authorLuke Leighton <lkcl@samba.org>1997-10-12 14:17:55 +0000
committerLuke Leighton <lkcl@samba.org>1997-10-12 14:17:55 +0000
commit60575a888aebec898fdaf0f6c0c8269607b2571f (patch)
treeb496d7a8986f5c1eb31395025d10ea4a91099219 /source3/smbd/ipc.c
parenta26037ac7c1ac218863f9d674dcf85293eb2f085 (diff)
ipc.c:
debugging info. found that data = NULL because of short packet length indicated from the ntlsaRPC pipe _royally_ stuffs NT's packet handling. maybe this should go down as a service denial bug to the ntbugtraq list. pipes.c lsaparse.c smbparse.c : added more debug stuff. added length of header to data_len in MSRPC fragment_length field (0x18 bytes short) which caused the above bug from NT 4.0. oops. (This used to be commit a6f8de6815e0b85bb23b302980730501ac0b87e5)
Diffstat (limited to 'source3/smbd/ipc.c')
-rw-r--r--source3/smbd/ipc.c33
1 files changed, 19 insertions, 14 deletions
diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c
index 6b255dd405..b314d41679 100644
--- a/source3/smbd/ipc.c
+++ b/source3/smbd/ipc.c
@@ -2801,30 +2801,35 @@ static int api_fd_reply(int cnum,uint16 vuid,char *outbuf,
subcommand = setup[0];
DEBUG(3,("Got API command %d on pipe %s ",subcommand,Files[fd].name));
- DEBUG(3,("(tdscnt=%d,tpscnt=%d,mdrcnt=%d,mprcnt=%d)\n",
- tdscnt,tpscnt,mdrcnt,mprcnt));
+ DEBUG(3,("(tdscnt=%d,tpscnt=%d,mdrcnt=%d,mprcnt=%d,cnum=%d,vuid=%d)\n",
+ tdscnt,tpscnt,mdrcnt,mprcnt,cnum,vuid));
for (i=0;api_fd_commands[i].name;i++)
+ {
if (strequal(api_fd_commands[i].pipename, Files[fd].name) &&
- api_fd_commands[i].subcommand == subcommand &&
- api_fd_commands[i].fn)
- {
- DEBUG(3,("Doing %s\n",api_fd_commands[i].name));
- break;
- }
+ api_fd_commands[i].subcommand == subcommand &&
+ api_fd_commands[i].fn)
+ {
+ DEBUG(3,("Doing %s\n",api_fd_commands[i].name));
+ break;
+ }
+ }
- rdata = (char *)malloc(1024); if (rdata) bzero(rdata,1024);
+ rdata = (char *)malloc(1024); if (rdata ) bzero(rdata ,1024);
rparam = (char *)malloc(1024); if (rparam) bzero(rparam,1024);
+ DEBUG(10,("calling api_fd_command\n"));
+
reply = api_fd_commands[i].fn(cnum,vuid,params,data,mdrcnt,mprcnt,
&rdata,&rparam,&rdata_len,&rparam_len);
- if (rdata_len > mdrcnt ||
- rparam_len > mprcnt)
- {
- reply = api_TooSmall(cnum,vuid,params,data,mdrcnt,mprcnt,
+ DEBUG(10,("called api_fd_command\n"));
+
+ if (rdata_len > mdrcnt || rparam_len > mprcnt)
+ {
+ reply = api_TooSmall(cnum,vuid,params,data,mdrcnt,mprcnt,
&rdata,&rparam,&rdata_len,&rparam_len);
- }
+ }
/* if we get False back then it's actually unsupported */
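Review bot: The two 1024-byte reply buffers are NULL-checked only for the `bzero` call, so if either `malloc` fails the handler is still invoked with `&rdata`/`&rparam` pointing at a NULL buffer. Because this path is driven by client requests, a guard such as `if (!rdata || !rparam)` placed before `api_fd_commands[i].fn(...)`, releasing whichever buffer was obtained and failing the request, would be safer; whether individual handlers reallocate or tolerate NULL is not visible here. The re-braced loop also still falls through with `i` at the terminating table entry when nothing matches, so the call relies on that entry carrying a non-NULL `fn`. If that is the table's design, a comment such as `/* no match: i indexes the terminator entry, whose fn is the default handler */` would make it explicit. api_fd_reply starts and ends outside the hunk.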