From 056f24ce24ab395cb6fff15cb068c8d8b1affef9 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 13 May 2010 15:59:09 -0700
Subject: Fix bug 7399 - SMB2: QUERY_DIRECTORY is returning invalid values. The end_data argument to smbd_dirptr_lanman2_entry() must include the safety margin, as internally it's actually used to allow detection of string name pushes that were truncated. Ensure space_remaining can never go negative due to padding. Jeremy.
---
 source3/smbd/smb2_find.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'source3/smbd/smb2_find.c')
diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c
index 66be7562e8..6690adcb93 100644
--- a/source3/smbd/smb2_find.c
+++ b/source3/smbd/smb2_find.c
@@ -373,7 +373,11 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
 state->out_output_buffer.length = 0;
 pdata = (char *)state->out_output_buffer.data;
 base_data = pdata;
- end_data = pdata + in_output_buffer_length;
+ /*
+ * end_data must include the safety margin as it's what is
+ * used to determine if pushed strings have been truncated.
+ */
+ end_data = pdata + in_output_buffer_length + DIR_ENTRY_SAFETY_MARGIN - 1;
 last_entry_off = 0;
 off = 0;
 num = 0;
-- cgit
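Review bot: The new `end_data` sits `DIR_ENTRY_SAFETY_MARGIN - 1` bytes past `pdata + in_output_buffer_length`, which is only memory-safe if `state->out_output_buffer.data` was allocated with at least `in_output_buffer_length + DIR_ENTRY_SAFETY_MARGIN` bytes. That allocation is outside this hunk, so it should be confirmed and the dependency recorded in the added comment, for example `* Relies on out_output_buffer being allocated with in_output_buffer_length + DIR_ENTRY_SAFETY_MARGIN bytes; the - 1 makes end_data the last usable byte.` (the reading of the `- 1` is inferred and worth verifying against smbd_dirptr_lanman2_entry()). Since `in_output_buffer_length` presumably originates from the client request, the length finally returned should still be capped at `in_output_buffer_length` so that bytes written into the margin are never sent back. The commit message also promises that space_remaining can no longer go negative, but no such change is visible in this hunk. The body of smbd_smb2_find_send starts and ends outside the hunk.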