author | Andrew Tridgell <tridge@samba.org> | 2002-04-16 06:15:28 +0000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2002-04-16 06:15:28 +0000 |
commit | e7b729e0d9d6264e85be042b16aa6aee0648fcfd (patch) | |
tree | 8afa07d1e9341ee1fd701ec0d1bbdb7a5dab8d12 /source3/smbd/message.c | |
parent | a95d731fa496db9bf4f8173b0661fe080c1bcaed (diff) | |
make sure we don't walk past the end of the current SMB buffer when
pulling a string
this might explain a serious filename corruption bug that Quantum QA spotted
(This used to be commit a877eae24becad9e0cd5b33ffe0916a20d5ba227)
Diffstat (limited to 'source3/smbd/message.c')
-rw-r--r-- | source3/smbd/message.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/source3/smbd/message.c b/source3/smbd/message.c
index 971834c012..c2eb16c99e 100644
--- a/source3/smbd/message.c
+++ b/source3/smbd/message.c
@@ -118,8 +118,8 @@ int reply_sends(connection_struct *conn,
 outsize = set_message(outbuf,0,0,True);
 p = smb_buf(inbuf)+1;
- p += srvstr_pull(inbuf, msgfrom, p, sizeof(msgfrom), -1, STR_TERMINATE) + 1;
- p += srvstr_pull(inbuf, msgto, p, sizeof(msgto), -1, STR_TERMINATE) + 1;
+ p += srvstr_pull_buf(inbuf, msgfrom, p, sizeof(msgfrom), STR_TERMINATE) + 1;
+ p += srvstr_pull_buf(inbuf, msgto, p, sizeof(msgto), STR_TERMINATE) + 1;
 msg = p;
@@ -160,8 +160,8 @@ int reply_sendstrt(connection_struct *conn,
 msgpos = 0;
 p = smb_buf(inbuf)+1;
- p += srvstr_pull(inbuf, msgfrom, p, sizeof(msgfrom), -1, STR_TERMINATE) + 1;
- p += srvstr_pull(inbuf, msgto, p, sizeof(msgto), -1, STR_TERMINATE) + 1;
+ p += srvstr_pull_buf(inbuf, msgfrom, p, sizeof(msgfrom), STR_TERMINATE) + 1;
+ p += srvstr_pull_buf(inbuf, msgto, p, sizeof(msgto), STR_TERMINATE) + 1;
 DEBUG( 3, ( "SMBsendstrt (from %s to %s)\n", msgfrom, msgto ) ); |
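Review bot: The `+ 1` after each `srvstr_pull_buf()` call in the reply_sends hunk still advances `p` with no check against the end of the SMB buffer, so a request whose string runs to the last byte leaves `p`, and then `msg = p`, past the received data even though the pull itself is now bounded. The definition of srvstr_pull_buf is not visible here; if it derives the remaining length from `p`, the second call would presumably receive a zero or negative remainder, and that case deserves an explicit guard rather than relying on how the helper treats such a value. I would add after each pull something like `if (p > smb_buf(inbuf) + smb_buflen(inbuf)) return <existing error reply>;`, assuming smb_buflen is the tree's accessor for the data length. The reply_sendstrt hunk changes the same two lines and needs the same check; both function bodies begin and end outside the hunks shown.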