diff options
| author | Gerald (Jerry) Carter <jerry@samba.org> | 2007-11-02 14:16:40 -0400 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-11-02 14:16:40 -0400 |
| commit | 8a33035038d176ca3065daf2ff4f1c93464d5e9c (patch) | |
| tree | dbc3d000567ecded7aeb80fa6eba2d5ea0ffd1fd /source3/smbd | |
| parent | 7bbdc00545ded27f10e87c5b90345bd96d09dfd2 (diff) | |
| parent | 414ab2ce46dd62d0119f03eca93783bc489af896 (diff) | |
| download | samba-8a33035038d176ca3065daf2ff4f1c93464d5e9c.tar.gz samba-8a33035038d176ca3065daf2ff4f1c93464d5e9c.tar.bz2 samba-8a33035038d176ca3065daf2ff4f1c93464d5e9c.zip | |
Merge branch 'v3-2-test' of git://git.samba.org/samba into v3-2-test
(This used to be commit 95de80218c10a72c7b28541c3c2e475e083b68f1)
Diffstat (limited to 'source3/smbd')
| -rw-r--r-- | source3/smbd/reply.c | 20 |
1 files changed, 12 insertions, 8 deletions
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index d2aa6c6929..84c1892560 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -3912,7 +3912,6 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req) unsigned int smb_doff; unsigned int smblen; char *data; - bool large_writeX; NTSTATUS status; START_PROFILE(SMBwriteX); @@ -3926,11 +3925,11 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req) numtowrite = SVAL(req->inbuf,smb_vwv10); smb_doff = SVAL(req->inbuf,smb_vwv11); smblen = smb_len(req->inbuf); - large_writeX = ((req->wct == 14) && (smblen > 0xFFFF)); - /* Deal with possible LARGE_WRITEX */ - if (large_writeX) { - numtowrite |= ((((size_t)SVAL(req->inbuf,smb_vwv9)) & 1 )<<16); + if (req->unread_bytes > 0xFFFF || + (smblen > smb_doff && + smblen - smb_doff > 0xFFFF)) { + numtowrite |= (((size_t)SVAL(req->inbuf,smb_vwv9))<<16); } if (req->unread_bytes) { @@ -3940,7 +3939,8 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req) return; } } else { - if (smb_doff > smblen || smb_doff + numtowrite > smblen) { + if (smb_doff > smblen || smb_doff + numtowrite < numtowrite || + smb_doff + numtowrite > smblen) { reply_doserror(req, ERRDOS, ERRbadmem); END_PROFILE(SMBwriteX); return; @@ -3949,6 +3949,11 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req) /* If it's an IPC, pass off the pipe handler. */ if (IS_IPC(conn)) { + if (req->unread_bytes) { + reply_doserror(req, ERRDOS, ERRbadmem); + END_PROFILE(SMBwriteX); + return; + } reply_pipe_write_and_X(req); END_PROFILE(SMBwriteX); return; @@ -4031,8 +4036,7 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req) reply_outbuf(req, 6, 0); SSVAL(req->outbuf,smb_vwv2,nwritten); - if (large_writeX) - SSVAL(req->outbuf,smb_vwv4,(nwritten>>16)&1); + SSVAL(req->outbuf,smb_vwv4,nwritten>>16); if (nwritten < (ssize_t)numtowrite) { SCVAL(req->outbuf,smb_rcls,ERRHRD); |