authorMarcel Moolenaar <marcel@FreeBSD.org>2006-08-22 03:05:51 +0000
committerMarcel Moolenaar <marcel@FreeBSD.org>2006-08-22 03:05:51 +0000
commita6a4232f9685ce47c935742f9f8ba242da7425b1 (patch)
treef59a8d47cd3eea7ae8f95993d421a9c9abb63d64 /sys/netsmb
parentc68ea28fe143dfeb6aad5cdc58bb9c9f5ea47d56 (diff)
Fix misalignment bugs caused by invalid type casts of pointers
returned by md_reserve(). Space reserved by mb_reserve() is byte aligned and needs to be used in conjunction with le16enc() and le32enc(). Tested on: ia64
Notes
Notes: svn path=/head/; revision=161523
Diffstat (limited to 'sys/netsmb')
-rw-r--r--sys/netsmb/smb_crypt.c4
-rw-r--r--sys/netsmb/smb_iod.c4
-rw-r--r--sys/netsmb/smb_rq.c8
-rw-r--r--sys/netsmb/smb_rq.h6
4 files changed, 11 insertions, 11 deletions
diff --git a/sys/netsmb/smb_crypt.c b/sys/netsmb/smb_crypt.c
index 928ba8ce4b86..b647afd09ae8 100644
--- a/sys/netsmb/smb_crypt.c
+++ b/sys/netsmb/smb_crypt.c
@@ -241,8 +241,8 @@ smb_rq_sign(struct smb_rq *rqp)
}
/* Initialize sec. signature field to sequence number + zeros. */
- *(u_int32_t *)rqp->sr_rqsig = htole32(rqp->sr_seqno);
- *(u_int32_t *)(rqp->sr_rqsig + 4) = 0;
+ le32enc(rqp->sr_rqsig, rqp->sr_seqno);
+ le32enc(rqp->sr_rqsig + 4, 0);
/*
* Compute HMAC-MD5 of packet data, keyed by MAC key.
diff --git a/sys/netsmb/smb_iod.c b/sys/netsmb/smb_iod.c
index 26bbe75879a4..8a687c260e79 100644
--- a/sys/netsmb/smb_iod.c
+++ b/sys/netsmb/smb_iod.c
@@ -244,8 +244,8 @@ smb_iod_sendrq(struct smbiod *iod, struct smb_rq *rqp)
if (vcp->vc_maxmux != 0 && iod->iod_muxcnt >= vcp->vc_maxmux)
return 0;
#endif
- *rqp->sr_rqtid = htole16(ssp ? ssp->ss_tid : SMB_TID_UNKNOWN);
- *rqp->sr_rquid = htole16(vcp ? vcp->vc_smbuid : 0);
+ le16enc(rqp->sr_rqtid, ssp ? ssp->ss_tid : SMB_TID_UNKNOWN);
+ le16enc(rqp->sr_rquid, vcp ? vcp->vc_smbuid : 0);
mb_fixhdr(&rqp->sr_rq);
if (vcp->vc_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE)
smb_rq_sign(rqp);
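Review bot: The NULL guard in `vcp ? vcp->vc_smbuid : 0` is contradicted two lines later, where `vcp->vc_hflags2` is dereferenced unconditionally before the signing call. If vcp can never be NULL here, the ternary is dead and the line should read `le16enc(rqp->sr_rquid, vcp->vc_smbuid);`. If it can be NULL, the flags test needs the same guard, `if (vcp != NULL && (vcp->vc_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE))`, to avoid a kernel NULL dereference. Which case holds depends on how vcp is assigned earlier in smb_iod_sendrq, which starts outside this hunk.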
diff --git a/sys/netsmb/smb_rq.c b/sys/netsmb/smb_rq.c
index 7099645be59b..fb7e5d55d8fd 100644
--- a/sys/netsmb/smb_rq.c
+++ b/sys/netsmb/smb_rq.c
@@ -141,9 +141,9 @@ smb_rq_new(struct smb_rq *rqp, u_char cmd)
rqp->sr_rqsig = (u_int8_t *)mb_reserve(mbp, 8);
mb_put_uint16le(mbp, 0);
}
- rqp->sr_rqtid = (u_int16_t*)mb_reserve(mbp, sizeof(u_int16_t));
+ rqp->sr_rqtid = mb_reserve(mbp, sizeof(u_int16_t));
mb_put_uint16le(mbp, 1 /*scred->sc_p->p_pid & 0xffff*/);
- rqp->sr_rquid = (u_int16_t*)mb_reserve(mbp, sizeof(u_int16_t));
+ rqp->sr_rquid = mb_reserve(mbp, sizeof(u_int16_t));
mb_put_uint16le(mbp, rqp->sr_mid);
return 0;
}
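Review bot: The pointers returned by mb_reserve() are stored in `sr_rqtid` and `sr_rquid` without a check, and smb_iod_sendrq later passes them straight to le16enc(). If mb_reserve() can return NULL (its definition is not visible here), smb_rq_new should fail rather than return 0, for example `if (rqp->sr_rqtid == NULL) return ENOBUFS;` after each reservation. The same concern applies to `sr_rqsig` just above and to `sr_bcount` in the smb_rq_bstart hunk, which returns void and so has no way to report the failure. As a style point, the `(u_int8_t *)` cast kept on the sr_rqsig line is now inconsistent with the uncast assignments below it.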
@@ -239,7 +239,7 @@ smb_rq_wend(struct smb_rq *rqp)
void
smb_rq_bstart(struct smb_rq *rqp)
{
- rqp->sr_bcount = (u_short*)mb_reserve(&rqp->sr_rq, sizeof(u_short));
+ rqp->sr_bcount = mb_reserve(&rqp->sr_rq, sizeof(u_short));
rqp->sr_rq.mb_count = 0;
}
@@ -255,7 +255,7 @@ smb_rq_bend(struct smb_rq *rqp)
bcnt = rqp->sr_rq.mb_count;
if (bcnt > 0xffff)
SMBERROR("byte count too large (%d)\n", bcnt);
- *rqp->sr_bcount = htole16(bcnt);
+ le16enc(rqp->sr_bcount, bcnt);
}
int
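Review bot: When `bcnt > 0xffff` the code only logs, and `le16enc(rqp->sr_bcount, bcnt)` then stores the low 16 bits, so the request is sent with a byte count smaller than the data that follows it. The old htole16() store truncated the same way, but the peer will parse the body using the short count, so this deserves to be explicit. At minimum add a comment such as `/* bcnt > 0xffff is truncated to 16 bits; the request will be malformed. */`; preferably the request should be failed instead of sent. smb_rq_bend begins outside the hunk, so whether it can report an error to its caller is not visible here.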
diff --git a/sys/netsmb/smb_rq.h b/sys/netsmb/smb_rq.h
index c016d9d28831..d989e4fc0703 100644
--- a/sys/netsmb/smb_rq.h
+++ b/sys/netsmb/smb_rq.h
@@ -82,7 +82,7 @@ struct smb_rq {
u_int8_t sr_rqflags;
u_int16_t sr_rqflags2;
u_char * sr_wcount;
- u_short * sr_bcount;
+ void * sr_bcount; /* Points to 2-byte buffer. */
struct mdchain sr_rp;
int sr_rpgen;
int sr_rplast;
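Review bot: The new comment `/* Points to 2-byte buffer. */` on sr_bcount omits the two facts that motivated the type change: the buffer has no alignment guarantee and it holds a little-endian value. I would write `/* Unaligned 2-byte LE field inside sr_rq; write only with le16enc(). */` and use the same wording for sr_rqtid and sr_rquid in the next hunk. sr_rqsig stays `u_int8_t *` with no comment; a matching `/* Unaligned 8-byte signature field. */` would keep the fields documented consistently.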
@@ -95,8 +95,8 @@ struct smb_rq {
struct timespec sr_timesent;
int sr_lerror;
u_int8_t * sr_rqsig;
- u_int16_t * sr_rqtid;
- u_int16_t * sr_rquid;
+ void * sr_rqtid; /* Points to 2-byte buffer. */
+ void * sr_rquid; /* Points to 2-byte buffer. */
u_int8_t sr_errclass;
u_int16_t sr_serror;
u_int32_t sr_error;