From: Andreas Schneider
Date: Wed, 16 May 2018 15:05:38 +0000 (+0200)
Subject: s3:smbd: Fix converity warning with _smb_setlen_large()
X-Git-Tag: ldb-1.4.0~197
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=76d5f78bb8de7ed8dfbc0d6b237c6d63ea15678f;p=thirdparty%2Fsamba.git
s3:smbd: Fix converity warning with _smb_setlen_large()
result_independent_of_operands: "(outsize - 4 & 0xffffff) >> 16 >> 8" is 0 regardless of the values of its operands. This occurs as the bitwise first operand of "&". So we should just pass a variable to silence the warning. However for this, we should calculate it correctly and use size_t for it. Found by Coverity.
Signed-off-by: Andreas Schneider
Reviewed-by: Andrew Bartlett
---
diff --git a/source3/smbd/aio.c b/source3/smbd/aio.c
index abf8858099b..b984036e9f8 100644
--- a/source3/smbd/aio.c
+++ b/source3/smbd/aio.c
@@ -239,7 +239,7 @@ static void aio_pread_smb1_done(struct tevent_req *req)
 struct aio_extra *aio_ex = tevent_req_callback_data(
 req, struct aio_extra);
 files_struct *fsp = aio_ex->fsp;
- int outsize;
+ size_t outsize;
 char *outbuf = (char *)aio_ex->outbuf.data;
 ssize_t nread;
 struct vfs_aio_state vfs_aio_state;
@@ -276,7 +276,15 @@ static void aio_pread_smb1_done(struct tevent_req *req)
 (int)aio_ex->nbyte, (int)nread ) );
 }
- _smb_setlen_large(outbuf, outsize - 4);
+
+ if (outsize <= 4) {
+ DBG_INFO("Invalid outsize (%zu)\n", outsize);
+ TALLOC_FREE(aio_ex);
+ return;
+ }
+ outsize -= 4;
+ _smb_setlen_large(outbuf, outsize);
+ show_msg(outbuf);
 if (!srv_send_smb(aio_ex->smbreq->xconn, outbuf, true, aio_ex->smbreq->seqnum+1,
diff --git a/source3/smbd/error.c b/source3/smbd/error.c
index c91f5b0daf4..3f9ecaa2c5c 100644
--- a/source3/smbd/error.c
+++ b/source3/smbd/error.c
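Review bot: In the second aio.c hunk, the new `if (outsize <= 4)` branch of aio_pread_smb1_done frees aio_ex and returns before srv_send_smb() is reached, so the client that issued the read gets no reply at all and the only trace is a DBG_INFO line. A reply of four bytes or fewer would seem to indicate an internal inconsistency rather than a normal condition, so I would log it at error level, `DBG_ERR("Invalid outsize (%zu)\n", outsize);`, and add a comment saying why silently dropping the request is acceptable here, or handle it like the srv_send_smb() failure path, which is outside this hunk. The check also covers only the lower bound: the expression quoted in the commit message masks the length with 0xffffff, so a size_t value above that would presumably be truncated by _smb_setlen_large() rather than rejected. The assignment to outsize is outside the hunk, so whether such a value is reachable cannot be judged from these lines.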
@@ -105,9 +105,9 @@ void error_packet_set(char *outbuf, uint8_t eclass, uint32_t ecode, NTSTATUS nts
 }
 }
-int error_packet(char *outbuf, uint8_t eclass, uint32_t ecode, NTSTATUS ntstatus, int line, const char *file)
+size_t error_packet(char *outbuf, uint8_t eclass, uint32_t ecode, NTSTATUS ntstatus, int line, const char *file)
 {
- int outsize = srv_set_message(outbuf,0,0,True);
+ size_t outsize = srv_set_message(outbuf,0,0,True);
 error_packet_set(outbuf, eclass, ecode, ntstatus, line, file);
 return outsize;
 }
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 6a3395ceabf..936b5351de7 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -274,10 +274,10 @@ out:
 Setup the word count and byte count for a smb message.
 ********************************************************************/
-int srv_set_message(char *buf,
- int num_words,
- int num_bytes,
- bool zero)
+size_t srv_set_message(char *buf,
+ size_t num_words,
+ size_t num_bytes,
+ bool zero)
 {
 if (zero && (num_words || num_bytes)) {
 memset(buf + smb_size,'\0',num_words*2 + num_bytes);
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index 778561c241c..bee7acadeea 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -293,7 +293,12 @@ struct timespec get_change_timespec(connection_struct *conn,
 bool use_nt_status(void);
 void error_packet_set(char *outbuf, uint8_t eclass, uint32_t ecode, NTSTATUS ntstatus, int line, const char *file);
-int error_packet(char *outbuf, uint8_t eclass, uint32_t ecode, NTSTATUS ntstatus, int line, const char *file);
+size_t error_packet(char *outbuf,
+ uint8_t eclass,
+ uint32_t ecode,
+ NTSTATUS ntstatus,
+ int line,
+ const char *file);
 void reply_nt_error(struct smb_request *req, NTSTATUS ntstatus, int line, const char *file);
 void reply_force_dos_error(struct smb_request *req, uint8_t eclass, uint32_t ecode,
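Review bot: In source3/smbd/error.c, error_packet() now returns size_t, but the patch shows only two locals being retyped to match (in aio_pread_smb1_done and setup_readX_header); any other caller that still stores the result in an `int` or tests it with `< 0` would now convert silently. The same applies to srv_set_message() in process.c and setup_readX_header() in reply.c, whose return types change in the same way. It would be worth confirming that the remaining callers were audited, for instance by building these files with `-Wconversion -Wsign-compare`.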
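Review bot: In source3/smbd/process.c, srv_set_message() clears `num_words*2 + num_bytes` bytes at `buf + smb_size` without knowing how large buf is, and nothing in the visible lines bounds either count now that both are size_t. A caller that computes a count in a signed type and ends up negative would reach the memset with a very large length. The header comment should state the caller's obligation, for example `/* Caller must ensure buf has room for smb_size + num_words*2 + num_bytes bytes. */`; setup_readX_header() in reply.c, which passes `smb_maxcnt + 1`, is one such caller. The rest of the function body is outside the hunk.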
@@ -825,10 +830,10 @@ bool srv_send_smb(struct smbXsrv_connection *xconn, char *buffer, bool no_signing, uint32_t seqnum, bool do_encrypt, struct smb_perfcount_data *pcd);
-int srv_set_message(char *buf,
- int num_words,
- int num_bytes,
- bool zero);
+size_t srv_set_message(char *buf,
+ size_t num_words,
+ size_t num_bytes,
+ bool zero);
 void remove_deferred_open_message_smb(struct smbXsrv_connection *xconn, uint64_t mid);
 bool schedule_deferred_open_message_smb(struct smbXsrv_connection *xconn,
@@ -955,7 +960,7 @@ ssize_t sendfile_short_send(struct smbXsrv_connection *xconn,
 size_t smb_maxcnt);
 void reply_readbraw(struct smb_request *req);
 void reply_lockread(struct smb_request *req);
-int setup_readX_header(char *outbuf, size_t smb_maxcnt);
+size_t setup_readX_header(char *outbuf, size_t smb_maxcnt);
 void reply_read(struct smb_request *req);
 void reply_read_and_X(struct smb_request *req);
 void error_to_writebrawerr(struct smb_request *req);
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 92a65f5b90b..fc56e3234be 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3926,9 +3926,9 @@ out:
 Setup readX header.
 ****************************************************************************/
-int setup_readX_header(char *outbuf, size_t smb_maxcnt)
+size_t setup_readX_header(char *outbuf, size_t smb_maxcnt)
 {
- int outsize;
+ size_t outsize;
 outsize = srv_set_message(outbuf,12,smb_maxcnt + 1 /* padding byte */, False);