author | marcel <marcel@FreeBSD.org> | 2006-08-22 03:05:51 +0000 |
---|---|---|
committer | marcel <marcel@FreeBSD.org> | 2006-08-22 03:05:51 +0000 |
commit | 6723c51456f91f4ff5b61a01bcdf421bfa465a61 (patch) | |
tree | f59a8d47cd3eea7ae8f95993d421a9c9abb63d64 | |
parent | f39fbdd70545e5a375029d7c59616b06ef675023 (diff) | |
download | FreeBSD-src-6723c51456f91f4ff5b61a01bcdf421bfa465a61.zip FreeBSD-src-6723c51456f91f4ff5b61a01bcdf421bfa465a61.tar.gz |
Fix misalignment bugs caused by invalid type casts of pointers
returned by mb_reserve(). Space reserved by mb_reserve() is
byte aligned and needs to be used in conjunction with le16enc()
and le32enc().
Tested on: ia64
-rw-r--r-- | sys/netsmb/smb_crypt.c | 4 | ||||
-rw-r--r-- | sys/netsmb/smb_iod.c | 4 | ||||
-rw-r--r-- | sys/netsmb/smb_rq.c | 8 | ||||
-rw-r--r-- | sys/netsmb/smb_rq.h | 6 |
4 files changed, 11 insertions, 11 deletions
diff --git a/sys/netsmb/smb_crypt.c b/sys/netsmb/smb_crypt.c
index 928ba8c..b647afd 100644
--- a/sys/netsmb/smb_crypt.c
+++ b/sys/netsmb/smb_crypt.c
@@ -241,8 +241,8 @@ smb_rq_sign(struct smb_rq *rqp)
 }
 /* Initialize sec. signature field to sequence number + zeros. */
- *(u_int32_t *)rqp->sr_rqsig = htole32(rqp->sr_seqno);
- *(u_int32_t *)(rqp->sr_rqsig + 4) = 0;
+ le32enc(rqp->sr_rqsig, rqp->sr_seqno);
+ le32enc(rqp->sr_rqsig + 4, 0);
 /*
 * Compute HMAC-MD5 of packet data, keyed by MAC key.
diff --git a/sys/netsmb/smb_iod.c b/sys/netsmb/smb_iod.c
index 26bbe75..8a687c2 100644
--- a/sys/netsmb/smb_iod.c
+++ b/sys/netsmb/smb_iod.c
@@ -244,8 +244,8 @@ smb_iod_sendrq(struct smbiod *iod, struct smb_rq *rqp)
 if (vcp->vc_maxmux != 0 && iod->iod_muxcnt >= vcp->vc_maxmux)
 return 0;
 #endif
- *rqp->sr_rqtid = htole16(ssp ? ssp->ss_tid : SMB_TID_UNKNOWN);
- *rqp->sr_rquid = htole16(vcp ? vcp->vc_smbuid : 0);
+ le16enc(rqp->sr_rqtid, ssp ? ssp->ss_tid : SMB_TID_UNKNOWN);
+ le16enc(rqp->sr_rquid, vcp ? vcp->vc_smbuid : 0);
 mb_fixhdr(&rqp->sr_rq);
 if (vcp->vc_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE)
 smb_rq_sign(rqp);
diff --git a/sys/netsmb/smb_rq.c b/sys/netsmb/smb_rq.c
index 7099645..fb7e5d5 100644
--- a/sys/netsmb/smb_rq.c
+++ b/sys/netsmb/smb_rq.c
@@ -141,9 +141,9 @@ smb_rq_new(struct smb_rq *rqp, u_char cmd)
 rqp->sr_rqsig = (u_int8_t *)mb_reserve(mbp, 8);
 mb_put_uint16le(mbp, 0);
 }
- rqp->sr_rqtid = (u_int16_t*)mb_reserve(mbp, sizeof(u_int16_t));
+ rqp->sr_rqtid = mb_reserve(mbp, sizeof(u_int16_t));
 mb_put_uint16le(mbp, 1 /*scred->sc_p->p_pid & 0xffff*/);
- rqp->sr_rquid = (u_int16_t*)mb_reserve(mbp, sizeof(u_int16_t));
+ rqp->sr_rquid = mb_reserve(mbp, sizeof(u_int16_t));
 mb_put_uint16le(mbp, rqp->sr_mid);
 return 0;
 }
@@ -239,7 +239,7 @@ smb_rq_wend(struct smb_rq *rqp)
 void
 smb_rq_bstart(struct smb_rq *rqp)
 {
- rqp->sr_bcount = (u_short*)mb_reserve(&rqp->sr_rq, sizeof(u_short));
+ rqp->sr_bcount = mb_reserve(&rqp->sr_rq, sizeof(u_short));
 rqp->sr_rq.mb_count = 0;
 }
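Review bot: The `vcp ? vcp->vc_smbuid : 0` guard on the new `le16enc(rqp->sr_rquid, ...)` line in smb_iod_sendrq() disagrees with the unconditional `vcp->vc_hflags2` dereference two lines below it, and with `vcp->vc_maxmux` in the conditional block above. Either vcp can never be NULL here and the ternary is dead code, or the later dereference is a NULL-pointer fault in kernel context. If NULL is impossible, `le16enc(rqp->sr_rquid, vcp->vc_smbuid);` together with an earlier `KASSERT(vcp != NULL, ("no VC"));` would state that explicitly. The function starts and ends outside the hunk, so an earlier check may already exist.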
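Review bot: In smb_rq_new() the pointers returned by mb_reserve() are stored into `sr_rqtid` and `sr_rquid` without a NULL check, and smb_iod_sendrq() later hands them straight to le16enc(). The definition of mb_reserve() is not shown; if it can fail when a new mbuf is needed, a check such as `if (rqp->sr_rqtid == NULL) return ENOBUFS;` after each reservation would turn a kernel NULL write into an error return instead of the unconditional `return 0`. The same applies to `sr_bcount` in smb_rq_bstart() in the next hunk, which returns void and so cannot report the failure at all. smb_rq_new() begins above the hunk.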
@@ -255,7 +255,7 @@ smb_rq_bend(struct smb_rq *rqp)
 bcnt = rqp->sr_rq.mb_count;
 if (bcnt > 0xffff)
 SMBERROR("byte count too large (%d)\n", bcnt);
- *rqp->sr_bcount = htole16(bcnt);
+ le16enc(rqp->sr_bcount, bcnt);
 }
 int
diff --git a/sys/netsmb/smb_rq.h b/sys/netsmb/smb_rq.h
index c016d9d..d989e4f 100644
--- a/sys/netsmb/smb_rq.h
+++ b/sys/netsmb/smb_rq.h
@@ -82,7 +82,7 @@ struct smb_rq {
 u_int8_t sr_rqflags;
 u_int16_t sr_rqflags2;
 u_char * sr_wcount;
- u_short * sr_bcount;
+ void * sr_bcount; /* Points to 2-byte buffer. */
 struct mdchain sr_rp;
 int sr_rpgen;
 int sr_rplast;
@@ -95,8 +95,8 @@ struct smb_rq {
 struct timespec sr_timesent;
 int sr_lerror;
 u_int8_t * sr_rqsig;
- u_int16_t * sr_rqtid;
- u_int16_t * sr_rquid;
+ void * sr_rqtid; /* Points to 2-byte buffer. */
+ void * sr_rquid; /* Points to 2-byte buffer. */
 u_int8_t sr_errclass;
 u_int16_t sr_serror;
 u_int32_t sr_error; |
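Review bot: `le16enc(rqp->sr_bcount, bcnt)` in smb_rq_bend() still runs after the `bcnt > 0xffff` test, which only logs through SMBERROR(), so an oversize body goes out with a byte-count field holding just the low 16 bits of its real length. A length field that disagrees with the payload is exactly the kind of malformed request a peer may mis-parse. If the function cannot fail, a comment such as `/* XXX oversize bcnt is logged but still written truncated to 16 bits */` would at least record the behaviour; otherwise the request should be rejected before it is sent. The start of the function is outside the hunk.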
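Review bot: The new `/* Points to 2-byte buffer. */` comment on `sr_bcount` (and on `sr_rqtid` and `sr_rquid` in the following hunk) leaves out the two facts that motivated the change: the buffer is only byte aligned and holds a little-endian value. With `void *` the compiler accepts any pointer assignment, so the comment is the only contract left on these fields. Something like `/* Unaligned 2-byte LE field in the request; write with le16enc(). */` would keep a later caller from reintroducing a typed store. struct smb_rq begins and ends outside the hunk.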