From f04e37a630f8e7538d670d34db4ea7fc7c0b50a3 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 4 Dec 2007 12:53:21 -0800
Subject: Fix crash bug with vl's new trans handling in old transs calls. Make this look like the (working) transs2 handling (replace inbuf, not write to outbuf - outbuf isn't allocated yet so you get a null deref). Jeremy.
---
 source/smbd/ipc.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
(limited to 'source')
diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c
index 0360417c564..eed293d50d4 100644
--- a/source/smbd/ipc.c
+++ b/source/smbd/ipc.c
@@ -752,7 +752,7 @@ void reply_transs(connection_struct *conn, struct smb_request *req)
 goto bad_param;
 memcpy(state->data+ddisp, smb_base(req->inbuf)+doff,
- dcnt);
+ dcnt);
 }
 if ((state->received_param < state->total_param) ||
@@ -761,10 +761,11 @@ void reply_transs(connection_struct *conn, struct smb_request *req)
 return;
 }
- /* construct_reply_common has done us the favor to pre-fill the
- * command field with SMBtranss which is wrong :-)
- */
- SCVAL(req->outbuf,smb_com,SMBtrans);
+ /*
+ * construct_reply_common will copy smb_com from inbuf to
+ * outbuf. SMBtranss is wrong here.
+ */
+ SCVAL(req->inbuf,smb_com,SMBtrans);
 handle_trans(conn, req, state);
-- 
cgit
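Review bot: The new `SCVAL(req->inbuf,smb_com,SMBtrans);` in the second hunk overwrites the command byte of the request as it was received, so anything that inspects req->inbuf after this point — error replies, packet logging, or any inbound integrity check that hashes the original bytes — now sees SMBtrans rather than the SMBtranss the client actually sent. The commit message explains that outbuf is not allocated yet at this point, which is why the write moved, but the new comment does not say so; suggest wording it as `/* outbuf is not allocated yet, so patch smb_com in inbuf: construct_reply_common copies it to outbuf, and SMBtranss is wrong for the trans reply. This discards the original command byte. */`. If any inbound verification of the packet runs after reply_transs reaches this line, it should be confirmed that it does not depend on the original command byte; that cannot be determined from this hunk. The first hunk is whitespace-only, and reply_transs's body starts and ends outside both hunks.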