authorLuke Leighton <lkcl@samba.org>1998-10-20 18:27:49 +0000
committerLuke Leighton <lkcl@samba.org>1998-10-20 18:27:49 +0000
commit1ebeb54932de01323356e8201d465656b8723d46 (patch)
treeda41300fe2d31576f3efc0041739626b618fbb66 /source3/smbd
parent476d0fd23682452d0d9f56ff2e166243d74cfdbc (diff)
some quite important bug-fixes i missed because i transferred the wrong
smb.tgz file from my portable. particularly the call to mem_data followed by a realloc of that data in cli_pipe.c's rpc_read() function. smbd responses now use p->rdata_i which is a faked-up pointer into p->rdata's response data. rdata can be very long; rdata_i is limited to point to no more than max_tsize - 0x18 in length. this will make it an almost trivial task to add the encrypted rpc headers after rdata_i, and mem_buf_copy will cope admirably with rhdr chained to rdata_i chained to auth_verifier etc etc... (This used to be commit 05a297e3a98c14360782af4ad0d851638fb5da9a)
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/ipc.c27
1 files changed, 8 insertions, 19 deletions
diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c
index 2b8b8698db..3e697a59ce 100644
--- a/source3/smbd/ipc.c
+++ b/source3/smbd/ipc.c
@@ -3101,6 +3101,7 @@ static void api_rpc_trans_reply(char *outbuf,
/* all of data was sent: no need to wait for SMBreadX calls */
mem_free_data(p->rhdr .data);
mem_free_data(p->rdata.data);
+ mem_free_data(p->rdata_i.data);
}
}
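Review bot: Releasing p->rdata_i.data immediately after p->rdata.data is only safe if rdata_i was created as a non-owning view, since the commit description says rdata_i is a faked-up pointer into rdata's response data; if both mem_bufs ever own the same block this becomes a double free. The trailing `False` this commit passes to mem_create() elsewhere looks like that ownership flag, but whether rdata_i is built with it is not visible here, so it is worth pinning on the new line: `/* rdata_i aliases rdata's buffer: it must stay non-owning so this does not free the block twice */`. The enclosing api_rpc_trans_reply() starts outside the hunk.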
@@ -3190,20 +3191,12 @@ static int api_fd_reply(connection_struct *conn,uint16 vuid,char *outbuf,
int subcommand;
pipes_struct *p = NULL;
prs_struct pd;
- struct mem_buf data_buf;
DEBUG(5,("api_fd_reply\n"));
- /* fake up a data buffer from the api_fd_reply data parameters */
- mem_create(&data_buf, data, tdscnt, 0, False);
- data_buf.offset.start = 0;
- data_buf.offset.end = tdscnt;
-
- /* fake up a parsing structure */
- pd.data = &data_buf;
- pd.align = 4;
- pd.io = True;
- pd.offset = 0;
+ /* make a static data parsing structure from the api_fd_reply data */
+ prs_init(&pd, 0, 4, True, 0);
+ mem_create(pd.data, data, 0, tdscnt, 0, False);
/* First find out the name of this file. */
if (suwcnt != 2)
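Review bot: The buffer set up by `prs_init(&pd, 0, 4, True, 0)` and `mem_create(pd.data, data, 0, tdscnt, 0, False)` is released by `mem_free_data(pd.data)` only in the later hunk of api_fd_reply, so any early return between the two — the `if (suwcnt != 2)` check right here looks like one — leaves it unreleased, whereas the old stack-allocated data_buf needed no cleanup. Routing those exits through the release, or a single cleanup label before the `if (!reply)` test, would close that. prs_init()'s result is also not checked before pd.data is dereferenced; if it can fail to allocate, mem_create() is handed a null pointer. Whether mem_free_data() frees the mem_buf struct that pd.data points to or only the data it wraps cannot be seen here; if prs_init() allocates that struct, it needs its own release. api_fd_reply() starts outside the hunk.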
@@ -3259,6 +3252,8 @@ static int api_fd_reply(connection_struct *conn,uint16 vuid,char *outbuf,
DEBUG(1,("api_fd_reply: INVALID PIPE HANDLE: %x\n", pnum));
}
+ mem_free_data(pd.data);
+
if (!reply)
{
return api_no_reply(outbuf, mdrcnt);
@@ -3410,14 +3405,8 @@ static int api_reply(connection_struct *conn,uint16 vuid,char *outbuf,char *data
&rdata,&rparam,&rdata_len,&rparam_len);
- mem_create(&rdata_buf , rdata , rdata_len , 0, False);
- mem_create(&rparam_buf, rparam, rparam_len, 0, False);
-
- rdata_buf.offset.start = 0;
- rdata_buf.offset.end = rdata_len;
-
- rparam_buf.offset.start = 0;
- rparam_buf.offset.end = rparam_len;
+ mem_create(&rdata_buf , rdata , 0, rdata_len , 0, False);
+ mem_create(&rparam_buf, rparam, 0, rparam_len, 0, False);
/* now send the reply */
send_trans_reply(outbuf, &rdata_buf, &rparam_buf, NULL, 0, 0);