diff --git a/openwrt/package/samba/Makefile b/openwrt/package/samba/Makefile
index 584ed9a044..2d9defc343 100644
--- a/openwrt/package/samba/Makefile
+++ b/openwrt/package/samba/Makefile
@@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=samba
 PKG_VERSION:=2.0.10
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_MD5SUM:=54870482fe036b7e69dd48c90661eec6
 PKG_SOURCE_URL:=ftp://se.samba.org/pub/samba/stable \
diff --git a/openwrt/package/samba/patches/100-samba.patch b/openwrt/package/samba/patches/100-samba.patch
index 3d41af78e1..3bfeed3596 100644
--- a/openwrt/package/samba/patches/100-samba.patch
+++ b/openwrt/package/samba/patches/100-samba.patch
@@ -1,6 +1,6 @@
-diff -ur samba-2.0.10/source/include/smb.h samba/source/include/smb.h
---- samba-2.0.10/source/include/smb.h 2001-06-23 12:52:20.000000000 +0400
-+++ samba/source/include/smb.h 2005-05-21 21:09:03.204222704 +0400
+diff -ruN samba-2.0.10.orig/source/include/smb.h samba-2.0.10/source/include/smb.h
+--- samba-2.0.10.orig/source/include/smb.h 2001-06-23 10:52:20.000000000 +0200
++++ samba-2.0.10/source/include/smb.h 2006-03-06 22:21:12.000000000 +0100
 @@ -115,6 +115,22 @@
 * Usage:
 * DEBUGADD( 2, ("Some additional text.\n") );
@@ -43,9 +43,9 @@ diff -ur samba-2.0.10/source/include/smb.h samba/source/include/smb.h
 #define CAP_EXTENDED_SECURITY 0x80000000
 /* protocol types. It assumes that higher protocols include lower protocols
-diff -ur samba-2.0.10/source/Makefile.in samba/source/Makefile.in
---- samba-2.0.10/source/Makefile.in 2000-03-17 01:57:08.000000000 +0300
-+++ samba/source/Makefile.in 2005-05-21 20:59:57.130238568 +0400
+diff -ruN samba-2.0.10.orig/source/Makefile.in samba-2.0.10/source/Makefile.in
+--- samba-2.0.10.orig/source/Makefile.in 2000-03-16 23:57:08.000000000 +0100
++++ samba-2.0.10/source/Makefile.in 2006-03-06 22:21:12.000000000 +0100
 @@ -37,8 +37,8 @@
 # set these to where to find various files
 # These can be overridden by command line switches (see smbd(8))
@@ -172,9 +172,9 @@ diff -ur samba-2.0.10/source/Makefile.in samba/source/Makefile.in
 -rmdir bin
 distclean: realclean
-diff -ur samba-2.0.10/source/nmbd/nmbd_mynames.c samba/source/nmbd/nmbd_mynames.c
---- samba-2.0.10/source/nmbd/nmbd_mynames.c 2000-03-17 01:59:24.000000000 +0300
-+++ samba/source/nmbd/nmbd_mynames.c 2005-05-21 20:57:26.672111680 +0400
+diff -ruN samba-2.0.10.orig/source/nmbd/nmbd_mynames.c samba-2.0.10/source/nmbd/nmbd_mynames.c
+--- samba-2.0.10.orig/source/nmbd/nmbd_mynames.c 2000-03-16 23:59:24.000000000 +0100
++++ samba-2.0.10/source/nmbd/nmbd_mynames.c 2006-03-06 22:21:12.000000000 +0100
 @@ -215,8 +215,8 @@
 */
 if( !is_refresh_already_queued( subrec, namerec) )
@@ -186,9 +186,9 @@ diff -ur samba-2.0.10/source/nmbd/nmbd_mynames.c samba/source/nmbd/nmbd_mynames.
 }
 }
 }
-diff -ur samba-2.0.10/source/smbd/close.c samba/source/smbd/close.c
---- samba-2.0.10/source/smbd/close.c 2000-04-21 21:43:13.000000000 +0400
-+++ samba/source/smbd/close.c 2005-05-21 19:44:59.516979712 +0400
+diff -ruN samba-2.0.10.orig/source/smbd/close.c samba-2.0.10/source/smbd/close.c
+--- samba-2.0.10.orig/source/smbd/close.c 2000-04-21 19:43:13.000000000 +0200
++++ samba-2.0.10/source/smbd/close.c 2006-03-06 22:21:12.000000000 +0100
 @@ -122,11 +122,11 @@
 last_reference = True;
@@ -203,9 +203,9 @@ diff -ur samba-2.0.10/source/smbd/close.c samba/source/smbd/close.c
 /* check for magic scripts */
 if (normal_close) {
 check_magic(fsp,conn);
-diff -ur samba-2.0.10/source/smbd/ipc.c samba/source/smbd/ipc.c
---- samba-2.0.10/source/smbd/ipc.c 2000-03-30 02:20:06.000000000 +0400
-+++ samba/source/smbd/ipc.c 2005-05-21 19:44:59.559973176 +0400
+diff -ruN samba-2.0.10.orig/source/smbd/ipc.c samba-2.0.10/source/smbd/ipc.c
+--- samba-2.0.10.orig/source/smbd/ipc.c 2000-03-30 00:20:06.000000000 +0200
++++ samba-2.0.10/source/smbd/ipc.c 2006-03-06 22:21:12.000000000 +0100
 @@ -472,7 +472,7 @@
 PACK(desc,t,v);
 }
@@ -290,9 +290,9 @@ diff -ur samba-2.0.10/source/smbd/ipc.c samba/source/smbd/ipc.c
 {"SamOEMChangePassword", 214, api_SamOEMChangePassword,0},
 {NULL, -1, api_Unsupported,0}};
-diff -ur samba-2.0.10/source/smbd/negprot.c samba/source/smbd/negprot.c
---- samba-2.0.10/source/smbd/negprot.c 2000-03-17 01:59:47.000000000 +0300
-+++ samba/source/smbd/negprot.c 2005-05-21 21:09:16.025273608 +0400
+diff -ruN samba-2.0.10.orig/source/smbd/negprot.c samba-2.0.10/source/smbd/negprot.c
+--- samba-2.0.10.orig/source/smbd/negprot.c 2000-03-16 23:59:47.000000000 +0100
++++ samba-2.0.10/source/smbd/negprot.c 2006-03-06 22:21:12.000000000 +0100
 @@ -160,7 +160,7 @@
 /* dual names + lock_and_read + nt SMBs + remote API calls */
 int capabilities = CAP_NT_FIND|CAP_LOCK_AND_READ|
@@ -302,9 +302,9 @@ diff -ur samba-2.0.10/source/smbd/negprot.c samba/source/smbd/negprot.c
 /*
-diff -ur samba-2.0.10/source/smbd/password.c samba/source/smbd/password.c
---- samba-2.0.10/source/smbd/password.c 2000-03-17 01:59:48.000000000 +0300
-+++ samba/source/smbd/password.c 2005-05-21 19:44:59.562972720 +0400
+diff -ruN samba-2.0.10.orig/source/smbd/password.c samba-2.0.10/source/smbd/password.c
+--- samba-2.0.10.orig/source/smbd/password.c 2000-03-16 23:59:48.000000000 +0100
++++ samba-2.0.10/source/smbd/password.c 2006-03-06 22:21:12.000000000 +0100
 @@ -1149,7 +1149,7 @@
 return(True);
@@ -319,9 +319,9 @@ diff -ur samba-2.0.10/source/smbd/password.c samba/source/smbd/password.c
 return True;
 }
 +#endif
-diff -ur samba-2.0.10/source/smbd/process.c samba/source/smbd/process.c
---- samba-2.0.10/source/smbd/process.c 2000-04-15 04:21:27.000000000 +0400
-+++ samba/source/smbd/process.c 2005-05-21 19:44:59.583969528 +0400
+diff -ruN samba-2.0.10.orig/source/smbd/process.c samba-2.0.10/source/smbd/process.c
+--- samba-2.0.10.orig/source/smbd/process.c 2000-04-15 02:21:27.000000000 +0200
++++ samba-2.0.10/source/smbd/process.c 2006-03-06 22:21:12.000000000 +0100
 @@ -343,10 +343,12 @@
 {SMBlseek,"SMBlseek",reply_lseek,AS_USER},
 {SMBflush,"SMBflush",reply_flush,AS_USER},
@@ -353,9 +353,9 @@ diff -ur samba-2.0.10/source/smbd/process.c samba/source/smbd/process.c
 /*
 * Check to see if we have any blocking locks
 * outstanding on the queue.
-diff -ur samba-2.0.10/source/smbd/reply.c samba/source/smbd/reply.c
---- samba-2.0.10/source/smbd/reply.c 2001-06-23 12:51:24.000000000 +0400
-+++ samba/source/smbd/reply.c 2005-05-21 19:44:59.628962688 +0400
+diff -ruN samba-2.0.10.orig/source/smbd/reply.c samba-2.0.10/source/smbd/reply.c
+--- samba-2.0.10.orig/source/smbd/reply.c 2001-06-23 10:51:24.000000000 +0200
++++ samba-2.0.10/source/smbd/reply.c 2006-03-06 22:21:12.000000000 +0100
 @@ -597,12 +597,12 @@
 if (!check_domain_match(orig_user, domain))
@@ -389,9 +389,9 @@ diff -ur samba-2.0.10/source/smbd/reply.c samba/source/smbd/reply.c
 /****************************************************************************
 reply to a mkdir
-diff -ur samba-2.0.10/source/smbd/server.c samba/source/smbd/server.c
---- samba-2.0.10/source/smbd/server.c 2000-03-17 01:59:52.000000000 +0300
-+++ samba/source/smbd/server.c 2005-05-21 19:44:59.649959496 +0400
+diff -ruN samba-2.0.10.orig/source/smbd/server.c samba-2.0.10/source/smbd/server.c
+--- samba-2.0.10.orig/source/smbd/server.c 2000-03-16 23:59:52.000000000 +0100
++++ samba-2.0.10/source/smbd/server.c 2006-03-06 22:21:12.000000000 +0100
 @@ -300,9 +300,9 @@
 lp_killunused(conn_snum_used);
@@ -404,9 +404,9 @@ diff -ur samba-2.0.10/source/smbd/server.c samba/source/smbd/server.c
 /* perhaps the config filename is now set */
 if (!test)
 reload_services(True);
-diff -ur samba-2.0.10/source/smbd/service.c samba/source/smbd/service.c
---- samba-2.0.10/source/smbd/service.c 2000-03-17 01:59:52.000000000 +0300
-+++ samba/source/smbd/service.c 2005-05-21 19:44:59.670956304 +0400
+diff -ruN samba-2.0.10.orig/source/smbd/service.c samba-2.0.10/source/smbd/service.c
+--- samba-2.0.10.orig/source/smbd/service.c 2000-03-16 23:59:52.000000000 +0100
++++ samba-2.0.10/source/smbd/service.c 2006-03-06 22:21:12.000000000 +0100
 @@ -121,7 +121,7 @@
 }
 }
@@ -425,9 +425,9 @@ diff -ur samba-2.0.10/source/smbd/service.c samba/source/smbd/service.c
 /* just possibly it's a default service? */
 if (iService < 0) {
-diff -ur samba-2.0.10/source/utils/smbpasswd.c samba/source/utils/smbpasswd.c
---- samba-2.0.10/source/utils/smbpasswd.c 2000-03-17 01:59:57.000000000 +0300
-+++ samba/source/utils/smbpasswd.c 2005-05-21 19:44:59.671956152 +0400
+diff -ruN samba-2.0.10.orig/source/utils/smbpasswd.c samba-2.0.10/source/utils/smbpasswd.c
+--- samba-2.0.10.orig/source/utils/smbpasswd.c 2000-03-16 23:59:57.000000000 +0100
++++ samba-2.0.10/source/utils/smbpasswd.c 2006-03-06 22:21:12.000000000 +0100
 @@ -71,7 +71,7 @@
 }
 exit(1);
@@ -462,9 +462,9 @@ diff -ur samba-2.0.10/source/utils/smbpasswd.c samba/source/utils/smbpasswd.c
 /*
 * Deal with root - can add a user, but only locally.
 */
-diff -ur samba-2.0.10/source/web/swat.c samba/source/web/swat.c
---- samba-2.0.10/source/web/swat.c 2000-04-11 21:36:36.000000000 +0400
-+++ samba/source/web/swat.c 2005-05-21 19:44:59.692952960 +0400
+diff -ruN samba-2.0.10.orig/source/web/swat.c samba-2.0.10/source/web/swat.c
+--- samba-2.0.10.orig/source/web/swat.c 2000-04-11 19:36:36.000000000 +0200
++++ samba-2.0.10/source/web/swat.c 2006-03-06 22:21:12.000000000 +0100
 @@ -357,8 +357,9 @@
 return 0;
 }
diff --git a/openwrt/package/samba/patches/200-security.patch b/openwrt/package/samba/patches/200-security.patch
index 7fb34f94f2..8e51549e1a 100644
--- a/openwrt/package/samba/patches/200-security.patch
+++ b/openwrt/package/samba/patches/200-security.patch
@@ -1,7 +1,7 @@
-diff -ur samba-2.0.10/source/include/smb.h samba-2.0.10-security/source/include/smb.h
---- samba-2.0.10/source/include/smb.h 2001-06-23 12:52:20.000000000 +0400
-+++ samba-2.0.10-security/source/include/smb.h 2005-05-21 21:51:17.206995728 +0400
-@@ -256,6 +256,7 @@
+diff -ruN samba-2.0.10.orig/source/include/smb.h samba-2.0.10/source/include/smb.h
+--- samba-2.0.10.orig/source/include/smb.h 2006-03-06 22:25:08.000000000 +0100
++++ samba-2.0.10/source/include/smb.h 2006-03-06 22:25:53.000000000 +0100
+@@ -272,6 +272,7 @@
 #define ERRlock 33 /* Lock request conflicts with existing lock */
 #define ERRunsup 50 /* Request unsupported, returned by Win 95, RJS 20Jun98 */
 #define ERRfilexists 80 /* File in operation already exists */
@@ -9,7 +9,7 @@ diff -ur samba-2.0.10/source/include/smb.h samba-2.0.10-security/source/include/
 #define ERRcannotopen 110 /* Cannot open the file specified */
 #define ERRunknownlevel 124
 #define ERRrename 183
-@@ -1893,4 +1894,7 @@
+@@ -1911,4 +1912,7 @@
 #define SAFE_NETBIOS_CHARS ". -_"
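Review bot: 200-security.patch is now generated against a tree that already has 100-samba.patch applied rather than against pristine samba-2.0.10: in the first hunk the smb.h offset moves from `@@ -256,6 +256,7 @@` to `@@ -272,6 +272,7 @@`, which is exactly the 16 lines 100-samba.patch inserts at smb.h line 115 (`@@ -115,6 +115,22 @@`), and the `.orig` timestamp is 2006-03-06 rather than the 2001 upstream date. That turns the apply order into a hard dependency that is encoded only in the numeric filename prefixes, so anyone refreshing either patch against upstream will get rejects with no explanation. A one-line header before the first `diff -ruN` in 200-security.patch, such as `Rebased on top of 100-samba.patch; apply after it.`, would record this (patch/quilt ignore leading text). The same rebase is visible in the ipc.c, password.c and reply.c headers later in this file.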
@@ -17,15 +17,15 @@ diff -ur samba-2.0.10/source/include/smb.h samba-2.0.10-security/source/include/
 +#define SAFE_FREE(x) do { if ((x) != NULL) {free((x)); (x)=NULL;} } while(0)
 +#endif
 #endif /* _SMB_H */
-diff -ur samba-2.0.10/source/include/version.h samba-2.0.10-security/source/include/version.h
---- samba-2.0.10/source/include/version.h 2001-06-23 17:23:59.000000000 +0400
-+++ samba-2.0.10-security/source/include/version.h 2005-05-21 21:51:17.227992536 +0400
+diff -ruN samba-2.0.10.orig/source/include/version.h samba-2.0.10/source/include/version.h
+--- samba-2.0.10.orig/source/include/version.h 2001-06-23 15:23:59.000000000 +0200
++++ samba-2.0.10/source/include/version.h 2006-03-06 22:25:53.000000000 +0100
 @@ -1 +1 @@
 -#define VERSION "2.0.10"
 +#define VERSION "2.0.10-security-rollup"
-diff -ur samba-2.0.10/source/smbd/filename.c samba-2.0.10-security/source/smbd/filename.c
---- samba-2.0.10/source/smbd/filename.c 2000-03-17 01:59:44.000000000 +0300
-+++ samba-2.0.10-security/source/smbd/filename.c 2005-05-21 21:51:17.403965784 +0400
+diff -ruN samba-2.0.10.orig/source/smbd/filename.c samba-2.0.10/source/smbd/filename.c
+--- samba-2.0.10.orig/source/smbd/filename.c 2000-03-16 23:59:44.000000000 +0100
++++ samba-2.0.10/source/smbd/filename.c 2006-03-06 22:25:53.000000000 +0100
 @@ -172,7 +172,7 @@
 * StrnCpy always null terminates.
 */
@@ -35,10 +35,10 @@ diff -ur samba-2.0.10/source/smbd/filename.c samba-2.0.10-security/source/smbd/f
 if(!case_sensitive)
 strupper( orig_name );
-diff -ur samba-2.0.10/source/smbd/ipc.c samba-2.0.10-security/source/smbd/ipc.c
---- samba-2.0.10/source/smbd/ipc.c 2000-03-30 02:20:06.000000000 +0400
-+++ samba-2.0.10-security/source/smbd/ipc.c 2005-05-21 21:51:17.269986152 +0400
-@@ -3550,18 +3550,18 @@
+diff -ruN samba-2.0.10.orig/source/smbd/ipc.c samba-2.0.10/source/smbd/ipc.c
+--- samba-2.0.10.orig/source/smbd/ipc.c 2006-03-06 22:25:08.000000000 +0100
++++ samba-2.0.10/source/smbd/ipc.c 2006-03-06 22:25:53.000000000 +0100
+@@ -3556,18 +3556,18 @@
 uint16 *setup=NULL;
 int outsize = 0;
 uint16 vuid = SVAL(inbuf,smb_uid);
@@ -67,7 +67,7 @@ diff -ur samba-2.0.10/source/smbd/ipc.c samba-2.0.10-security/source/smbd/ipc.c
 memset(name, '\0',sizeof(name));
 fstrcpy(name,smb_buf(inbuf));
-@@ -3572,31 +3572,48 @@
+@@ -3578,26 +3578,44 @@
 if (tdscnt) {
 if((data = (char *)malloc(tdscnt)) == NULL) {
@@ -117,12 +117,7 @@ diff -ur samba-2.0.10/source/smbd/ipc.c samba-2.0.10-security/source/smbd/ipc.c
 for (i=0;i data=%d params=%d setup=%d\n", name,tdscnt,tpscnt,suwcnt));
-@@ -3694,4 +3730,12 @@
+@@ -3700,4 +3737,12 @@
 return(ERROR(ERRSRV,ERRnosupport));
 return(outsize);
@@ -216,9 +216,9 @@ diff -ur samba-2.0.10/source/smbd/ipc.c samba-2.0.10-security/source/smbd/ipc.c
 + SAFE_FREE(setup);
 + return(ERROR(ERRSRV,ERRerror));
 }
-diff -ur samba-2.0.10/source/smbd/nttrans.c samba-2.0.10-security/source/smbd/nttrans.c
---- samba-2.0.10/source/smbd/nttrans.c 2000-04-24 21:27:30.000000000 +0400
-+++ samba-2.0.10-security/source/smbd/nttrans.c 2005-05-21 21:51:17.314979312 +0400
+diff -ruN samba-2.0.10.orig/source/smbd/nttrans.c samba-2.0.10/source/smbd/nttrans.c
+--- samba-2.0.10.orig/source/smbd/nttrans.c 2000-04-24 19:27:30.000000000 +0200
++++ samba-2.0.10/source/smbd/nttrans.c 2006-03-06 22:25:53.000000000 +0100
 @@ -2575,11 +2575,14 @@
 params = (char *)malloc(total_parameter_count);
 if (total_data_count > 0)
@@ -394,9 +389,9 @@ diff -ur samba-2.0.10/source/smbd/nttrans.c samba-2.0.10-security/source/smbd/nt
 + SAFE_FREE(setup);
 + return ERROR(ERRDOS,ERRinvalidparam);
 }
-diff -ur samba-2.0.10/source/smbd/password.c samba-2.0.10-security/source/smbd/password.c
---- samba-2.0.10/source/smbd/password.c 2000-03-17 01:59:48.000000000 +0300
-+++ samba-2.0.10-security/source/smbd/password.c 2005-05-21 21:51:17.336975968 +0400
+diff -ruN samba-2.0.10.orig/source/smbd/password.c samba-2.0.10/source/smbd/password.c
+--- samba-2.0.10.orig/source/smbd/password.c 2006-03-06 22:25:08.000000000 +0100
++++ samba-2.0.10/source/smbd/password.c 2006-03-06 22:25:53.000000000 +0100
 @@ -770,7 +770,7 @@
 if (!ok && lp_username(snum)) {
 char *auser;
@@ -406,9 +401,9 @@ diff -ur samba-2.0.10/source/smbd/password.c samba-2.0.10-security/source/smbd/p
 pstring_sub(user_list,"%S",lp_servicename(snum));
-diff -ur samba-2.0.10/source/smbd/reply.c samba-2.0.10-security/source/smbd/reply.c
---- samba-2.0.10/source/smbd/reply.c 2001-06-23 12:51:24.000000000 +0400
-+++ samba-2.0.10-security/source/smbd/reply.c 2005-05-21 21:51:17.378969584 +0400
+diff -ruN samba-2.0.10.orig/source/smbd/reply.c samba-2.0.10/source/smbd/reply.c
+--- samba-2.0.10.orig/source/smbd/reply.c 2006-03-06 22:25:08.000000000 +0100
++++ samba-2.0.10/source/smbd/reply.c 2006-03-06 22:25:53.000000000 +0100
 @@ -1413,6 +1413,9 @@
 for (i=numentries;(i BUFFER_SIZE) {
++ /*
++ * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
++ * of header. Don't print the error if this fits.... JRA.
++ */
++
++ if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
+ DEBUG(0,("Invalid packet length! (%d bytes).\n",len));
+ if (len > BUFFER_SIZE + (SAFETY_MARGIN/2))
+- {
+ exit(1);
+ }
+- }
+ 
+ if(len > 0) {
+ ret = read_socket_data(fd,buffer+4,len);
+diff -ruN samba-2.0.10.orig/source/smbd/oplock.c samba-2.0.10/source/smbd/oplock.c
+--- samba-2.0.10.orig/source/smbd/oplock.c 2000-04-25 04:32:14.000000000 +0200
++++ samba-2.0.10/source/smbd/oplock.c 2006-03-06 22:27:31.000000000 +0100
+@@ -887,13 +887,13 @@
+ messages crossing on the wire.
+ */
+ 
+- if((inbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN))==NULL)
++ if((inbuf = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN))==NULL)
+ {
+ DEBUG(0,("oplock_break: malloc fail for input buffer.\n"));
+ return False;
+ }
+ 
+- if((outbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN))==NULL)
++ if((outbuf = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN))==NULL)
+ {
+ DEBUG(0,("oplock_break: malloc fail for output buffer.\n"));
+ free(inbuf);
+diff -ruN samba-2.0.10.orig/source/smbd/process.c samba-2.0.10/source/smbd/process.c
+--- samba-2.0.10.orig/source/smbd/process.c 2006-03-06 22:25:28.000000000 +0100
++++ samba-2.0.10/source/smbd/process.c 2006-03-06 22:27:31.000000000 +0100
+@@ -995,8 +995,8 @@
+ time_t last_timeout_processing_time = time(NULL);
+ unsigned int num_smbs = 0;
+ 
+- InBuffer = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
+- OutBuffer = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
++ InBuffer = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN);
++ OutBuffer = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN);
+ if ((InBuffer == NULL) || (OutBuffer == NULL))
+ return;
+ 
+@@ -1027,7 +1027,7 @@
+ /* free up temporary memory */
+ lp_talloc_free();
+ 
+- while(!receive_message_or_smb(InBuffer,BUFFER_SIZE,select_timeout,&got_smb))
++ while(!receive_message_or_smb(InBuffer,BUFFER_SIZE+LARGE_WRITEX_HDR_SIZE,select_timeout,&got_smb))
+ {
+ if(!timeout_processing( deadtime, &select_timeout, &last_timeout_processing_time))
+ return;
+diff -ruN samba-2.0.10.orig/source/smbd/reply.c samba-2.0.10/source/smbd/reply.c
+--- samba-2.0.10.orig/source/smbd/reply.c 2006-03-06 22:25:53.000000000 +0100
++++ samba-2.0.10/source/smbd/reply.c 2006-03-06 22:27:31.000000000 +0100
+@@ -2551,17 +2551,28 @@
+ size_t numtowrite = SVAL(inbuf,smb_vwv10);
+ BOOL write_through = BITSETW(inbuf+smb_vwv7,0);
+ ssize_t nwritten = -1;
+- int smb_doff = SVAL(inbuf,smb_vwv11);
++ unsigned int smb_doff = SVAL(inbuf,smb_vwv11);
++ unsigned int smblen = smb_len(inbuf);
+ char *data;
++ BOOL large_writeX = ((CVAL(inbuf,smb_wct) == 14) && (smblen > 0xFFFF));
+ 
+ /* If it's an IPC, pass off the pipe handler. */
+- if (IS_IPC(conn))
++ if (IS_IPC(conn)) {
+ return reply_pipe_write_and_X(inbuf,outbuf,length,bufsize);
++ }
+ 
+ CHECK_FSP(fsp,conn);
+ CHECK_WRITE(fsp);
+ CHECK_ERROR(fsp);
+ 
++ /* Deal with possible LARGE_WRITEX */
++ if (large_writeX)
++ numtowrite |= ((((size_t)SVAL(inbuf,smb_vwv9)) & 1 )<<16);
++ 
++ if(smb_doff > smblen || (smb_doff + numtowrite > smblen)) {
++ return(ERROR(ERRDOS,ERRbadmem));
++ }
++ 
+ data = smb_base(inbuf) + smb_doff;
+ 
+ if(CVAL(inbuf,smb_wct) == 14) {
+@@ -2586,8 +2597,9 @@
+ #endif /* LARGE_SMB_OFF_T */
+ }
+ 
+- if (is_locked(fsp,conn,numtowrite,startpos, F_WRLCK))
++ if (is_locked(fsp,conn,(SMB_BIG_UINT)numtowrite,(SMB_BIG_UINT)startpos, WRITE_LOCK)) {
+ return(ERROR(ERRDOS,ERRlock));
++ }
+ 
+ /* X/Open SMB protocol says that, unlike SMBwrite
+ if the length is zero then NO truncation is
+@@ -2598,12 +2610,15 @@
+ else
+ nwritten = write_file(fsp,data,startpos,numtowrite);
+ 
+- if(((nwritten == 0) && (numtowrite != 0))||(nwritten < 0))
++ if(((nwritten == 0) && (numtowrite != 0))||(nwritten < 0)) {
+ return(UNIXERROR(ERRDOS,ERRnoaccess));
++ }
+ 
+ set_message(outbuf,6,0,True);
+ 
+ SSVAL(outbuf,smb_vwv2,nwritten);
++ if (large_writeX)
++ SSVAL(outbuf,smb_vwv4,(nwritten>>16)&1);
+ 
+ if (nwritten < (ssize_t)numtowrite) {
+ CVAL(outbuf,smb_rcls) = ERRHRD;