author | Volker Lendecke <vlendec@samba.org> | 2007-08-07 13:12:46 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:29:23 -0500 |
commit | bb9664302b354c46041f58549d5adf0a241eb6c1 (patch) | |
tree | 3d9471f72feb25b6573662475be8b9a64faf9831 /source3 | |
parent | 456305325ce0d5d7562e0596ead983009de76143 (diff) | |
r24269: Check wct in reply_write_and_X
(This used to be commit 1297fac11778cb910d1bcd12b6d9d3a6269972db)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/smbd/reply.c | 29 |
1 files changed, 21 insertions, 8 deletions
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 2b54c636a5..8007a769ec 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3273,18 +3273,31 @@ int reply_write(connection_struct *conn, char *inbuf,char *outbuf,int size,int d

 int reply_write_and_X(connection_struct *conn, char *inbuf,char *outbuf,int length,int bufsize)
 {
- files_struct *fsp = file_fsp(SVAL(inbuf,smb_vwv2));
- SMB_OFF_T startpos = IVAL_TO_SMB_OFF_T(inbuf,smb_vwv3);
- size_t numtowrite = SVAL(inbuf,smb_vwv10);
- BOOL write_through = BITSETW(inbuf+smb_vwv7,0);
- ssize_t nwritten = -1;
- unsigned int smb_doff = SVAL(inbuf,smb_vwv11);
- unsigned int smblen = smb_len(inbuf);
+ files_struct *fsp;
+ SMB_OFF_T startpos;
+ size_t numtowrite;
+ BOOL write_through;
+ ssize_t nwritten;
+ unsigned int smb_doff;
+ unsigned int smblen;
 char *data;
- BOOL large_writeX = ((CVAL(inbuf,smb_wct) == 14) && (smblen > 0xFFFF));
+ BOOL large_writeX;
 NTSTATUS status;
+
 START_PROFILE(SMBwriteX);

+ if ((CVAL(inbuf, smb_wct) != 12) && (CVAL(inbuf, smb_wct) != 14)) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ fsp = file_fsp(SVAL(inbuf,smb_vwv2));
+ startpos = IVAL_TO_SMB_OFF_T(inbuf,smb_vwv3);
+ numtowrite = SVAL(inbuf,smb_vwv10);
+ write_through = BITSETW(inbuf+smb_vwv7,0);
+ smb_doff = SVAL(inbuf,smb_vwv11);
+ smblen = smb_len(inbuf);
+ large_writeX = ((CVAL(inbuf,smb_wct) == 14) && (smblen > 0xFFFF));
+
 /* If it's an IPC, pass off the pipe handler. */
 if (IS_IPC(conn)) {
 END_PROFILE(SMBwriteX);
|
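Review bot: The new early return for an unexpected wct comes after `START_PROFILE(SMBwriteX);` but never calls `END_PROFILE(SMBwriteX);`, whereas the IPC branch directly below does so before returning; the rejection path should read `END_PROFILE(SMBwriteX); return ERROR_NT(NT_STATUS_INVALID_PARAMETER);`. Moving the `smb_vwv*` reads behind the check is the right order, but the check constrains only the word count: `smb_doff` and `numtowrite` remain client-supplied, and whether they are bounded against `smblen` is decided in the part of the function that continues outside this hunk. `nwritten` also loses its `= -1` initialiser, so any later path that reads it before assigning it (not visible here) would see an indeterminate value; keeping `ssize_t nwritten = -1;` costs nothing.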