From 61b37c73eeff8548c63df76e7d650c27746ca720 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 20 Nov 2007 15:31:18 -0800
Subject: Paranoia check that space_remaining never goes -ve. Jeremy. (This used to be commit 76f9c0b2dccffbff7cbf98aa63f50b48ad7cb9cb)
---
 source3/smbd/trans2.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
(limited to 'source3/smbd/trans2.c')
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index bb24db9ee1..323d78cde1 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -1371,7 +1371,9 @@ static bool get_lanman2_dir_entry(TALLOC_CTX *ctx,
 SSVAL(p,20,mode);
 p += 23;
 nameptr = p;
- p += align_string(pdata, p, 0);
+ if (flags2 & FLAGS2_UNICODE_STRINGS) {
+ p += ucs2_align(base_data, p, 0);
+ }
 len = srvstr_push(base_data, flags2, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE);
@@ -2022,7 +2024,13 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
 if(got_exact_match) finished = True;
- space_remaining = max_data_bytes - PTR_DIFF(p,pdata);
+ /* Ensure space_remaining never goes -ve. */
+ if (PTR_DIFF(p,pdata) > max_data_bytes) {
+ space_remaining = 0;
+ out_of_space = true;
+ } else {
+ space_remaining = max_data_bytes - PTR_DIFF(p,pdata);
+ }
 } /* Check if we can close the dirptr */
-- cgit
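Review bot: In the get_lanman2_dir_entry hunk (@@ -1371), nothing visible checks that `p` is still below `end_data` after `p += 23` and the optional UCS-2 pad byte, yet `PTR_DIFF(end_data, p)` is handed to `srvstr_push` as the destination length straight afterwards. If an earlier check exists it lies outside the hunk (the function body starts and ends outside it); if it does not, a nearly full reply buffer could make that length negative. Either way I would record the invariant at the alignment, e.g. `/* p < end_data must hold here: PTR_DIFF(end_data, p) is the srvstr_push length */`. The alignment base also changes from `pdata` to `base_data`, which presumably affects padding in the reply and is not mentioned in the commit subject, so it deserves a line in the message.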
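Review bot: In the second hunk (@@ -2022), the clamp hides the fact that `p` has already moved past `pdata + max_data_bytes` by the time the new `if` branch is taken, which suggests a space-accounting error in whatever filled the entry. I would log it rather than only zeroing, e.g. `DEBUG(0,("trans2 find: reply data exceeded max_data_bytes\n"));` inside the `if`, so the condition is visible to whoever triages the server logs. The comparison also mixes the signed result of `PTR_DIFF` with `max_data_bytes`, whose type is not visible here; if it is unsigned, computing `PTR_DIFF(p,pdata)` once into a local of a known type would make the comparison explicit and avoid evaluating the macro twice. The enclosing function starts and ends outside the hunk.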