diff options
| author | Volker Lendecke <vl@samba.org> | 2009-01-25 12:22:20 +0100 |
|---|---|---|
| committer | Volker Lendecke <vl@samba.org> | 2009-01-25 12:18:34 +0100 |
| commit | c0fea1f0f791f0b2a161f5c89fd532ce2270c240 (patch) | |
| tree | 56e3d1fc817854a88b077edefc1290a5319b314f /source3/smbd | |
| parent | 5baac15781779a3ebfa3807299e5329809835370 (diff) | |
| download | samba-c0fea1f0f791f0b2a161f5c89fd532ce2270c240.tar.gz samba-c0fea1f0f791f0b2a161f5c89fd532ce2270c240.tar.bz2 samba-c0fea1f0f791f0b2a161f5c89fd532ce2270c240.zip | |
Fix chain_reply for pipe reads
The caller might have over-allocated reply->outbuf. Deal with that.
Sorry, Günther, for giving you so much pain ...
Volker
Diffstat (limited to 'source3/smbd')
| -rw-r--r-- | source3/smbd/process.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/source3/smbd/process.c b/source3/smbd/process.c index dc038b6b95..a025bb4197 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c @@ -1640,8 +1640,18 @@ void chain_reply(struct smb_request *req) /* * In req->chain_outbuf we collect all the replies. Start the * chain by copying in the first reply. + * + * We do the realloc because later on we depend on + * talloc_get_size to determine the length of + * chain_outbuf. The reply_xxx routines might have + * over-allocated (reply_pipe_read_and_X used to be such an + * example). */ - req->chain_outbuf = req->outbuf; + req->chain_outbuf = TALLOC_REALLOC_ARRAY( + req, req->outbuf, uint8_t, smb_len(req->outbuf) + 4); + if (req->chain_outbuf == NULL) { + goto error; + } req->outbuf = NULL; } else { if (!smb_splice_chain(&req->chain_outbuf, |