authorJeremy Allison <jra@samba.org>2010-02-09 15:23:38 -0800
committerKarolin Seeger <kseeger@samba.org>2010-02-24 16:25:10 +0100
commit07e9144aab08e26a61016c76eb7afb1f9dbec7e4 (patch)
tree39af180aa35b7b37ad26ff8c78036ab8b1374bb3
parent56c764a2d168a8cd3627e7d551e5eb802af48756 (diff)
Fix bug #7122 - Reading a large browselist fails (server returns invalid values in subsequent SMBtrans replies)
There are two problems: 1). The server is off-by-one in the end of buffer space test. 2). The server returns 0 in the totaldata (smb_vwv1) and totalparams (smb_vwv0) fields in the second and subsequent SMBtrans replies. This patch fixes both. Jeremy. (similar to commit b07a14dc37d2899f662e1cf87064f99c0bd10b25) Signed-off-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit de658f95ea12d4c532f309634b9aedb09c5e4d1d)
-rw-r--r--source/smbd/ipc.c3
-rw-r--r--source/smbd/lanman.c4
2 files changed, 5 insertions, 2 deletions
diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c
index 5c9f9f63d90..8b6c88bbd4e 100644
--- a/source/smbd/ipc.c
+++ b/source/smbd/ipc.c
@@ -163,6 +163,9 @@ void send_trans_reply(connection_struct *conn, const uint8_t *inbuf,
rparam, tot_param_sent, this_lparam,
rdata, tot_data_sent, this_ldata);
+ SSVAL(outbuf,smb_vwv0,lparam);
+ SSVAL(outbuf,smb_vwv1,ldata);
+
SSVAL(outbuf,smb_vwv3,this_lparam);
SSVAL(outbuf,smb_vwv4,smb_offset(smb_buf(outbuf)+1,outbuf));
SSVAL(outbuf,smb_vwv5,tot_param_sent);
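Review bot: The added stores `SSVAL(outbuf,smb_vwv0,lparam);` and `SSVAL(outbuf,smb_vwv1,ldata);` carry no comment saying why the totals are written again in a follow-up reply, so a later cleanup could drop them as redundant and reintroduce bug #7122. A line above them such as `/* Every subsequent SMBtrans reply must repeat the total param/data counts; leaving them 0 breaks client reassembly. */` would record the intent. SSVAL writes a 16-bit field and the declarations of lparam and ldata are outside the hunk, so it is worth confirming that both are bounded to 0xFFFF before this point; otherwise the advertised total would be truncated silently and disagree with the bytes actually sent. send_trans_reply starts and ends outside the hunk.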
diff --git a/source/smbd/lanman.c b/source/smbd/lanman.c
index bc1cb953f10..29566d1763b 100644
--- a/source/smbd/lanman.c
+++ b/source/smbd/lanman.c
@@ -1456,7 +1456,7 @@ static bool api_RNetServerEnum(connection_struct *conn, uint16 vuid,
DEBUG(4,("fill_srv_info %20s %8x %25s %15s\n",
s->name, s->type, s->comment, s->domain));
- if (data_len <= buf_len) {
+ if (data_len < buf_len) {
counted++;
fixed_len += f_len;
string_len += s_len;
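Review bot: The strict test `if (data_len < buf_len) {` now treats an entry that exactly fills the client buffer as not fitting, and nothing at the comparison says why, so the next reader is likely to "correct" it back to `<=`. A comment such as `/* Strict '<' is deliberate: an entry that exactly fills buf_len is not counted (bug #7122). */` should sit on this line and on the identical test in the api_RNetShareEnum hunk below. The counting pass here presumably decides how many entries a later fill pass writes into the reply buffer, so it is worth checking that the fill pass outside these hunks applies the same bound. The declarations of data_len and buf_len are not visible; if one is signed and the other unsigned, the comparison deserves a second look as well.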
@@ -1820,7 +1820,7 @@ static bool api_RNetShareEnum( connection_struct *conn, uint16 vuid,
if( lp_browseable( i ) && lp_snum_ok( i ) && (strlen(servicename_dos) < 13)) {
total++;
data_len += fill_share_info(conn,i,uLevel,0,&f_len,0,&s_len,0);
- if (data_len <= buf_len) {
+ if (data_len < buf_len) {
counted++;
fixed_len += f_len;
string_len += s_len;