-rw-r--r--source3/smbd/smb2_find.c6
-rw-r--r--source3/smbd/trans2.c10
2 files changed, 15 insertions, 1 deletions
diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c
index 66be7562e8..6690adcb93 100644
--- a/source3/smbd/smb2_find.c
+++ b/source3/smbd/smb2_find.c
@@ -373,7 +373,11 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
state->out_output_buffer.length = 0;
pdata = (char *)state->out_output_buffer.data;
base_data = pdata;
- end_data = pdata + in_output_buffer_length;
+ /*
+ * end_data must include the safety margin as it's what is
+ * used to determine if pushed strings have been truncated.
+ */
+ end_data = pdata + in_output_buffer_length + DIR_ENTRY_SAFETY_MARGIN - 1;
last_entry_off = 0;
off = 0;
num = 0;
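Review bot: The new `end_data` points `DIR_ENTRY_SAFETY_MARGIN - 1` bytes past the client-requested length, which is only in bounds if `state->out_output_buffer.data` was allocated with at least `in_output_buffer_length + DIR_ENTRY_SAFETY_MARGIN` bytes; that allocation is outside this hunk and should be confirmed. The added comment explains why the margin is included but not what keeps the pointer inside the buffer. Once verified, I would extend it with a line such as `* The buffer is allocated with in_output_buffer_length + DIR_ENTRY_SAFETY_MARGIN bytes, so this stays in bounds.`, or derive both the allocation size and `end_data` from one local so the two cannot drift apart. smbd_smb2_find_send starts and ends outside the hunk.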
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 5d51a7fb90..3fa737f4b7 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -1523,6 +1523,16 @@ static bool smbd_marshall_dir_entry(TALLOC_CTX *ctx,
off = (int)PTR_DIFF(pdata, base_data);
pad = (off + (align-1)) & ~(align-1);
pad -= off;
+
+ if (pad && pad > space_remaining) {
+ *out_of_space = true;
+ DEBUG(9,("smbd_marshall_dir_entry: out of space "
+ "for padding (wanted %u, had %d)\n",
+ (unsigned int)pad,
+ space_remaining ));
+ return false; /* Not finished - just out of space */
+ }
+
off += pad;
/* initialize padding to 0 */
if (pad) {
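Review bot: The guard `pad > space_remaining` is only reliable if both operands are signed; the DEBUG call prints `pad` with `%u` through a cast and `space_remaining` with `%d`, and neither declaration is in the hunk. If `pad` were unsigned, a negative `space_remaining` would be converted to a large unsigned value and the check would pass, so the padding initialisation that follows could run past the buffer. Assuming `space_remaining` is an `int`, writing the condition as `if (pad && (space_remaining < 0 || pad > space_remaining)) {` removes the dependence on the declared types. It is also worth confirming that `space_remaining` is reduced by `pad` once the padding has been written, since that code lies outside the hunk along with the rest of smbd_marshall_dir_entry.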