STABLE14-windows-afsd-minor-20050330

Add bounds checking to the comparison of fid->vnode and cm_localMountPoints when Freelance mode is used. Fix typo in DJGPP section of smb.c Use rx_connection * instead of rx_call * in previous fix to cm_dcache.c (cherry picked from commit 0a9609d8eb599dfe11ff04d8752e15b58c3ef89d)
2025-02-01 14:07:39 +00:00 · 2005-03-31 07:05:47 +00:00 · 2005-03-31 07:05:47 +00:00 · b9e4c1bb4d
commit b9e4c1bb4d
parent 3ed69d2cbd
4 changed files with 22 additions and 16 deletions
--- a/src/WINNT/afsd/cm_dcache.c
+++ b/src/WINNT/afsd/cm_dcache.c
@ -55,7 +55,8 @@ long cm_BufWrite(void *vfidp, osi_hyper_t *offsetp, long length, long flags,
    osi_hyper_t thyper;
    AFSVolSync volSync;
    AFSFid tfid;
-    struct rx_call *oldCallp, *callp;
+    struct rx_call *callp;
+    struct rx_connection *rxconnp;
    osi_queueData_t *qdp;
    cm_buf_t *bufp;
    long wbytes;
@ -129,9 +130,9 @@ long cm_BufWrite(void *vfidp, osi_hyper_t *offsetp, long length, long flags,
        if (code) 
            continue;
 		
-        oldCallp = cm_GetRxConn(connp);
-        callp = rx_NewCall(oldCallp);
-        rx_PutConnection(oldCallp);
+        rxconnp = cm_GetRxConn(connp);
+        callp = rx_NewCall(rxconnp);
+        rx_PutConnection(rxconnp);

        osi_Log3(afsd_logp, "CALL StoreData scp 0x%x, off 0x%x, size 0x%x",
                 (long) scp, biod.offset.LowPart, nbytes);
@ -238,7 +239,8 @@ long cm_StoreMini(cm_scache_t *scp, cm_user_t *userp, cm_req_t *reqp)
    long code;
    long truncPos;
    cm_conn_t *connp;
-    struct rx_call *oldCallp, *callp;
+    struct rx_call *callp;
+    struct rx_connection *rxconnp;

    /* Serialize StoreData RPC's; for rationale see cm_scache.c */
    (void) cm_SyncOp(scp, NULL, userp, reqp, 0,
@ -266,9 +268,9 @@ long cm_StoreMini(cm_scache_t *scp, cm_user_t *userp, cm_req_t *reqp)
        if (code) 
            continue;
 		
-        oldCallp = cm_GetRxConn(connp);
-        callp = rx_NewCall(oldCallp);
-        rx_PutConnection(oldCallp);
+        rxconnp = cm_GetRxConn(connp);
+        callp = rx_NewCall(rxconnp);
+        rx_PutConnection(rxconnp);

        code = StartRXAFS_StoreData(callp, &tfid, &inStatus,
                                    0, 0, truncPos);
@ -1120,7 +1122,8 @@ long cm_GetBuffer(cm_scache_t *scp, cm_buf_t *bufp, int *cpffp, cm_user_t *up,
    cm_buf_t *tbufp;		/* buf we're filling */
    osi_queueData_t *qdp;		/* q element we're scanning */
    AFSFid tfid;
-    struct rx_call *oldCallp, *callp;
+    struct rx_call *callp;
+    struct rx_connection *rxconnp;
    cm_bulkIO_t biod;		/* bulk IO descriptor */
    cm_conn_t *connp;
    int getroot;
@ -1252,9 +1255,9 @@ long cm_GetBuffer(cm_scache_t *scp, cm_buf_t *bufp, int *cpffp, cm_user_t *up,
        if (code) 
            continue;
 	
-        oldCallp = cm_GetRxConn(connp);
-        callp = rx_NewCall(oldCallp);
-        rx_PutConnection(oldCallp);
+        rxconnp = cm_GetRxConn(connp);
+        callp = rx_NewCall(rxconnp);
+        rx_PutConnection(rxconnp);

        osi_Log3(afsd_logp, "CALL FetchData vp %x, off 0x%x, size 0x%x",
                  (long) scp, biod.offset.LowPart, biod.length);
--- a/src/WINNT/afsd/cm_scache.c
+++ b/src/WINNT/afsd/cm_scache.c
@ -412,7 +412,7 @@ long cm_GetSCache(cm_fid_t *fidp, cm_scache_t **outScpp, cm_user_t *userp,
 	  
    if (cm_freelanceEnabled && special) {
        osi_Log0(afsd_logp,"cm_getSCache Freelance and special");
-        if (fidp->vnode > 1) {
+        if (fidp->vnode > 1 && fidp->vnode <= cm_localMountPoints + 2) {
 	    lock_ObtainMutex(&cm_Freelance_Lock);
            mp =(cm_localMountPoints+fidp->vnode-2)->mountPointStringp;
            lock_ReleaseMutex(&cm_Freelance_Lock);
@ -432,7 +432,10 @@ long cm_GetSCache(cm_fid_t *fidp, cm_scache_t **outScpp, cm_user_t *userp,
        cm_data.hashTablep[hash]=scp;
        scp->flags |= CM_SCACHEFLAG_INHASH;
        scp->refCount = 1;
-        scp->fileType = (cm_localMountPoints+fidp->vnode-2)->fileType;
+        if (fidp->vnode > 1 && fidp->vnode <= cm_localMountPoints + 2)
+            scp->fileType = (cm_localMountPoints+fidp->vnode-2)->fileType;
+        else 
+            scp->fileType = CM_SCACHETYPE_INVALID;

        lock_ObtainMutex(&cm_Freelance_Lock);
        scp->length.LowPart = strlen(mp)+4;
--- a/src/WINNT/afsd/smb.c
+++ b/src/WINNT/afsd/smb.c
@ -7272,7 +7272,7 @@ void smb_Server(VOID *parmp)
        "bufp=0x%x\n",
        bufp->dos_pkt / 16, bufp);*/
        fflush(stderr);
-        dosmemget(bufp->dos_pkt, ncbp-d>ncb_length, bufp->data);
+        dosmemget(bufp->dos_pkt, ncbp->ncb_length, bufp->data);
 #endif /* DJGPP */
        smbp = (smb_t *)bufp->data;
        outbufp->flags = 0;