author | Luke Leighton <lkcl@samba.org> | 1998-10-20 18:27:49 +0000 |
---|---|---|
committer | Luke Leighton <lkcl@samba.org> | 1998-10-20 18:27:49 +0000 |
commit | 05a297e3a98c14360782af4ad0d851638fb5da9a (patch) | |
tree | 9c7ddfb8ba98f399fe8a7debb444ce6ccdae8e4e /source/smbd/ipc.c | |
parent | 06cc6eaa50fa4b673d527e91740f9d2d2b16d367 (diff) | |
some quite important bug-fixes i missed because i transferred the wrong
smb.tgz file from my portable.
particularly the call to mem_data followed by a realloc of that data in
cli_pipe.c's rpc_read() function.
smbd responses now use p->rdata_i which is a faked-up pointer into
p->rdata's response data. rdata can be very long; rdata_i is limited
to point to no more than max_tsize - 0x18 in length. this will make
it an almost trivial task to add the encrypted rpc headers after
rdata_i, and mem_buf_copy will cope admirably with rhdr chained to
rdata_i chained to auth_verifier etc etc...
Diffstat (limited to 'source/smbd/ipc.c')
-rw-r--r-- | source/smbd/ipc.c | 27 |
1 files changed, 8 insertions, 19 deletions
diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c
index 2b8b8698db4..3e697a59ce5 100644
--- a/source/smbd/ipc.c
+++ b/source/smbd/ipc.c
@@ -3101,6 +3101,7 @@ static void api_rpc_trans_reply(char *outbuf,
 /* all of data was sent: no need to wait for SMBreadX calls */
 mem_free_data(p->rhdr .data);
 mem_free_data(p->rdata.data);
+ mem_free_data(p->rdata_i.data);
 }
 }
@@ -3190,20 +3191,12 @@ static int api_fd_reply(connection_struct *conn,uint16 vuid,char *outbuf,
 int subcommand;
 pipes_struct *p = NULL;
 prs_struct pd;
- struct mem_buf data_buf;
 DEBUG(5,("api_fd_reply\n"));
- /* fake up a data buffer from the api_fd_reply data parameters */
- mem_create(&data_buf, data, tdscnt, 0, False);
- data_buf.offset.start = 0;
- data_buf.offset.end = tdscnt;
-
- /* fake up a parsing structure */
- pd.data = &data_buf;
- pd.align = 4;
- pd.io = True;
- pd.offset = 0;
+ /* make a static data parsing structure from the api_fd_reply data */
+ prs_init(&pd, 0, 4, True, 0);
+ mem_create(pd.data, data, 0, tdscnt, 0, False);
 /* First find out the name of this file. */
 if (suwcnt != 2)
@@ -3259,6 +3252,8 @@ static int api_fd_reply(connection_struct *conn,uint16 vuid,char *outbuf,
 DEBUG(1,("api_fd_reply: INVALID PIPE HANDLE: %x\n", pnum));
 }
+ mem_free_data(pd.data);
+
 if (!reply)
 {
 return api_no_reply(outbuf, mdrcnt);
@@ -3410,14 +3405,8 @@ static int api_reply(connection_struct *conn,uint16 vuid,char *outbuf,char *data
 &rdata,&rparam,&rdata_len,&rparam_len);
- mem_create(&rdata_buf , rdata , rdata_len , 0, False);
- mem_create(&rparam_buf, rparam, rparam_len, 0, False);
-
- rdata_buf.offset.start = 0;
- rdata_buf.offset.end = rdata_len;
-
- rparam_buf.offset.start = 0;
- rparam_buf.offset.end = rparam_len;
+ mem_create(&rdata_buf , rdata , 0, rdata_len , 0, False);
+ mem_create(&rparam_buf, rparam, 0, rparam_len, 0, False);
 /* now send the reply */
 send_trans_reply(outbuf, &rdata_buf, &rparam_buf, NULL, 0, 0); |
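Review bot: The added `mem_free_data(p->rdata_i.data);` in api_rpc_trans_reply runs directly after `mem_free_data(p->rdata.data);`, yet the commit message describes rdata_i as a faked-up pointer into p->rdata's response data. If rdata_i does not own its bytes, this is safe only when mem_free_data skips storage it does not own, which is not visible in this hunk; otherwise the same memory is released twice on a request-driven path. I would release the view before the buffer it points into and state the ownership at the call, e.g. `/* rdata_i is a window into rdata and owns no bytes; freeing it must not release rdata's storage */`. The function body starts and ends outside the hunk.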
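Review bot: Whatever `prs_init(&pd, 0, 4, True, 0);` sets up in api_fd_reply is released only by the `mem_free_data(pd.data);` added in the later hunk at `@@ -3259,6 +3252,8 @@`, so any exit between the two points leaks it. The `if (suwcnt != 2)` check right after the init is cut off by the hunk; if its branch returns, every rejected transaction leaks the parse buffer, which adds up to memory exhaustion in a long-running smbd. `pd.data` is also handed to mem_create without a check that prs_init actually produced it. I would add `if (pd.data == NULL) return -1;` after prs_init (or whatever error return this function uses) and a `mem_free_data(pd.data);` before each early return.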
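Review bot: The two rewritten calls in api_reply, `mem_create(&rdata_buf , rdata , 0, rdata_len , 0, False);` and its rparam twin, pass three bare integers and a boolean whose roles are stated nowhere in the hunk. Judging by the removed `offset.start`/`offset.end` assignments, the new third and fourth arguments look like the start and end offsets, but that is inferred rather than shown. A comment such as `/* wrap rdata in place: start 0, end rdata_len; confirm False means the mem_buf does not own the bytes */` would let a reader check that the bounds given to send_trans_reply match the lengths the api function returned. The function body starts and ends outside the hunk.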