Fix misalignment bugs caused by invalid type casts of pointers
returned by md_reserve(). Space reserved by mb_reserve() is byte aligned and need to be used in conjunction with le16enc() and le32enc(). Tested on: ia64
This commit is contained in:
Marcel Moolenaar
parent
c68ea28fe1
commit
a6a4232f96
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=161523
@ -241,8 +241,8 @@ smb_rq_sign(struct smb_rq *rqp)
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Initialize sec. signature field to sequence number + zeros. */
|
/* Initialize sec. signature field to sequence number + zeros. */
|
||||||
*(u_int32_t *)rqp->sr_rqsig = htole32(rqp->sr_seqno);
|
le32enc(rqp->sr_rqsig, rqp->sr_seqno);
|
||||||
*(u_int32_t *)(rqp->sr_rqsig + 4) = 0;
|
le32enc(rqp->sr_rqsig + 4, 0);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Compute HMAC-MD5 of packet data, keyed by MAC key.
|
* Compute HMAC-MD5 of packet data, keyed by MAC key.
|
||||||
|
|||||||
@ -244,8 +244,8 @@ smb_iod_sendrq(struct smbiod *iod, struct smb_rq *rqp)
|
|||||||
if (vcp->vc_maxmux != 0 && iod->iod_muxcnt >= vcp->vc_maxmux)
|
if (vcp->vc_maxmux != 0 && iod->iod_muxcnt >= vcp->vc_maxmux)
|
||||||
return 0;
|
return 0;
|
||||||
#endif
|
#endif
|
||||||
*rqp->sr_rqtid = htole16(ssp ? ssp->ss_tid : SMB_TID_UNKNOWN);
|
le16enc(rqp->sr_rqtid, ssp ? ssp->ss_tid : SMB_TID_UNKNOWN);
|
||||||
*rqp->sr_rquid = htole16(vcp ? vcp->vc_smbuid : 0);
|
le16enc(rqp->sr_rquid, vcp ? vcp->vc_smbuid : 0);
|
||||||
mb_fixhdr(&rqp->sr_rq);
|
mb_fixhdr(&rqp->sr_rq);
|
||||||
if (vcp->vc_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE)
|
if (vcp->vc_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE)
|
||||||
smb_rq_sign(rqp);
|
smb_rq_sign(rqp);
|
||||||
|
|||||||
@ -141,9 +141,9 @@ smb_rq_new(struct smb_rq *rqp, u_char cmd)
|
|||||||
rqp->sr_rqsig = (u_int8_t *)mb_reserve(mbp, 8);
|
rqp->sr_rqsig = (u_int8_t *)mb_reserve(mbp, 8);
|
||||||
mb_put_uint16le(mbp, 0);
|
mb_put_uint16le(mbp, 0);
|
||||||
}
|
}
|
||||||
rqp->sr_rqtid = (u_int16_t*)mb_reserve(mbp, sizeof(u_int16_t));
|
rqp->sr_rqtid = mb_reserve(mbp, sizeof(u_int16_t));
|
||||||
mb_put_uint16le(mbp, 1 /*scred->sc_p->p_pid & 0xffff*/);
|
mb_put_uint16le(mbp, 1 /*scred->sc_p->p_pid & 0xffff*/);
|
||||||
rqp->sr_rquid = (u_int16_t*)mb_reserve(mbp, sizeof(u_int16_t));
|
rqp->sr_rquid = mb_reserve(mbp, sizeof(u_int16_t));
|
||||||
mb_put_uint16le(mbp, rqp->sr_mid);
|
mb_put_uint16le(mbp, rqp->sr_mid);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -239,7 +239,7 @@ smb_rq_wend(struct smb_rq *rqp)
|
|||||||
void
|
void
|
||||||
smb_rq_bstart(struct smb_rq *rqp)
|
smb_rq_bstart(struct smb_rq *rqp)
|
||||||
{
|
{
|
||||||
rqp->sr_bcount = (u_short*)mb_reserve(&rqp->sr_rq, sizeof(u_short));
|
rqp->sr_bcount = mb_reserve(&rqp->sr_rq, sizeof(u_short));
|
||||||
rqp->sr_rq.mb_count = 0;
|
rqp->sr_rq.mb_count = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -255,7 +255,7 @@ smb_rq_bend(struct smb_rq *rqp)
|
|||||||
bcnt = rqp->sr_rq.mb_count;
|
bcnt = rqp->sr_rq.mb_count;
|
||||||
if (bcnt > 0xffff)
|
if (bcnt > 0xffff)
|
||||||
SMBERROR("byte count too large (%d)\n", bcnt);
|
SMBERROR("byte count too large (%d)\n", bcnt);
|
||||||
*rqp->sr_bcount = htole16(bcnt);
|
le16enc(rqp->sr_bcount, bcnt);
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
|
|||||||
@ -82,7 +82,7 @@ struct smb_rq {
|
|||||||
u_int8_t sr_rqflags;
|
u_int8_t sr_rqflags;
|
||||||
u_int16_t sr_rqflags2;
|
u_int16_t sr_rqflags2;
|
||||||
u_char * sr_wcount;
|
u_char * sr_wcount;
|
||||||
u_short * sr_bcount;
|
void * sr_bcount; /* Points to 2-byte buffer. */
|
||||||
struct mdchain sr_rp;
|
struct mdchain sr_rp;
|
||||||
int sr_rpgen;
|
int sr_rpgen;
|
||||||
int sr_rplast;
|
int sr_rplast;
|
||||||
@ -95,8 +95,8 @@ struct smb_rq {
|
|||||||
struct timespec sr_timesent;
|
struct timespec sr_timesent;
|
||||||
int sr_lerror;
|
int sr_lerror;
|
||||||
u_int8_t * sr_rqsig;
|
u_int8_t * sr_rqsig;
|
||||||
u_int16_t * sr_rqtid;
|
void * sr_rqtid; /* Points to 2-byte buffer. */
|
||||||
u_int16_t * sr_rquid;
|
void * sr_rquid; /* Points to 2-byte buffer. */
|
||||||
u_int8_t sr_errclass;
|
u_int8_t sr_errclass;
|
||||||
u_int16_t sr_serror;
|
u_int16_t sr_serror;
|
||||||
u_int32_t sr_error;
|
u_int32_t sr_error;
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user