diff options
author | Jeremy Allison <jra@samba.org> | 2010-02-09 15:14:38 -0800 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2010-02-09 15:14:38 -0800 |
commit | 8ddc977c1421a47bedba8d5494f7ae67692b772a (patch) | |
tree | daa47c43fbbbe65cb8d2d3a77b61e4652ca498d3 /source3/smbd | |
parent | a056eb85ff8cabc05970c789abba890d914e7ecb (diff) | |
download | samba-8ddc977c1421a47bedba8d5494f7ae67692b772a.tar.gz samba-8ddc977c1421a47bedba8d5494f7ae67692b772a.tar.bz2 samba-8ddc977c1421a47bedba8d5494f7ae67692b772a.zip |
Fix bug #7122 - Reading a large browselist fails (server returns invalid values in subsequent SMBtrans replies)
There are two problems:
1). The server is off-by-one in the end of buffer space test.
2). The server returns 0 in the totaldata (smb_vwv1) and totalparams (smb_vwv0)
fields in the second and subsequent SMBtrans replies.
This patch fixes both.
Jeremy.
Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/ipc.c | 3 | ||||
-rw-r--r-- | source3/smbd/lanman.c | 6 |
2 files changed, 6 insertions, 3 deletions
diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c index 12d4922844..97b338a536 100644 --- a/source3/smbd/ipc.c +++ b/source3/smbd/ipc.c @@ -173,6 +173,9 @@ void send_trans_reply(connection_struct *conn, rparam, tot_param_sent, this_lparam, rdata, tot_data_sent, this_ldata); + SSVAL(req->outbuf,smb_vwv0,lparam); + SSVAL(req->outbuf,smb_vwv1,ldata); + SSVAL(req->outbuf,smb_vwv3,this_lparam); SSVAL(req->outbuf,smb_vwv4, smb_offset(smb_buf(req->outbuf)+1,req->outbuf)); diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c index eed0cd2fe6..4df1cea8d1 100644 --- a/source3/smbd/lanman.c +++ b/source3/smbd/lanman.c @@ -1457,7 +1457,7 @@ static bool api_RNetServerEnum2(connection_struct *conn, uint16 vuid, DEBUG(4,("fill_srv_info[%d] %20s %8x %25s %15s\n", i, s->name, s->type, s->comment, s->domain)); - if (data_len <= buf_len) { + if (data_len < buf_len) { counted++; fixed_len += f_len; string_len += s_len; @@ -1663,7 +1663,7 @@ static bool api_RNetServerEnum3(connection_struct *conn, uint16 vuid, DEBUG(4,("fill_srv_info[%d] %20s %8x %25s %15s\n", i, s->name, s->type, s->comment, s->domain)); - if (data_len <= buf_len) { + if (data_len < buf_len) { counted++; fixed_len += f_len; string_len += s_len; @@ -2030,7 +2030,7 @@ static bool api_RNetShareEnum( connection_struct *conn, uint16 vuid, if( lp_browseable( i ) && lp_snum_ok( i ) && (strlen(servicename_dos) < 13)) { total++; data_len += fill_share_info(conn,i,uLevel,0,&f_len,0,&s_len,0); - if (data_len <= buf_len) { + if (data_len < buf_len) { counted++; fixed_len += f_len; string_len += s_len; |