From afd637e926c70f9ca88d8e85ea2c684032962bc9 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 3 Apr 2007 04:52:09 +0000
Subject: r22050: Fix a couple of off-by-one errors in the rap call patch.
 Jerry, this works now for displaying shares on Win9x (and hopefully
 everything else as well :-). Jeremy. (This used to be commit
 728a4cc71376f9cfff2578d21a47602f8b7c6531)

---
 source3/smbd/lanman.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

(limited to 'source3/smbd/lanman.c')

diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
index 0ef6fe1c47..4ca9a4b051 100644
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -2365,7 +2365,11 @@ static BOOL api_SetUserPassword(connection_struct *conn,uint16 vuid,
 
 	memset(pass1,'\0',sizeof(pass1));
 	memset(pass2,'\0',sizeof(pass2));
-	if (!is_offset_safe(param,tpscnt,p,32)) {
+	/*
+	 * We use 31 here not 32 as we're checking
+	 * the last byte we want to access is safe.
+	 */
+	if (!is_offset_safe(param,tpscnt,p,31)) {
 		return False;
 	}
 	memcpy(pass1,p,16);
@@ -2537,7 +2541,11 @@ static BOOL api_RDosPrintJobDel(connection_struct *conn,uint16 vuid,
 	if (!str1 || !str2 || !p) {
 		return False;
 	}
-	if (!is_offset_safe(param,tpscnt,p,2)) {
+	/*
+	 * We use 1 here not 2 as we're checking
+	 * the last byte we want to access is safe.
+	 */
+	if (!is_offset_safe(param,tpscnt,p,1)) {
 		return False;
 	}
 	if(!rap_to_pjobid(SVAL(p,0), sharename, &jobid))
@@ -2701,7 +2709,11 @@ static BOOL api_PrintJobInfo(connection_struct *conn, uint16 vuid,
 	if (!str1 || !str2 || !p) {
 		return False;
 	}
-	if (!is_offset_safe(param,tpscnt,p,2)) {
+	/*
+	 * We use 1 here not 2 as we're checking
+	 * the last byte we want to access is safe.
+	 */
+	if (!is_offset_safe(param,tpscnt,p,1)) {
 		return False;
 	}
 	if(!rap_to_pjobid(SVAL(p,0), sharename, &jobid))
-- 
cgit