summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2008-05-28 16:58:34 +1000
committerAndrew Tridgell <tridge@samba.org>2008-05-28 16:58:34 +1000
commit0be9746e1fc47aff93c1d77d256f4fb7942529d6 (patch)
tree1945ef3e4fafd3d07afc1aa617ec8d3ed5488e0e /source4
parent082272e49d3cb8022a43fff5bfbcdf79adb5a44f (diff)
downloadsamba-0be9746e1fc47aff93c1d77d256f4fb7942529d6.tar.gz
samba-0be9746e1fc47aff93c1d77d256f4fb7942529d6.tar.bz2
samba-0be9746e1fc47aff93c1d77d256f4fb7942529d6.zip
ensure we don't change the incoming blobs in a SMB2 create
(This used to be commit a6cc89fffe8c149b540f2125cea57f31331d5460)
Diffstat (limited to 'source4')
-rw-r--r--source4/libcli/smb2/create.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/source4/libcli/smb2/create.c b/source4/libcli/smb2/create.c
index b976b528f1..bff0a1587d 100644
--- a/source4/libcli/smb2/create.c
+++ b/source4/libcli/smb2/create.c
@@ -59,6 +59,7 @@ NTSTATUS smb2_create_blob_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB buffer,
next > remaining ||
name_offset < 16 ||
name_offset > remaining ||
+ name_length != 4 || /* windows enforces this */
name_offset + name_length > remaining ||
data_offset < name_offset + name_length ||
data_offset > remaining ||
@@ -190,7 +191,10 @@ struct smb2_request *smb2_create_send(struct smb2_tree *tree, struct smb2_create
struct smb2_request *req;
NTSTATUS status;
DATA_BLOB blob;
- struct smb2_create_blobs blobs = io->in.blobs;
+ struct smb2_create_blobs blobs;
+ int i;
+
+ ZERO_STRUCT(blobs);
req = smb2_request_init_tree(tree, SMB2_OP_CREATE, 0x38, true, 0);
if (req == NULL) return NULL;
@@ -309,6 +313,17 @@ struct smb2_request *smb2_create_send(struct smb2_tree *tree, struct smb2_create
}
/* and any custom blobs */
+ for (i=0;i<io->in.blobs.num_blobs;i++) {
+ status = smb2_create_blob_add(req, &blobs,
+ io->in.blobs.blobs[i].tag,
+ io->in.blobs.blobs[i].data);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(req);
+ return NULL;
+ }
+ }
+
+
status = smb2_create_blob_push(req, &blob, blobs);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(req);