From 056f24ce24ab395cb6fff15cb068c8d8b1affef9 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 13 May 2010 15:59:09 -0700
Subject: Fix bug 7399 - SMB2: QUERY_DIRECTORY is returning invalid values. The end_data argument to smbd_dirptr_lanman2_entry() must include the safety margin, as internally it's actually used to allow detection of string name pushes that were truncated. Ensure space_remaining can never go negative due to padding. Jeremy.
---
source3/smbd/trans2.c | 10 ++++++++++
1 file changed, 10 insertions(+)
(limited to 'source3/smbd/trans2.c')
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 5d51a7fb90..3fa737f4b7 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -1523,6 +1523,16 @@ static bool smbd_marshall_dir_entry(TALLOC_CTX *ctx,
 off = (int)PTR_DIFF(pdata, base_data);
 pad = (off + (align-1)) & ~(align-1);
 pad -= off;
+
+ if (pad && pad > space_remaining) {
+ *out_of_space = true;
+ DEBUG(9,("smbd_marshall_dir_entry: out of space "
+ "for padding (wanted %u, had %d)\n",
+ (unsigned int)pad,
+ space_remaining ));
+ return false; /* Not finished - just out of space */
+ }
+
 off += pad;
 /* initialize padding to 0 */
 if (pad) {
-- cgit
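Review bot: The new padding guard `if (pad && pad > space_remaining)` is only as strong as the types of its two operands, and neither declaration is visible in this hunk. The DEBUG call prints `space_remaining` with `%d` and casts `pad` for `%u`, which suggests a signed byte budget; if `pad` were unsigned, a negative `space_remaining` would be converted to a large unsigned value and the check would pass, and with `pad == 0` a negative budget skips the guard in any case. Consider `if (space_remaining < 0 || pad > space_remaining) {` so the function fails closed before the padding bytes are written. smbd_marshall_dir_entry starts and ends outside the hunk, so the declarations and the place where the padding is charged against `space_remaining` should be confirmed there.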