summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2010-05-13 15:59:09 -0700
committerJeremy Allison <jra@samba.org>2010-05-13 15:59:09 -0700
commit056f24ce24ab395cb6fff15cb068c8d8b1affef9 (patch)
tree3020747e6654c811bf69de63f2add4d9e7caa705 /source3
parent49c8c130a0d08be7c869b9a63b5a37488003eac2 (diff)
downloadsamba-056f24ce24ab395cb6fff15cb068c8d8b1affef9.tar.gz
samba-056f24ce24ab395cb6fff15cb068c8d8b1affef9.tar.bz2
samba-056f24ce24ab395cb6fff15cb068c8d8b1affef9.zip
Fix bug 7399 - SMB2: QUERY_DIRECTORY is returning invalid values.
The end_data argument to smbd_dirptr_lanman2_entry() must include the safety margin, as internally it's actually used to allow detection of string name pushes that were truncated. Ensure space_remaining can never go negative due to padding. Jeremy.
Diffstat (limited to 'source3')
-rw-r--r--source3/smbd/smb2_find.c6
-rw-r--r--source3/smbd/trans2.c10
2 files changed, 15 insertions, 1 deletions
diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c
index 66be7562e8..6690adcb93 100644
--- a/source3/smbd/smb2_find.c
+++ b/source3/smbd/smb2_find.c
@@ -373,7 +373,11 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
state->out_output_buffer.length = 0;
pdata = (char *)state->out_output_buffer.data;
base_data = pdata;
- end_data = pdata + in_output_buffer_length;
+ /*
+ * end_data must include the safety margin as it's what is
+ * used to determine if pushed strings have been truncated.
+ */
+ end_data = pdata + in_output_buffer_length + DIR_ENTRY_SAFETY_MARGIN - 1;
last_entry_off = 0;
off = 0;
num = 0;
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 5d51a7fb90..3fa737f4b7 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -1523,6 +1523,16 @@ static bool smbd_marshall_dir_entry(TALLOC_CTX *ctx,
off = (int)PTR_DIFF(pdata, base_data);
pad = (off + (align-1)) & ~(align-1);
pad -= off;
+
+ if (pad && pad > space_remaining) {
+ *out_of_space = true;
+ DEBUG(9,("smbd_marshall_dir_entry: out of space "
+ "for padding (wanted %u, had %d)\n",
+ (unsigned int)pad,
+ space_remaining ));
+ return false; /* Not finished - just out of space */
+ }
+
off += pad;
/* initialize padding to 0 */
if (pad) {