Fix misalignment bugs caused by invalid type casts of pointers
returned by mb_reserve(). Space reserved by mb_reserve() is byte-aligned and needs to be used in conjunction with le16enc() and le32enc(). Tested on: ia64
parent
c68ea28fe1
commit
a6a4232f96
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=161523
|
@ -241,8 +241,8 @@ smb_rq_sign(struct smb_rq *rqp)
|
|||
}
|
||||
|
||||
/* Initialize sec. signature field to sequence number + zeros. */
|
||||
*(u_int32_t *)rqp->sr_rqsig = htole32(rqp->sr_seqno);
|
||||
*(u_int32_t *)(rqp->sr_rqsig + 4) = 0;
|
||||
le32enc(rqp->sr_rqsig, rqp->sr_seqno);
|
||||
le32enc(rqp->sr_rqsig + 4, 0);
|
||||
|
||||
/*
|
||||
* Compute HMAC-MD5 of packet data, keyed by MAC key.
|
||||
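Review bot: The two `le32enc()` stores write through `rqp->sr_rqsig` with no visible check that the signature field was ever reserved. In the smb_rq_new section the `mb_reserve(mbp, 8)` that sets `sr_rqsig` sits just before a closing brace, so it looks conditional, while smb_iod_sendrq decides to call smb_rq_sign() from `vcp->vc_hflags2` at send time; if those two conditions can differ, this becomes a NULL write in the signing path. A guard such as `KASSERT(rqp->sr_rqsig != NULL, ("signature field not reserved"));` ahead of the stores would make the assumption explicit. The start of smb_rq_sign is outside the hunk, so an earlier check may already exist.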
|
|
|
@ -244,8 +244,8 @@ smb_iod_sendrq(struct smbiod *iod, struct smb_rq *rqp)
|
|||
if (vcp->vc_maxmux != 0 && iod->iod_muxcnt >= vcp->vc_maxmux)
|
||||
return 0;
|
||||
#endif
|
||||
*rqp->sr_rqtid = htole16(ssp ? ssp->ss_tid : SMB_TID_UNKNOWN);
|
||||
*rqp->sr_rquid = htole16(vcp ? vcp->vc_smbuid : 0);
|
||||
le16enc(rqp->sr_rqtid, ssp ? ssp->ss_tid : SMB_TID_UNKNOWN);
|
||||
le16enc(rqp->sr_rquid, vcp ? vcp->vc_smbuid : 0);
|
||||
mb_fixhdr(&rqp->sr_rq);
|
||||
if (vcp->vc_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE)
|
||||
smb_rq_sign(rqp);
|
||||
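Review bot: `vcp` is NULL-checked in the `sr_rquid` store (`vcp ? vcp->vc_smbuid : 0`) but dereferenced unguarded two lines later in `if (vcp->vc_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE)`, so one of the two is wrong. If `vcp` can never be NULL here, the ternary is dead code and the store reads better as `le16enc(rqp->sr_rquid, vcp->vc_smbuid);`. If it can be NULL, the flag test needs `vcp != NULL &&` in front of it. `vcp` and `ssp` are assigned outside the hunk, so which case holds cannot be confirmed from these lines.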
|
|
|
@ -141,9 +141,9 @@ smb_rq_new(struct smb_rq *rqp, u_char cmd)
|
|||
rqp->sr_rqsig = (u_int8_t *)mb_reserve(mbp, 8);
|
||||
mb_put_uint16le(mbp, 0);
|
||||
}
|
||||
rqp->sr_rqtid = (u_int16_t*)mb_reserve(mbp, sizeof(u_int16_t));
|
||||
rqp->sr_rqtid = mb_reserve(mbp, sizeof(u_int16_t));
|
||||
mb_put_uint16le(mbp, 1 /*scred->sc_p->p_pid & 0xffff*/);
|
||||
rqp->sr_rquid = (u_int16_t*)mb_reserve(mbp, sizeof(u_int16_t));
|
||||
rqp->sr_rquid = mb_reserve(mbp, sizeof(u_int16_t));
|
||||
mb_put_uint16le(mbp, rqp->sr_mid);
|
||||
return 0;
|
||||
}
|
||||
|
@ -239,7 +239,7 @@ smb_rq_wend(struct smb_rq *rqp)
|
|||
void
|
||||
smb_rq_bstart(struct smb_rq *rqp)
|
||||
{
|
||||
rqp->sr_bcount = (u_short*)mb_reserve(&rqp->sr_rq, sizeof(u_short));
|
||||
rqp->sr_bcount = mb_reserve(&rqp->sr_rq, sizeof(u_short));
|
||||
rqp->sr_rq.mb_count = 0;
|
||||
}
|
||||
|
||||
|
@ -255,7 +255,7 @@ smb_rq_bend(struct smb_rq *rqp)
|
|||
bcnt = rqp->sr_rq.mb_count;
|
||||
if (bcnt > 0xffff)
|
||||
SMBERROR("byte count too large (%d)\n", bcnt);
|
||||
*rqp->sr_bcount = htole16(bcnt);
|
||||
le16enc(rqp->sr_bcount, bcnt);
|
||||
}
|
||||
|
||||
int
|
||||
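Review bot: In smb_rq_bend the oversize case is only logged. After `SMBERROR("byte count too large (%d)\n", bcnt)` execution falls through to `le16enc(rqp->sr_bcount, bcnt)`, which keeps just the low 16 bits, so the byte-count field on the wire would disagree with the data actually queued. The request would be better failed at that point than sent with a truncated length; how to report the failure depends on the function's return type, which is outside the hunk. At minimum the fall-through deserves a comment such as `/* XXX bcnt > 0xffff is truncated by le16enc() below */`.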
|
|
|
@ -82,7 +82,7 @@ struct smb_rq {
|
|||
u_int8_t sr_rqflags;
|
||||
u_int16_t sr_rqflags2;
|
||||
u_char * sr_wcount;
|
||||
u_short * sr_bcount;
|
||||
void * sr_bcount; /* Points to 2-byte buffer. */
|
||||
struct mdchain sr_rp;
|
||||
int sr_rpgen;
|
||||
int sr_rplast;
|
||||
|
@ -95,8 +95,8 @@ struct smb_rq {
|
|||
struct timespec sr_timesent;
|
||||
int sr_lerror;
|
||||
u_int8_t * sr_rqsig;
|
||||
u_int16_t * sr_rqtid;
|
||||
u_int16_t * sr_rquid;
|
||||
void * sr_rqtid; /* Points to 2-byte buffer. */
|
||||
void * sr_rquid; /* Points to 2-byte buffer. */
|
||||
u_int8_t sr_errclass;
|
||||
u_int16_t sr_serror;
|
||||
u_int32_t sr_error;
|
||||
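Review bot: `sr_rqsig` keeps its `u_int8_t *` type and gets no size comment, while the three converted fields are each documented as pointing to a 2-byte buffer. Going by `mb_reserve(mbp, 8)` in the smb_rq_new section, it would read consistently as `u_int8_t * sr_rqsig; /* Points to 8-byte buffer. */`. The new comments could also say why the fields are `void *`, for example `/* Points to unaligned 2-byte buffer; store with le16enc(). */`, so that a later change does not reintroduce a typed pointer and a direct store.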
|
|