diff options
| -rw-r--r-- | source3/smbd/process.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/source3/smbd/process.c b/source3/smbd/process.c index a1d2d88b3d..332a2e4da3 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c @@ -1653,6 +1653,7 @@ void chain_reply(struct smb_request *req) char *outbuf = (char *)req->outbuf; size_t outsize = smb_len(outbuf) + 4; size_t outsize_padded; + size_t padding; size_t ofs, to_move; struct smb_request *req2; @@ -1691,6 +1692,7 @@ void chain_reply(struct smb_request *req) */ outsize_padded = (outsize + 3) & ~3; + padding = outsize_padded - outsize; /* * remember how much the caller added to the chain, only counting @@ -1804,17 +1806,17 @@ void chain_reply(struct smb_request *req) SCVAL(outbuf, smb_vwv0, smb_com2); SSVAL(outbuf, smb_vwv1, chain_size + smb_wct - 4); - if (outsize_padded > outsize) { + if (padding != 0) { /* * Due to padding we have some uninitialized bytes after the * caller's output */ - memset(outbuf + outsize, 0, outsize_padded - outsize); + memset(outbuf + outsize, 0, padding); } - smb_setlen(outbuf, outsize2 + chain_size - 4); + smb_setlen(outbuf, outsize2 + caller_outputlen + padding - 4); /* * restore the saved data, being careful not to overwrite any data |