Fix crash when returning 1000 users to Win98 (tested - hurrah to JF !!).

Jermey.

3 files changed, 29 insertions, 23 deletions

diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c
index 1339c3a7563..1e0edf09b70 100644
--- a/source/rpc_server/srv_samr_nt.c
+++ b/source/rpc_server/srv_samr_nt.c
@@ -184,39 +184,44 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask)
 
 /*
  * This is a really ugly hack to make this interface work in the 2.2.x code. JRA.
+ * Return a malloced map so we can free it.
  */
 
 static int setup_fake_group_map(GROUP_MAP **ret_map)
 {
-	static GROUP_MAP map[2];
+	static GROUP_MAP static_map[2];
 	static BOOL group_map_init;
 	extern DOM_SID global_sam_sid;
 
+	*ret_map = (GROUP_MAP *)malloc(sizeof(GROUP_MAP)*2);
+	if (!ret_map)
+		return 2;
+	
 	if (group_map_init) {
-		*ret_map = &map[0];
-		return sizeof(map)/sizeof(GROUP_MAP);
+		memcpy( *ret_map, &static_map[0], sizeof(GROUP_MAP)*2);
+		return sizeof(static_map)/sizeof(GROUP_MAP);
 	}
 
 	group_map_init = True;
 
-	map[0].gid = (gid_t)-1;
-	sid_copy(&map[0].sid, &global_sam_sid);
-	sid_append_rid(&map[1].sid, DOMAIN_GROUP_RID_ADMINS);
-	map[0].sid_name_use = SID_NAME_DOM_GRP;
-	fstrcpy(map[0].nt_name, "Domain Admins");
-	fstrcpy(map[0].comment, "Administrators for the domain");
-	map[0].privilege = 0;
-
-	map[1].gid = (gid_t)-1;
-	sid_copy(&map[1].sid, &global_sam_sid);
-	sid_append_rid(&map[1].sid, DOMAIN_GROUP_RID_USERS);
-	map[1].sid_name_use = SID_NAME_DOM_GRP;
-	fstrcpy(map[1].nt_name, "Domain Users");
-	fstrcpy(map[1].comment, "Users in the domain");
-	map[1].privilege = 0;
-
-	*ret_map = &map[0];
-	return sizeof(map)/sizeof(GROUP_MAP);
+	static_map[0].gid = (gid_t)-1;
+	sid_copy(&static_map[0].sid, &global_sam_sid);
+	sid_append_rid(&static_map[1].sid, DOMAIN_GROUP_RID_ADMINS);
+	static_map[0].sid_name_use = SID_NAME_DOM_GRP;
+	fstrcpy(static_map[0].nt_name, "Domain Admins");
+	fstrcpy(static_map[0].comment, "Administrators for the domain");
+	static_map[0].privilege = 0;
+
+	static_map[1].gid = (gid_t)-1;
+	sid_copy(&static_map[1].sid, &global_sam_sid);
+	sid_append_rid(&static_map[1].sid, DOMAIN_GROUP_RID_USERS);
+	static_map[1].sid_name_use = SID_NAME_DOM_GRP;
+	fstrcpy(static_map[1].nt_name, "Domain Users");
+	fstrcpy(static_map[1].comment, "Users in the domain");
+	static_map[1].privilege = 0;
+
+	memcpy( *ret_map, &static_map[0], sizeof(GROUP_MAP)*2);
+	return sizeof(static_map)/sizeof(GROUP_MAP);
 }
 
 static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid)
diff --git a/source/rpc_server/srv_srvsvc_nt.c b/source/rpc_server/srv_srvsvc_nt.c
index 47216d1c66d..de12df985c9 100644
--- a/source/rpc_server/srv_srvsvc_nt.c
+++ b/source/rpc_server/srv_srvsvc_nt.c
@@ -1830,7 +1830,7 @@ NTSTATUS _srv_net_disk_enum(pipes_struct *p, SRV_Q_NET_DISK_ENUM *q_u, SRV_R_NET
 
 	r_u->disk_enum_ctr.unknown = 0; 
 
-	r_u->disk_enum_ctr.disk_info_ptr = (uint32) r_u->disk_enum_ctr.disk_info;
+	r_u->disk_enum_ctr.disk_info_ptr = r_u->disk_enum_ctr.disk_info;
 
 	/*allow one DISK_INFO for null terminator*/
 
diff --git a/source/tdb/tdb.c b/source/tdb/tdb.c
index 16cda03a3c1..eab14cf5aeb 100644
--- a/source/tdb/tdb.c
+++ b/source/tdb/tdb.c
@@ -424,7 +424,8 @@ static tdb_off tdb_dump_record(TDB_CONTEXT *tdb, tdb_off offset)
 	}
 
 	if (tailer != rec.rec_len + sizeof(rec)) {
-		printf("ERROR: tailer does not match record! tailer=%u totalsize=%u\n", tailer, rec.rec_len + sizeof(rec));
+		printf("ERROR: tailer does not match record! tailer=%u totalsize=%u\n",
+				(unsigned)tailer, (unsigned)(rec.rec_len + sizeof(rec)));
 	}
 	return rec.next;
 }