diff options
Diffstat (limited to 'source3/smbd/reply.c')
-rw-r--r-- | source3/smbd/reply.c | 47 |
1 files changed, 23 insertions, 24 deletions
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 30b90a6459..e4fbc839ff 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -3289,35 +3289,39 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req) START_PROFILE(SMBwriteX); - if (!reply_prep_legacy(req, &inbuf, &outbuf, &length, &bufsize)) { - reply_nterror(req, NT_STATUS_NO_MEMORY); + if ((req->wct != 12) && (req->wct != 14)) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); END_PROFILE(SMBwriteX); return; } - if ((CVAL(inbuf, smb_wct) != 12) && (CVAL(inbuf, smb_wct) != 14)) { - reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + numtowrite = SVAL(req->inbuf,smb_vwv10); + smb_doff = SVAL(req->inbuf,smb_vwv11); + smblen = smb_len(req->inbuf); + large_writeX = ((req->wct == 14) && (smblen > 0xFFFF)); + + /* Deal with possible LARGE_WRITEX */ + if (large_writeX) { + numtowrite |= ((((size_t)SVAL(req->inbuf,smb_vwv9)) & 1 )<<16); + } + + if(smb_doff > smblen || (smb_doff + numtowrite > smblen)) { + reply_doserror(req, ERRDOS, ERRbadmem); END_PROFILE(SMBwriteX); return; } - fsp = file_fsp(SVAL(inbuf,smb_vwv2)); - startpos = IVAL_TO_SMB_OFF_T(inbuf,smb_vwv3); - numtowrite = SVAL(inbuf,smb_vwv10); - write_through = BITSETW(inbuf+smb_vwv7,0); - smb_doff = SVAL(inbuf,smb_vwv11); - smblen = smb_len(inbuf); - large_writeX = ((CVAL(inbuf,smb_wct) == 14) && (smblen > 0xFFFF)); - /* If it's an IPC, pass off the pipe handler. */ if (IS_IPC(conn)) { - reply_post_legacy( - req, - reply_pipe_write_and_X(inbuf,outbuf,length,bufsize)); + reply_pipe_write_and_X(req); END_PROFILE(SMBwriteX); return; } + fsp = file_fsp(SVAL(req->inbuf,smb_vwv2)); + startpos = IVAL_TO_SMB_OFF_T(req->inbuf,smb_vwv3); + write_through = BITSETW(req->inbuf+smb_vwv7,0); + if (!check_fsp(conn, req, fsp, ¤t_user)) { END_PROFILE(SMBwriteX); return; @@ -3329,19 +3333,14 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req) return; } - set_message(inbuf, outbuf, 6, 0, True); - - /* Deal with possible LARGE_WRITEX */ - if (large_writeX) { - numtowrite |= ((((size_t)SVAL(inbuf,smb_vwv9)) & 1 )<<16); - } - - if(smb_doff > smblen || (smb_doff + numtowrite > smblen)) { - reply_doserror(req, ERRDOS, ERRbadmem); + if (!reply_prep_legacy(req, &inbuf, &outbuf, &length, &bufsize)) { + reply_nterror(req, NT_STATUS_NO_MEMORY); END_PROFILE(SMBwriteX); return; } + set_message(inbuf, outbuf, 6, 0, True); + data = smb_base(inbuf) + smb_doff; if(CVAL(inbuf,smb_wct) == 14) { |