From 231124ced9237cdbc3732a722c8f373ee760927b Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 29 Oct 2003 21:28:00 +0000
Subject: Fixes to check for wraps which could cause coredumps. Jeremy. (This
 used to be commit ad06edd1bb58cc5e2c38a364b1af96a933b770af)

---
 source3/smbd/reply.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'source3/smbd/reply.c')

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 011186ba89..3752507493 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -669,10 +669,9 @@ int reply_search(connection_struct *conn, char *inbuf,char *outbuf, int dum_size
 	time_t date;
 	int dirtype;
 	int outsize = 0;
-	int numentries = 0;
+	unsigned int numentries = 0;
+	unsigned int maxentries = 0;
 	BOOL finished = False;
-	int maxentries;
-	int i;
 	char *p;
 	BOOL ok = False;
 	int status_len;
@@ -786,6 +785,9 @@ int reply_search(connection_struct *conn, char *inbuf,char *outbuf, int dum_size
 					numentries = 0;
 				p += DIR_STRUCT_SIZE;
 			} else {
+				unsigned int i;
+				maxentries = MIN(maxentries, ((BUFFER_SIZE - (p - outbuf))/DIR_STRUCT_SIZE));
+
 				DEBUG(8,("dirpath=<%s> dontdescend=<%s>\n",
 				conn->dirpath,lp_dontdescend(SNUM(conn))));
 				if (in_list(conn->dirpath, lp_dontdescend(SNUM(conn)),True))
@@ -845,7 +847,7 @@ int reply_search(connection_struct *conn, char *inbuf,char *outbuf, int dum_size
 	if ((! *directory) && dptr_path(dptr_num))
 		slprintf(directory, sizeof(directory)-1, "(%s)",dptr_path(dptr_num));
 
-	DEBUG( 4, ( "%s mask=%s path=%s dtype=%d nument=%d of %d\n",
+	DEBUG( 4, ( "%s mask=%s path=%s dtype=%d nument=%u of %u\n",
 		smb_fn_name(CVAL(inbuf,smb_com)), 
 		mask, directory, dirtype, numentries, maxentries ) );
 
-- 
cgit