authorVolker Lendecke <vlendec@samba.org>2007-08-11 14:37:39 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:29:29 -0500
commit26f6826dfc996fe4d170dc7bc5ef2a728c9ddcaf (patch)
tree4418121cc0ccf6a64d759aad0fc5a6bc8a5d09a9 /source3/smbd
parentbf47a89c98aaf05d083e67bc02dc8efd3827c9cc (diff)
downloadsamba-26f6826dfc996fe4d170dc7bc5ef2a728c9ddcaf.tar.gz
samba-26f6826dfc996fe4d170dc7bc5ef2a728c9ddcaf.tar.bz2
samba-26f6826dfc996fe4d170dc7bc5ef2a728c9ddcaf.zip
r24327: First round of fixes to chain_reply
The argument to smb_setlen does not contain the nbt header of 4 bytes. The chained function might allocate outbuf itself (as now happens with reply_read_and_X). This would erroneously overwrite the caller's outbuf. Give it an outbuf pointer of its own (This used to be commit f923bba90866af14b32c0d0ab58acc00a5939fbb)
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/process.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 2946eb878f..9624ca0e49 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1355,6 +1355,7 @@ int chain_reply(char *inbuf,char **poutbuf,int size,int bufsize)
int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0);
unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
char *inbuf2;
+ char *outbuf2 = NULL;
int outsize2;
int new_size;
char inbuf_saved[smb_wct];
@@ -1435,7 +1436,7 @@ int chain_reply(char *inbuf,char **poutbuf,int size,int bufsize)
}
/* And set it in the header. */
- smb_setlen(inbuf, inbuf2, new_size);
+ smb_setlen(inbuf, inbuf2, new_size - 4);
DEBUG(3,("Chained message\n"));
show_msg(inbuf2);
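Review bot: The bare `- 4` on the smb_setlen line encodes a contract the code does not state — that smb_setlen's length argument excludes the 4-byte NBT header — and a reader of the line alone will take it for an off-by-four. Add a comment above the call, `/* smb_setlen() takes the SMB length without the 4-byte NBT header */`. Since new_size presumably still includes the header, it should be at least 4 at this point; confirm that where new_size is computed, which lies outside this hunk.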
@@ -1446,7 +1447,7 @@ int chain_reply(char *inbuf,char **poutbuf,int size,int bufsize)
init_smb_request(req, (uint8 *)inbuf2);
/* process the request */
- outsize2 = switch_message(smb_com2, req, &outbuf, new_size,
+ outsize2 = switch_message(smb_com2, req, &outbuf2, new_size,
bufsize-chain_size);
/*
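Review bot: After the switch_message call nothing in this hunk checks that outbuf2 was actually populated, yet outbuf2 starts out as NULL (first hunk) and the memmove in the last hunk reads from `outbuf2 + smb_wct`; if the chained handler fails without allocating a buffer, that is pointer arithmetic on NULL. The lines between this hunk and the memmove are not shown, so if that range already bails out on `outsize2 < 0` this is covered; otherwise guard the consumer with `if (outsize2 < 0 || outbuf2 == NULL) { /* take the existing error path */ }`. Separately, when the chained function allocates outbuf2 as the description says, nothing in the visible hunks releases it once its data has been copied into outbuf; confirm that the remainder of chain_reply frees it (for example `TALLOC_FREE(outbuf2);` after the memmove), or every chained request leaks a reply buffer. chain_reply's body continues past the last hunk.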
@@ -1495,7 +1496,7 @@ int chain_reply(char *inbuf,char **poutbuf,int size,int bufsize)
*poutbuf = outbuf;
- memmove(outbuf + smb_wct + ofs, outbuf + smb_wct, to_move);
+ memmove(outbuf + smb_wct + ofs, outbuf2 + smb_wct, to_move);
memcpy(outbuf + smb_wct, caller_output, caller_outputlen);
/*