diff options
author | Jeremy Allison <jra@samba.org> | 2007-03-07 01:28:19 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:18:26 -0500 |
commit | 235b0f97f280cd0b3d7941969cf154a89fd53775 (patch) | |
tree | cc8d73805fc58818bee947abd1f68ba298f08444 | |
parent | cda247e9d44f42115929411de3f810ae859134a0 (diff) | |
download | samba-235b0f97f280cd0b3d7941969cf154a89fd53775.tar.gz samba-235b0f97f280cd0b3d7941969cf154a89fd53775.tar.bz2 samba-235b0f97f280cd0b3d7941969cf154a89fd53775.zip |
r21731: Fix long-standing bug in our chain processing code.
Should fix a bug with WinPE. Probably a candidate
for the Vista patchset.
Jeremy.
(This used to be commit ef32de6b59fef3e9f59e6f864ce5eb072390ea48)
-rw-r--r-- | source3/smbd/process.c | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/source3/smbd/process.c b/source3/smbd/process.c index a0e14d8445..dbac553aea 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c @@ -1148,6 +1148,7 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize) unsigned smb_off2 = SVAL(inbuf,smb_vwv1); char *inbuf2, *outbuf2; int outsize2; + int new_size; char inbuf_saved[smb_wct]; char outbuf_saved[smb_wct]; int outsize = smb_len(outbuf) + 4; @@ -1198,6 +1199,20 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize) /* create the in buffer */ SCVAL(inbuf2,smb_com,smb_com2); + /* work out the new size for the in buffer. */ + new_size = size - (inbuf2 - inbuf); + if (new_size < 0) { + DEBUG(0,("chain_reply: chain packet size incorrect (orig size = %d, " + "offset = %d)\n", + size, + (inbuf2 - inbuf) )); + exit_server_cleanly("Bad chained packet"); + return(-1); + } + + /* And set it in the header. */ + smb_setlen(inbuf2, new_size); + /* create the out buffer */ construct_reply_common(inbuf2, outbuf2); @@ -1205,7 +1220,7 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize) show_msg(inbuf2); /* process the request */ - outsize2 = switch_message(smb_com2,inbuf2,outbuf2,size-chain_size, + outsize2 = switch_message(smb_com2,inbuf2,outbuf2,new_size, bufsize-chain_size); /* copy the new reply and request headers over the old ones, but @@ -1219,8 +1234,10 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize) { int ofs = smb_wct - PTR_DIFF(outbuf2,orig_outbuf); - if (ofs < 0) ofs = 0; - memmove(outbuf2+ofs,outbuf_saved+ofs,smb_wct-ofs); + if (ofs < 0) { + ofs = 0; + } + memmove(outbuf2+ofs,outbuf_saved+ofs,smb_wct-ofs); } return outsize2; |