Module_MinorVersion ""
#define Module_Date "16 May 2020" #define Module_Date "11 Jul 2020"
#define Module_ApplicationDate "16-May-20" #define Module_ApplicationDate "11-Jul-20"
#define Module_ComponentName "OmniLanManFS" #define Module_ComponentName "OmniLanManFS"
#define Module_FullVersion "2.64" #define Module_FullVersion "2.65"
#define Module_HelpVersion "2.64 (16 May 2020)" #define Module_HelpVersion "2.65 (11 Jul 2020)"
#define Module_LibraryVersionInfo "2:64" #define Module_LibraryVersionInfo "2:65"
...@@ -189,6 +189,14 @@ static err_t Func_ReadDir1 ( int reason, char *path_name, char *buffer, ...@@ -189,6 +189,14 @@ static err_t Func_ReadDir1 ( int reason, char *path_name, char *buffer,
static SMBFind_t smbfind; static SMBFind_t smbfind;
err_t res; err_t res;
if (n_names == 0 || dir_offset == -1 || buffer == NULL || buflen <= 0)
{
*pOutNread = 0;
*pOutNextOffset = -1;
return OK;
}
if ((unsigned int) n_names > 0xfffd) n_names = 0xfffd; /* limit large n_names to unsigned short - ensure adding 2 doesn't overflow */
RD_Reason = reason; RD_Reason = reason;
RD_BufPtr = buffer; RD_BufPtr = buffer;
RD_BufLen = buflen; RD_BufLen = buflen;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment