From c7fe434d48fb52a7db18405004da03e479aec8d4 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Tue, 17 Feb 2015 20:18:37 +0000
Subject: lib: Use iov_buflen in smb1cli_req_create
Signed-off-by: Volker Lendecke
Reviewed-by: Jeremy Allison
---
 libcli/smb/smbXcli_base.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
(limited to 'libcli')
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index b9c3c8b836..ba00e96219 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -1266,6 +1266,7 @@ struct tevent_req *smb1cli_req_create(TALLOC_CTX *mem_ctx,
 uint16_t flags2 = 0;
 uint16_t uid = 0;
 uint16_t tid = 0;
+ ssize_t num_bytes;
 if (iov_count > MAX_SMB_IOV) {
 /*
@@ -1337,7 +1338,17 @@ struct tevent_req *smb1cli_req_create(TALLOC_CTX *mem_ctx,
 state->smb1.vwv = vwv;
- SSVAL(state->smb1.bytecount_buf, 0, smbXcli_iov_len(bytes_iov, iov_count));
+ num_bytes = iov_buflen(bytes_iov, iov_count);
+ if (num_bytes == -1) {
+ /*
+ * I'd love to add a check for num_bytes<=UINT16_MAX here, but
+ * the smbclient->samba connections can lie and transfer more.
+ */
+ TALLOC_FREE(req);
+ return NULL;
+ }
+
+ SSVAL(state->smb1.bytecount_buf, 0, num_bytes);
 state->smb1.iov[0].iov_base = (void *)state->length_hdr;
 state->smb1.iov[0].iov_len = sizeof(state->length_hdr);
-- cgit
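Review bot: In the second hunk (`@@ -1337,7 +1338,17 @@`) the comment about the missing `num_bytes<=UINT16_MAX` check sits inside the `num_bytes == -1` branch, where it reads as an explanation of the failure path rather than of the store that follows it. The line it actually concerns is `SSVAL(state->smb1.bytecount_buf, 0, num_bytes);`, which writes a 16-bit field from an `ssize_t`, so any total above UINT16_MAX is silently reduced to its low 16 bits on the wire. I would move the comment directly above the SSVAL, reword it to state that consequence, e.g. `/* num_bytes may exceed UINT16_MAX; the byte count field then carries only the low 16 bits and must not be treated as the payload length */`, and make the narrowing visible with `(uint16_t)num_bytes`. A one-line comment on the `-1` branch saying what `iov_buflen` reports there (presumably a length overflow) would also help, since the bare `return NULL` cannot be told apart from an allocation failure by the caller. The body of smb1cli_req_create starts and ends outside this hunk.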