diff options
-rw-r--r-- | source3/libsmb/clientgen.c | 6 | ||||
-rw-r--r-- | source3/smbd/ipc.c | 26 | ||||
-rw-r--r-- | source3/utils/torture.c | 2 |
3 files changed, 20 insertions, 14 deletions
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c index d454cbdd3c..8aa857df8a 100644 --- a/source3/libsmb/clientgen.c +++ b/source3/libsmb/clientgen.c @@ -432,9 +432,9 @@ BOOL cli_NetWkstaUserLogon(struct cli_state *cli,char *user, char *workstation) pstrcpy(p,user); strupper(p); p += 21; - p++; - p += 15; - p++; + p++; + p += 15; + p++; pstrcpy(p, workstation); strupper(p); p += 16; diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c index c647a5de3e..0c4d0d5bfe 100644 --- a/source3/smbd/ipc.c +++ b/source3/smbd/ipc.c @@ -3348,7 +3348,7 @@ struct static int api_reply(connection_struct *conn,uint16 vuid,char *outbuf,char *data,char *params, int tdscnt,int tpscnt,int mdrcnt,int mprcnt) { - int api_command = SVAL(params,0); + int api_command; struct mem_buf rdata_buf; struct mem_buf rparam_buf; char *rdata = NULL; @@ -3358,8 +3358,14 @@ static int api_reply(connection_struct *conn,uint16 vuid,char *outbuf,char *data BOOL reply=False; int i; + SMB_ASSERT(params != 0); + + api_command = SVAL(params,0); + DEBUG(3,("Got API command %d of form <%s> <%s> (tdscnt=%d,tpscnt=%d,mdrcnt=%d,mprcnt=%d)\n", - api_command,params+2,skip_string(params+2,1), + api_command, + params+2, + skip_string(params+2,1), tdscnt,tpscnt,mdrcnt,mprcnt)); for (i=0;api_commands[i].name;i++) @@ -3448,7 +3454,6 @@ static int named_pipe(connection_struct *conn,uint16 vuid, char *outbuf,char *na int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int bufsize) { fstring name; - char *data=NULL,*params=NULL; uint16 *setup=NULL; int outsize = 0; @@ -3475,17 +3480,17 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int if (tdscnt) { if((data = (char *)malloc(tdscnt)) == NULL) { - DEBUG(0,("reply_trans: data malloc fail for %d bytes !\n", tdscnt)); - return(ERROR(ERRDOS,ERRnomem)); - } + DEBUG(0,("reply_trans: data malloc fail for %d bytes !\n", tdscnt)); + return(ERROR(ERRDOS,ERRnomem)); + } memcpy(data,smb_base(inbuf)+dsoff,dscnt); } if (tpscnt) { if((params = (char *)malloc(tpscnt)) == NULL) { - DEBUG(0,("reply_trans: param malloc fail for %d bytes !\n", tpscnt)); - return(ERROR(ERRDOS,ERRnomem)); - } + DEBUG(0,("reply_trans: param malloc fail for %d bytes !\n", tpscnt)); + return(ERROR(ERRDOS,ERRnomem)); + } memcpy(params,smb_base(inbuf)+psoff,pscnt); } @@ -3560,7 +3565,8 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int if (strncmp(name,"\\PIPE\\",strlen("\\PIPE\\")) == 0) { DEBUG(5,("calling named_pipe\n")); - outsize = named_pipe(conn,vuid,outbuf,name+strlen("\\PIPE\\"),setup,data,params, + outsize = named_pipe(conn,vuid,outbuf, + name+strlen("\\PIPE\\"),setup,data,params, suwcnt,tdscnt,tpscnt,msrcnt,mdrcnt,mprcnt); } else { DEBUG(3,("invalid pipe name\n")); diff --git a/source3/utils/torture.c b/source3/utils/torture.c index 94c94966df..fb320e8b66 100644 --- a/source3/utils/torture.c +++ b/source3/utils/torture.c @@ -623,7 +623,7 @@ static void run_randomipc(void) for (i=0;i<1000;i++) { api = sys_random() % 500; - param_len = sys_random() % 64; + param_len = (sys_random() % 64) + 4; rand_buf(param, param_len); |