On Wed, 25 Jul 2001, Tim Zingelman wrote:

> This is a known bug, but not fixed.  I worked with the maintainer, Boris
> Popov on it a little, but in my case it took some time between the mount
> and the panic, and I was not able to give him login access to the
> machines involved.  As a result it remains unfixed.  If you have a case
> that panics immediately and can work with him, I think he would be
> interested in getting this fixed.  (I know I would :)

        Please try the attached patch. It fixes a nasty buffer overflow
which may cause this panic.

> > I'd recommend contacting the smbfs maintainer. It seems the kernel
> > module for smbfs is now integrated into the main sources, but you
> > still need to install a port. So I'm guessing it's now in some sort of
> > transitional status (and thus quite unstable).

        Hear, hear :) All userland code for smbfs was planned to be
included before 4.4 comes out. But, life is life - it has its own plans,
and I hope to finish import after 4.4...

--
Boris Popov
http://www.butya.kz/~bp/
Index: smb.h
===================================================================
RCS file: /home/ncvs/src/sys/netsmb/smb.h,v
retrieving revision 1.1.2.1
diff -u -r1.1.2.1 smb.h
--- smb.h       2001/05/22 08:32:33     1.1.2.1
+++ smb.h       2001/08/03 13:32:25
@@ -68,7 +68,7 @@
  */
 #define        SMB_SIGNATURE           "\xFFSMB"
 #define        SMB_SIGLEN              4
-#define        SMB_HDRMID(p)           (*(u_short*)((u_char*)(p) + 30))
+#define        SMB_HDRMID(p)           (letohs(*(u_short*)((u_char*)(p) + 30)))
 #define        SMB_HDRLEN              32
 /*
  * bits in the smb_flags field
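Review bot: wrapping the dereference in letohs() turns SMB_HDRMID(p) into an rvalue, so any caller that assigns through the macro (`SMB_HDRMID(p) = mid;`) will stop compiling; check the users and, if one writes the field, add a matching setter that stores htoles(). The `*(u_short*)((u_char*)(p) + 30)` load is also still an unaligned 16-bit access whenever `p` is not 2-byte aligned, which can fault on strict-alignment hosts; assembling the value from the two bytes (`p[30] | (p[31] << 8)`) fixes alignment and byte order at the same time. Note too that this hunk is a byte-order fix rather than the overflow the cover message mentions; a sentence in the message saying which file carries the overflow fix would help anyone bisecting the patch.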
Index: smb_crypt.c
===================================================================
RCS file: /home/ncvs/src/sys/netsmb/smb_crypt.c,v
retrieving revision 1.1.2.1
diff -u -r1.1.2.1 smb_crypt.c
--- smb_crypt.c 2001/05/22 08:32:33     1.1.2.1
+++ smb_crypt.c 2001/08/03 13:32:25
@@ -120,7 +120,7 @@
        int len;
 
        len = strlen(apwd);
-       unipwd = malloc(len * sizeof(u_int16_t), M_SMBTEMP, M_WAITOK);
+       unipwd = malloc((len + 1) * sizeof(u_int16_t), M_SMBTEMP, M_WAITOK);
        /*
         * S21 = concat(MD4(U(apwd)), zeros(5));
         */
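Review bot: the `+ 1` carries no comment saying why it is needed; since the cover message calls this the overflow fix, the allocation should state that the conversion writes a terminating u_int16_t after the `len` characters (`/* len chars plus UTF-16 NUL terminator */`), otherwise the next reader will see it as slack and trim it. It is also worth confirming that the routine filling `unipwd` never writes more than `len + 1` units, and `len` is declared `int` while it receives the result of `strlen(apwd)`; harmless for a password, but `size_t` matches the arithmetic on the next line.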
Index: smb_rq.c
===================================================================
RCS file: /home/ncvs/src/sys/netsmb/smb_rq.c,v
retrieving revision 1.1.2.1
diff -u -r1.1.2.1 smb_rq.c
--- smb_rq.c    2001/05/22 08:32:33     1.1.2.1
+++ smb_rq.c    2001/08/03 13:32:25
@@ -238,7 +238,7 @@
        bcnt = rqp->sr_rq.mb_count;
        if (bcnt > 0xffff)
                SMBERROR("byte count too large (%d)\n", bcnt);
-       *rqp->sr_bcount = bcnt;
+       *rqp->sr_bcount = htoles(bcnt);
 }
 
 int
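Review bot: the `bcnt > 0xffff` check only logs through SMBERROR and then falls through to `*rqp->sr_bcount = htoles(bcnt);`, which stores the value truncated to 16 bits, so an oversized request still goes out with a wrong byte count. After the message, fail the request rather than continue: return an error if the function can, or record one in `rqp` so the caller refuses to send it. The htoles() conversion itself is right, as the wire field is little-endian.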

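The following is an added example, not part of Boris's patch or the netsmb sources, written in plain userland C to show the two things the patch changes: an allocation for an ASCII-to-UTF-16 password conversion that was one 16-bit unit short, and 16-bit SMB header fields that must be read and written little-endian regardless of host byte order or alignment. It assumes the kernel's conversion routine writes a terminating zero unit after the password (which is what the `+ 1` suggests but the hunk does not show); the function names (uni_units_needed, convert_with_alloc, smb_hdr_mid, bcount_roundtrip) and the sample header bytes are constructed here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Units of uint16_t the widened password occupies, including the
 * terminating zero unit. The pre-patch allocation of strlen(apwd)
 * units was one short of this. */
size_t uni_units_needed(const char *apwd)
{
	return strlen(apwd) + 1;
}

/* Widen ASCII to UTF-16LE into a buffer of `units` code units and
 * terminate it (assumed behaviour of the kernel converter). Returns the
 * units written, or 0 when the buffer cannot hold string + terminator;
 * that bounds check is what the original allocation had no room for. */
size_t ascii_to_utf16le(const char *s, uint8_t *out, size_t units)
{
	size_t len = strlen(s), i;

	if (units < len + 1)
		return 0;
	for (i = 0; i < len; i++) {
		out[2 * i] = (uint8_t)s[i];
		out[2 * i + 1] = 0;
	}
	out[2 * len] = 0;
	out[2 * len + 1] = 0;
	return len + 1;
}

/* Convert using strlen(apwd) units (the old allocation) when extra_unit
 * is 0, or strlen(apwd) + 1 units (the patched one) when it is 1.
 * Returns 1 if the conversion fit, 0 if it had to be refused. */
int convert_with_alloc(const char *apwd, int extra_unit)
{
	size_t units = strlen(apwd) + (extra_unit ? 1 : 0);
	uint8_t *buf = malloc(units * sizeof(uint16_t));
	int ok;

	if (buf == NULL)
		return 0;
	ok = ascii_to_utf16le(apwd, buf, units) != 0;
	free(buf);
	return ok;
}

/* Byte-wise little-endian accessors: SMB wire fields are LE, and going
 * through a u_short* is both host-endian and an unaligned load. */
unsigned get_le16(const uint8_t *p)
{
	return (unsigned)p[0] | ((unsigned)p[1] << 8);
}

void put_le16(uint8_t *p, unsigned v)
{
	p[0] = (uint8_t)(v & 0xff);
	p[1] = (uint8_t)((v >> 8) & 0xff);
}

#define SMB_HDRLEN 32

/* MID sits at header offset 30, as in SMB_HDRMID() in smb.h. */
unsigned smb_hdr_mid(const uint8_t *hdr)
{
	return get_le16(hdr + 30);
}

/* Constructed sample: a header whose MID bytes are 0x34 0x12 on the
 * wire must read back as 0x1234 on any host. */
unsigned hdr_mid_example(void)
{
	uint8_t hdr[SMB_HDRLEN] = { 0xFF, 'S', 'M', 'B' };

	hdr[30] = 0x34;
	hdr[31] = 0x12;
	return smb_hdr_mid(hdr);
}

/* The byte-count field is 16 bits wide: refuse what does not fit rather
 * than log and store a truncated value. Returns the LE value read back,
 * or -1 when rejected. */
long bcount_roundtrip(size_t bcnt)
{
	uint8_t field[2];

	if (bcnt > 0xffff)
		return -1;
	put_le16(field, (unsigned)bcnt);
	return (long)get_le16(field);
}

int main(void)
{
	printf("units for \"secret\": %zu\n", uni_units_needed("secret"));
	printf("old alloc fits: %d, patched alloc fits: %d\n",
	    convert_with_alloc("secret", 0), convert_with_alloc("secret", 1));
	printf("MID read back: 0x%04x\n", hdr_mid_example());
	printf("bcount 0x10000 -> %ld\n", bcount_roundtrip(0x10000));
	return 0;
}
```

The kernel version has no room for the size check inside the converter because the caller owns the allocation, which is exactly why the `malloc((len + 1) * sizeof(u_int16_t))` sizing has to be right at the call site; the byte-wise accessors are the alternative to sprinkling letohs()/htoles() around casts.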