Date: Fri, 3 Aug 2001 22:04:37 +0700 (ALMST)
From: Boris Popov <bp@butya.kz>
To: Tim Zingelman <zingelman@fnal.gov>
Cc: Dimitry Andric <dim@xs4all.nl>, James Satterfield <jsatterfield@intertrust.com>, stable@FreeBSD.ORG
Subject: Re: SMBFS panic: malloc: wrong bucket (was: 4.3-20010721-STABLE)
Message-ID: <Pine.BSF.4.21.0108032156380.47860-200000@lion.butya.kz>
In-Reply-To: <Pine.GSO.4.30.0107250904080.6429-100000@nova.fnal.gov>
[-- Attachment #1 --]

On Wed, 25 Jul 2001, Tim Zingelman wrote:

> This is a known bug, but not fixed. I worked with the maintainer, Boris
> Popov, on it a little, but in my case it took some time between the mount
> and the panic, and I was not able to give him login access to the
> machines involved. As a result it remains unfixed. If you have a case
> that panics immediately and can work with him, I think he would be
> interested in getting this fixed. (I know I would :)

Please try the attached patch. It fixes a nasty buffer overflow which may
cause this panic.

> > I'd recommend contacting the smbfs maintainer. It seems the kernel
> > module for smbfs is now integrated into the main sources, but you
> > still need to install a port. So I'm guessing it's now in some sort of
> > transitional status (and thus quite unstable).

Hear, hear :)

All userland code for smbfs was planned to be included before 4.4 comes
out. But, life is life - it has its own plans, and I hope to finish the
import after 4.4...

--
Boris Popov
http://www.butya.kz/~bp/

[-- Attachment #2 --] Index: smb.h =================================================================== RCS file: /home/ncvs/src/sys/netsmb/smb.h,v retrieving revision 1.1.2.1 diff -u -r1.1.2.1 smb.h --- smb.h 2001/05/22 08:32:33 1.1.2.1 +++ smb.h 2001/08/03 13:32:25 @@ -68,7 +68,7 @@ */ #define SMB_SIGNATURE "\xFFSMB" #define SMB_SIGLEN 4 -#define SMB_HDRMID(p) (*(u_short*)((u_char*)(p) + 30)) +#define SMB_HDRMID(p) (letohs(*(u_short*)((u_char*)(p) + 30))) #define SMB_HDRLEN 32 /* * bits in the smb_flags field Index: smb_crypt.c =================================================================== RCS file: /home/ncvs/src/sys/netsmb/smb_crypt.c,v retrieving revision 1.1.2.1 diff -u -r1.1.2.1 smb_crypt.c --- smb_crypt.c 2001/05/22 08:32:33 1.1.2.1 +++ smb_crypt.c 2001/08/03 13:32:25
@@ -120,7 +120,7 @@ int len; len = strlen(apwd); - unipwd = malloc(len * sizeof(u_int16_t), M_SMBTEMP, M_WAITOK); + unipwd = malloc((len + 1) * sizeof(u_int16_t), M_SMBTEMP, M_WAITOK); /* * S21 = concat(MD4(U(apwd)), zeros(5)); */ Index: smb_rq.c =================================================================== RCS file: /home/ncvs/src/sys/netsmb/smb_rq.c,v retrieving revision 1.1.2.1 diff -u -r1.1.2.1 smb_rq.c --- smb_rq.c 2001/05/22 08:32:33 1.1.2.1 +++ smb_rq.c 2001/08/03 13:32:25 @@ -238,7 +238,7 @@ bcnt = rqp->sr_rq.mb_count; if (bcnt > 0xffff) SMBERROR("byte count too large (%d)\n", bcnt); - *rqp->sr_bcount = bcnt; + *rqp->sr_bcount = htoles(bcnt); } int
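Review bot: in the smb.h hunk, wrapping the dereference in letohs() turns SMB_HDRMID(p) from an lvalue into an rvalue, so any caller that assigned through the macro (`SMB_HDRMID(p) = mid`) would stop compiling, and the macro now depends on letohs() being visible wherever smb.h is included; confirm there are no such callers and that the header defining letohs() is pulled in. The underlying `*(u_short*)((u_char*)(p) + 30)` is still a potentially unaligned 16-bit load from an arbitrary pointer, so on strict-alignment targets composing the value from the two bytes would be safer than the cast. It would also help to state in the commit message that this hunk is a byte-order fix for the MID field rather than part of the overflow fix the mail describes.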
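Review bot: in the smb_crypt.c hunk, growing the allocation to `(len + 1) * sizeof(u_int16_t)` only makes sense if the conversion that fills unipwd writes a terminating 16-bit zero after the len characters; a one-line comment saying so would keep the next reader from trimming the +1 back out and reintroducing the out-of-bounds write that the "malloc: wrong bucket" panic in the subject points at. The hunk does not show the fill loop or the length handed to MD4, so check that the hash is still computed over `len * sizeof(u_int16_t)` bytes: the NT password hash is MD4 over the UTF-16LE password without its terminator, and feeding the extra element in would change the result. Minor: `len` is an int receiving strlen()'s size_t, harmless for a password but a size_t would avoid the implicit narrowing.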
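Review bot: in the smb_rq.c hunk, the `if (bcnt > 0xffff)` check just above the changed line only logs through SMBERROR() and then falls through, so an oversized byte count is silently truncated when it is stored into the 16-bit `*rqp->sr_bcount` (now also byte-swapped by htoles(), which is the right fix for big-endian hosts). Consider failing the request at that point instead of continuing, since the on-wire byte count would otherwise disagree with the data that follows it.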
