From 35c65576f71bb95f1bda5909c3a3cf32665a0dd4 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 21 May 1998 23:50:16 +0000
Subject: printing.c: Fixed overflow by one problem in LPRng. reply.c: Fixed password length modifiers to always be done is none-encrypted mode used. This fixes Samba for people who are using non-encrypted passwords with security=server. Jeremy. (This used to be commit 720b565349e3467bd81d6d863b9ac54237edd3cf)
---
 source3/printing/printing.c | 4 ++--
 source3/smbd/reply.c | 32 +++++++++++++++++---------------
 2 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/source3/printing/printing.c b/source3/printing/printing.c
index 1ffe9d00a9..2b9c0c7199 100644
--- a/source3/printing/printing.c
+++ b/source3/printing/printing.c
@@ -286,12 +286,12 @@ static time_t LPRng_time(fstring tok[],int pos) { time_t jobtime; struct tm *t; - char tmp_time[9]; + fstring tmp_time; jobtime = time(NULL); /* default case: take current time */ t = localtime(&jobtime); t->tm_hour = atoi(tok[pos]); - StrnCpy(tmp_time,tok[pos],sizeof(tmp_time)); + fstrcpy(tmp_time,tok[pos]); t->tm_min = atoi(tmp_time+3); t->tm_sec = atoi(tmp_time+6); jobtime = mktime(t);
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 4cde83cefe..5ed30a7e8f 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
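Review bot: In LPRng_time (printing.c), `tmp_time+3` and `tmp_time+6` are still read without checking how long the token is. `fstrcpy` writes only up to the terminator, so a token shorter than six characters leaves `atoi` parsing uninitialized stack bytes of the fstring. The token is presumably parsed from queue-listing output, so its shape should be checked before use, e.g. `if (strlen(tok[pos]) < 8) return jobtime;` ahead of the `tm_hour` assignment, assuming the expected form is HH:MM:SS as the old 9-byte buffer suggests. `localtime()` can also return NULL, and `t` is dereferenced unchecked. The function's tail lies outside the hunk, so the return path is inferred.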
@@ -516,6 +516,23 @@ int reply_sesssetup_and_X(char *inbuf,char *outbuf,int length,int bufsize) passlen1 = MIN(passlen1, MAX_PASS_LEN); passlen2 = MIN(passlen2, MAX_PASS_LEN); + if(!doencrypt) { + /* both Win95 and WinNT stuff up the password lengths for + non-encrypting systems. Uggh. + + if passlen1==24 its a win95 system, and its setting the + password length incorrectly. Luckily it still works with the + default code because Win95 will null terminate the password + anyway + + if passlen1>0 and passlen2>0 then maybe its a NT box and its + setting passlen2 to some random value which really stuffs + things up. we need to fix that one. */ + + if (passlen1 > 0 && passlen2 > 0 && passlen2 != 24 && passlen2 != 1) + passlen2 = 0; + } + if(doencrypt || ((lp_security() == SEC_SERVER) || (lp_security() == SEC_DOMAIN))) { /* Save the lanman2 password and the NT md4 password. */ smb_apasslen = passlen1;
@@ -525,21 +542,6 @@ int reply_sesssetup_and_X(char *inbuf,char *outbuf,int length,int bufsize) memcpy(smb_ntpasswd,p+passlen1,smb_ntpasslen); smb_ntpasswd[smb_ntpasslen] = 0; } else { - /* both Win95 and WinNT stuff up the password lengths for - non-encrypting systems. Uggh. - - if passlen1==24 its a win95 system, and its setting the - password length incorrectly. Luckily it still works with the - default code because Win95 will null terminate the password - anyway - - if passlen1>0 and passlen2>0 then maybe its a NT box and its - setting passlen2 to some random value which really stuffs - things up. we need to fix that one. */ - if (passlen1 > 0 && passlen2 > 0 && passlen2 != 24 && - passlen2 != 1) { - passlen2 = 0; - } /* we use the first password that they gave */ smb_apasslen = passlen1; StrnCpy(smb_apasswd,p,smb_apasslen);
-- cgit
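Review bot: The lengths adjusted here are client-supplied, and nothing visible in this hunk or the next checks them against the size of the request. `MIN(passlen1, MAX_PASS_LEN)` bounds the destination copies, but `memcpy(smb_ntpasswd,p+passlen1,smb_ntpasslen)` in the branch that follows can still read past the end of a short packet. If no earlier check exists outside the hunk, add one before the new `if(!doencrypt)` block, for example `if (passlen1 + passlen2 > (inbuf + length) - p) /* reject the request */`, assuming `length` is the number of valid bytes in `inbuf` and `p` points into it. The exceptions `24` and `1` in the moved condition also deserve a one-line comment saying which clients send them, since the existing comment explains 24 only for passlen1. reply_sesssetup_and_X starts and ends outside both hunks.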