summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2007-07-09 00:48:07 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:23:52 -0500
commit59590a1c4dc9bebc0e3a4ff6b0db9beb6ea81fef (patch)
treed84ccc3d49a4b82fb06d96267a4f58992c361c89 /source3
parent052ddc9cd0c1141104477ebd6c69320485b6315a (diff)
downloadsamba-59590a1c4dc9bebc0e3a4ff6b0db9beb6ea81fef.tar.gz
samba-59590a1c4dc9bebc0e3a4ff6b0db9beb6ea81fef.tar.bz2
samba-59590a1c4dc9bebc0e3a4ff6b0db9beb6ea81fef.zip
r23752: Fix bug introduced by checkin 22920, allow large
readX. Fix from Dmitry Shatrov <dhsatrov@linux.vnet.ibm.com>. "In send_file_readX(), if startpos > sbuf.st_size, then smb_maxcnt is set to an invalid large value due to integer overflow. As for me, this resulted in MS Word hanging while trying to save a 1.5Mb document." This isn't in shipping code. Jeremy. (This used to be commit af715c602a8ef6038e6272c7cc6a08501617ae67)
Diffstat (limited to 'source3')
-rw-r--r--source3/smbd/reply.c4
1 files changed, 1 insertions, 3 deletions
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 6e41de4ec9..b17fa1949b 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -2590,9 +2590,7 @@ int send_file_readX(connection_struct *conn, char *inbuf,char *outbuf,int length
if (startpos > sbuf.st_size) {
smb_maxcnt = 0;
- }
-
- if (smb_maxcnt > (sbuf.st_size - startpos)) {
+ } else if (smb_maxcnt > (sbuf.st_size - startpos)) {
smb_maxcnt = (sbuf.st_size - startpos);
}