summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorVolker Lendecke <vlendec@samba.org>2007-08-07 13:12:46 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:29:23 -0500
commitbb9664302b354c46041f58549d5adf0a241eb6c1 (patch)
tree3d9471f72feb25b6573662475be8b9a64faf9831 /source3
parent456305325ce0d5d7562e0596ead983009de76143 (diff)
downloadsamba-bb9664302b354c46041f58549d5adf0a241eb6c1.tar.gz
samba-bb9664302b354c46041f58549d5adf0a241eb6c1.tar.bz2
samba-bb9664302b354c46041f58549d5adf0a241eb6c1.zip
r24269: Check wct in reply_write_and_X
(This used to be commit 1297fac11778cb910d1bcd12b6d9d3a6269972db)
Diffstat (limited to 'source3')
-rw-r--r--source3/smbd/reply.c29
1 files changed, 21 insertions, 8 deletions
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 2b54c636a5..8007a769ec 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3273,18 +3273,31 @@ int reply_write(connection_struct *conn, char *inbuf,char *outbuf,int size,int d
int reply_write_and_X(connection_struct *conn, char *inbuf,char *outbuf,int length,int bufsize)
{
- files_struct *fsp = file_fsp(SVAL(inbuf,smb_vwv2));
- SMB_OFF_T startpos = IVAL_TO_SMB_OFF_T(inbuf,smb_vwv3);
- size_t numtowrite = SVAL(inbuf,smb_vwv10);
- BOOL write_through = BITSETW(inbuf+smb_vwv7,0);
- ssize_t nwritten = -1;
- unsigned int smb_doff = SVAL(inbuf,smb_vwv11);
- unsigned int smblen = smb_len(inbuf);
+ files_struct *fsp;
+ SMB_OFF_T startpos;
+ size_t numtowrite;
+ BOOL write_through;
+ ssize_t nwritten;
+ unsigned int smb_doff;
+ unsigned int smblen;
char *data;
- BOOL large_writeX = ((CVAL(inbuf,smb_wct) == 14) && (smblen > 0xFFFF));
+ BOOL large_writeX;
NTSTATUS status;
+
START_PROFILE(SMBwriteX);
+ if ((CVAL(inbuf, smb_wct) != 12) && (CVAL(inbuf, smb_wct) != 14)) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ fsp = file_fsp(SVAL(inbuf,smb_vwv2));
+ startpos = IVAL_TO_SMB_OFF_T(inbuf,smb_vwv3);
+ numtowrite = SVAL(inbuf,smb_vwv10);
+ write_through = BITSETW(inbuf+smb_vwv7,0);
+ smb_doff = SVAL(inbuf,smb_vwv11);
+ smblen = smb_len(inbuf);
+ large_writeX = ((CVAL(inbuf,smb_wct) == 14) && (smblen > 0xFFFF));
+
/* If it's an IPC, pass off the pipe handler. */
if (IS_IPC(conn)) {
END_PROFILE(SMBwriteX);