authorJeremy Allison <jra@samba.org>2007-03-07 01:28:19 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:18:26 -0500
commit235b0f97f280cd0b3d7941969cf154a89fd53775 (patch)
treecc8d73805fc58818bee947abd1f68ba298f08444 /source3/smbd
parentcda247e9d44f42115929411de3f810ae859134a0 (diff)
downloadsamba-235b0f97f280cd0b3d7941969cf154a89fd53775.tar.gz
samba-235b0f97f280cd0b3d7941969cf154a89fd53775.tar.bz2
samba-235b0f97f280cd0b3d7941969cf154a89fd53775.zip
r21731: Fix long-standing bug in our chain processing code.
Should fix a bug with WinPE. Probably a candidate for the Vista patchset. Jeremy. (This used to be commit ef32de6b59fef3e9f59e6f864ce5eb072390ea48)
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/process.c23
1 files changed, 20 insertions, 3 deletions
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index a0e14d8445..dbac553aea 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1148,6 +1148,7 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
char *inbuf2, *outbuf2;
int outsize2;
+ int new_size;
char inbuf_saved[smb_wct];
char outbuf_saved[smb_wct];
int outsize = smb_len(outbuf) + 4;
@@ -1198,6 +1199,20 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
/* create the in buffer */
SCVAL(inbuf2,smb_com,smb_com2);
+ /* work out the new size for the in buffer. */
+ new_size = size - (inbuf2 - inbuf);
+ if (new_size < 0) {
+ DEBUG(0,("chain_reply: chain packet size incorrect (orig size = %d, "
+ "offset = %d)\n",
+ size,
+ (inbuf2 - inbuf) ));
+ exit_server_cleanly("Bad chained packet");
+ return(-1);
+ }
+
+ /* And set it in the header. */
+ smb_setlen(inbuf2, new_size);
+
/* create the out buffer */
construct_reply_common(inbuf2, outbuf2);
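Review bot: The new guard `if (new_size < 0)` only rejects a chain offset that lies past the end of the packet; a remainder of zero or a few bytes still passes, and `smb_setlen(inbuf2, new_size)` then labels something shorter than an SMB header as a well-formed request before `switch_message` dispatches on it. Tightening the check to the fixed header length, e.g. `if (new_size < smb_size) {`, would reject a truncated chained request on the same error path, assuming the per-command handlers expect at least a complete header to be present — that assumption is outside this hunk. The `DEBUG` call also formats `(inbuf2 - inbuf)`, a pointer difference (`ptrdiff_t`), with `%d`; casting it, `(int)(inbuf2 - inbuf)`, keeps the argument consistent with the format string on 64-bit builds. chain_reply begins and ends outside this hunk.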
@@ -1205,7 +1220,7 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
show_msg(inbuf2);
/* process the request */
- outsize2 = switch_message(smb_com2,inbuf2,outbuf2,size-chain_size,
+ outsize2 = switch_message(smb_com2,inbuf2,outbuf2,new_size,
bufsize-chain_size);
/* copy the new reply and request headers over the old ones, but
@@ -1219,8 +1234,10 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
{
int ofs = smb_wct - PTR_DIFF(outbuf2,orig_outbuf);
- if (ofs < 0) ofs = 0;
- memmove(outbuf2+ofs,outbuf_saved+ofs,smb_wct-ofs);
+ if (ofs < 0) {
+ ofs = 0;
+ }
+ memmove(outbuf2+ofs,outbuf_saved+ofs,smb_wct-ofs);
}
return outsize2;