author | Luke Leighton <lkcl@samba.org> | 1998-10-20 18:27:49 +0000 |
---|---|---|
committer | Luke Leighton <lkcl@samba.org> | 1998-10-20 18:27:49 +0000 |
commit | 1ebeb54932de01323356e8201d465656b8723d46 (patch) | |
tree | da41300fe2d31576f3efc0041739626b618fbb66 /source3/smbd | |
parent | 476d0fd23682452d0d9f56ff2e166243d74cfdbc (diff) | |
some quite important bug-fixes i missed because i transferred the wrong
smb.tgz file from my portable.
particularly the call to mem_data followed by a realloc of that data in
cli_pipe.c's rpc_read() function.
smbd responses now use p->rdata_i which is a faked-up pointer into
p->rdata's response data. rdata can be very long; rdata_i is limited
to point to no more than max_tsize - 0x18 in length. this will make
it an almost trivial task to add the encrypted rpc headers after
rdata_i, and mem_buf_copy will cope admirably with rhdr chained to
rdata_i chained to auth_verifier etc etc...
(This used to be commit 05a297e3a98c14360782af4ad0d851638fb5da9a)
Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/ipc.c | 27 |
1 files changed, 8 insertions, 19 deletions
diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c index 2b8b8698db..3e697a59ce 100644 --- a/source3/smbd/ipc.c +++ b/source3/smbd/ipc.c @@ -3101,6 +3101,7 @@ static void api_rpc_trans_reply(char *outbuf, /* all of data was sent: no need to wait for SMBreadX calls */ mem_free_data(p->rhdr .data); mem_free_data(p->rdata.data); + mem_free_data(p->rdata_i.data); } } @@ -3190,20 +3191,12 @@ static int api_fd_reply(connection_struct *conn,uint16 vuid,char *outbuf, int subcommand; pipes_struct *p = NULL; prs_struct pd; - struct mem_buf data_buf; DEBUG(5,("api_fd_reply\n")); - /* fake up a data buffer from the api_fd_reply data parameters */ - mem_create(&data_buf, data, tdscnt, 0, False); - data_buf.offset.start = 0; - data_buf.offset.end = tdscnt; - - /* fake up a parsing structure */ - pd.data = &data_buf; - pd.align = 4; - pd.io = True; - pd.offset = 0; + /* make a static data parsing structure from the api_fd_reply data */ + prs_init(&pd, 0, 4, True, 0); + mem_create(pd.data, data, 0, tdscnt, 0, False); /* First find out the name of this file. */ if (suwcnt != 2) @@ -3259,6 +3252,8 @@ static int api_fd_reply(connection_struct *conn,uint16 vuid,char *outbuf, DEBUG(1,("api_fd_reply: INVALID PIPE HANDLE: %x\n", pnum)); } + mem_free_data(pd.data); + if (!reply) { return api_no_reply(outbuf, mdrcnt); @@ -3410,14 +3405,8 @@ static int api_reply(connection_struct *conn,uint16 vuid,char *outbuf,char *data &rdata,&rparam,&rdata_len,&rparam_len); - mem_create(&rdata_buf , rdata , rdata_len , 0, False); - mem_create(&rparam_buf, rparam, rparam_len, 0, False); - - rdata_buf.offset.start = 0; - rdata_buf.offset.end = rdata_len; - - rparam_buf.offset.start = 0; - rparam_buf.offset.end = rparam_len; + mem_create(&rdata_buf , rdata , 0, rdata_len , 0, False); + mem_create(&rparam_buf, rparam, 0, rparam_len, 0, False); /* now send the reply */ send_trans_reply(outbuf, &rdata_buf, &rparam_buf, NULL, 0, 0); |
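Review bot: The added `mem_free_data(p->rdata_i.data);` in api_rpc_trans_reply runs directly after `mem_free_data(p->rdata.data);`, yet the commit message describes rdata_i as a faked-up pointer into p->rdata's response data. Unless rdata_i is built as a non-owning view and mem_free_data leaves the underlying bytes alone for such buffers (neither is visible in this hunk), this is a double free or a free of an interior pointer. Releasing the view before its backing store, and, if it holds, recording the ownership with a comment such as `/* rdata_i is a window into rdata and owns no storage of its own */`, would make the lifetime checkable at this call site. The function body starts outside the hunk, so the branch where not all data was sent could not be checked for the same pairing.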
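Review bot: In api_fd_reply the outcome of `prs_init(&pd, 0, 4, True, 0);` is not checked before `pd.data` is passed to mem_create on the next line. The removed code pointed pd.data at a stack `struct mem_buf`, so the new code appears to rely on prs_init allocating that structure; if that allocation can fail, mem_create is handed a null or unset pointer while setting up the parse of client-supplied transaction data. The wrapped buffer is the request's `data` with length `tdscnt`, so the comment above the call should say that pd only borrows `data`, and whether `tdscnt` has already been checked against the bytes actually received. The bare positional arguments `0, tdscnt, 0, False` would also benefit from a word on which is the start offset and which is the length, and the same applies to the two mem_create calls changed in api_reply. The function continues outside the hunk.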
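Review bot: The single `mem_free_data(pd.data);` added before `if (!reply)` covers only the path that falls through to that point. Any return between the prs_init call and here would skip it and leak whatever prs_init allocated; the `if (suwcnt != 2)` check at the end of the previous hunk looks like such an exit, though its body is outside the diff. Because pd.data wraps the caller's `data` buffer, it is also worth confirming that mem_free_data leaves storage created with `False` untouched, otherwise this call frees memory the caller still owns. Routing every exit of api_fd_reply through one cleanup label that performs the free would close the gap.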