-rw-r--r--source3/libsmb/clientgen.c6
-rw-r--r--source3/smbd/ipc.c26
-rw-r--r--source3/utils/torture.c2
3 files changed, 20 insertions, 14 deletions
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index d454cbdd3c..8aa857df8a 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -432,9 +432,9 @@ BOOL cli_NetWkstaUserLogon(struct cli_state *cli,char *user, char *workstation)
pstrcpy(p,user);
strupper(p);
p += 21;
- p++;
- p += 15;
- p++;
+ p++;
+ p += 15;
+ p++;
pstrcpy(p, workstation);
strupper(p);
p += 16;
diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c
index c647a5de3e..0c4d0d5bfe 100644
--- a/source3/smbd/ipc.c
+++ b/source3/smbd/ipc.c
@@ -3348,7 +3348,7 @@ struct
static int api_reply(connection_struct *conn,uint16 vuid,char *outbuf,char *data,char *params,
int tdscnt,int tpscnt,int mdrcnt,int mprcnt)
{
- int api_command = SVAL(params,0);
+ int api_command;
struct mem_buf rdata_buf;
struct mem_buf rparam_buf;
char *rdata = NULL;
@@ -3358,8 +3358,14 @@ static int api_reply(connection_struct *conn,uint16 vuid,char *outbuf,char *data
BOOL reply=False;
int i;
+ SMB_ASSERT(params != 0);
+
+ api_command = SVAL(params,0);
+
DEBUG(3,("Got API command %d of form <%s> <%s> (tdscnt=%d,tpscnt=%d,mdrcnt=%d,mprcnt=%d)\n",
- api_command,params+2,skip_string(params+2,1),
+ api_command,
+ params+2,
+ skip_string(params+2,1),
tdscnt,tpscnt,mdrcnt,mprcnt));
for (i=0;api_commands[i].name;i++)
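Review bot: The added `SMB_ASSERT(params != 0)` in api_reply only rules out a null pointer, and it asserts on a value the client influences: the reply_trans hunk later in this file leaves `params` NULL whenever `tpscnt` is 0, so a request with an empty parameter block would presumably trip the assertion instead of getting an error reply. The assertion also does not cover the reads that follow it, since `SVAL(params,0)` needs at least two bytes and the DEBUG call passes `params+2` and `skip_string(params+2,1)` as `%s` arguments with nothing visible here that guarantees a terminating NUL inside the `tpscnt`-byte buffer. I would replace the assert with a length guard such as `if (params == NULL || tpscnt < 2)` that takes the function's normal error path, and check both strings against `tpscnt` before logging them. The function body starts in the previous hunk and continues past this one, so a length check may already exist outside the visible lines.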
@@ -3448,7 +3454,6 @@ static int named_pipe(connection_struct *conn,uint16 vuid, char *outbuf,char *na
int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int bufsize)
{
fstring name;
-
char *data=NULL,*params=NULL;
uint16 *setup=NULL;
int outsize = 0;
@@ -3475,17 +3480,17 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
if (tdscnt) {
if((data = (char *)malloc(tdscnt)) == NULL) {
- DEBUG(0,("reply_trans: data malloc fail for %d bytes !\n", tdscnt));
- return(ERROR(ERRDOS,ERRnomem));
- }
+ DEBUG(0,("reply_trans: data malloc fail for %d bytes !\n", tdscnt));
+ return(ERROR(ERRDOS,ERRnomem));
+ }
memcpy(data,smb_base(inbuf)+dsoff,dscnt);
}
if (tpscnt) {
if((params = (char *)malloc(tpscnt)) == NULL) {
- DEBUG(0,("reply_trans: param malloc fail for %d bytes !\n", tpscnt));
- return(ERROR(ERRDOS,ERRnomem));
- }
+ DEBUG(0,("reply_trans: param malloc fail for %d bytes !\n", tpscnt));
+ return(ERROR(ERRDOS,ERRnomem));
+ }
memcpy(params,smb_base(inbuf)+psoff,pscnt);
}
@@ -3560,7 +3565,8 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
if (strncmp(name,"\\PIPE\\",strlen("\\PIPE\\")) == 0) {
DEBUG(5,("calling named_pipe\n"));
- outsize = named_pipe(conn,vuid,outbuf,name+strlen("\\PIPE\\"),setup,data,params,
+ outsize = named_pipe(conn,vuid,outbuf,
+ name+strlen("\\PIPE\\"),setup,data,params,
suwcnt,tdscnt,tpscnt,msrcnt,mdrcnt,mprcnt);
} else {
DEBUG(3,("invalid pipe name\n"));
diff --git a/source3/utils/torture.c b/source3/utils/torture.c
index 94c94966df..fb320e8b66 100644
--- a/source3/utils/torture.c
+++ b/source3/utils/torture.c
@@ -623,7 +623,7 @@ static void run_randomipc(void)
for (i=0;i<1000;i++) {
api = sys_random() % 500;
- param_len = sys_random() % 64;
+ param_len = (sys_random() % 64) + 4;
rand_buf(param, param_len);