From bc98d004c9dc22ff1438bfd1d9ddeaca5a3f6179 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 6 Jul 2011 13:04:26 +0200
Subject: s3:libsmb: don't use cli->inbuf in cli_dfs_get_referral()

The rdata buffer returned by cli_trans() doesn't belong to cli->inbuf, so don't use it.

metze
---
 source3/libsmb/clidfs.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index 8df5423664..2287812c18 100644
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -608,7 +608,8 @@ NTSTATUS cli_dfs_get_referral(TALLOC_CTX *ctx,
 {
 unsigned int data_len = 0;
 unsigned int param_len = 0;
- uint16 setup[1];
+ uint16_t setup[1];
+ uint16_t recv_flags2;
 uint8_t *param = NULL;
 uint8_t *rdata = NULL;
 char *p;
@@ -643,7 +644,7 @@ NTSTATUS cli_dfs_get_referral(TALLOC_CTX *ctx,
 setup, 1, 0,
 param, param_len, 2,
 NULL, 0, cli->max_xmit,
- NULL,
+ &recv_flags2,
 NULL, 0, NULL, /* rsetup */
 NULL, 0, NULL,
 &rdata, 4, &data_len);
@@ -720,11 +721,12 @@ NTSTATUS cli_dfs_get_referral(TALLOC_CTX *ctx,
 status = NT_STATUS_INVALID_NETWORK_RESPONSE;
 goto out;
 }
- clistr_pull_talloc(ctx, cli->inbuf,
- SVAL(cli->inbuf, smb_flg2),
+ clistr_pull_talloc(referrals,
+ (const char *)rdata,
+ recv_flags2,
 &referrals[i].dfspath,
 p+node_offset,
- cli->bufsize - ((p+node_offset)-cli->inbuf),
+ PTR_DIFF(endp, p+node_offset),
 STR_TERMINATE|STR_UNICODE);

 if (!referrals[i].dfspath) {
-- 
cgit
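Review bot: `recv_flags2` is the only local in this declaration block left without an initializer, while `data_len`, `param_len`, `param` and `rdata` all start at 0 or NULL. It is filled by the cli_trans() call in the second hunk and then passed by value to clistr_pull_talloc() in the third. Whether cli_trans() writes it on every path that reaches that call is not visible here, so `uint16_t recv_flags2 = 0;` would keep a later read from seeing an indeterminate value. The function body continues outside the hunk.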
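Review bot: The source length passed to clistr_pull_talloc() is now `PTR_DIFF(endp, p+node_offset)`, which is a valid non-negative length only if the check ending just above the call rejects every `node_offset` that puts `p+node_offset` past `endp`. Only the body of that check is in the hunk, not its condition, so this cannot be confirmed from here. The offset presumably comes from the server's reply, so a short comment above the call would record the dependency, for example `/* p+node_offset was checked against endp above, so the length cannot be negative */`. The enclosing loop and the definition of `endp` are outside the hunk.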