svn commit: samba r24327 - in branches/SAMBA_3_2/source/smbd: .

vlendec at samba.org vlendec at samba.org
Sat Aug 11 14:37:40 GMT 2007


Author: vlendec
Date: 2007-08-11 14:37:39 +0000 (Sat, 11 Aug 2007)
New Revision: 24327

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24327

Log:
First round of fixes to chain_reply

The argument to smb_setlen does not contain the nbt header of 4 bytes

The chained function might allocate outbuf itself (as now happens with
reply_read_and_X). This would erroneously overwrite the caller's outbuf.
Give it an outbuf pointer of its own.

Modified:
   branches/SAMBA_3_2/source/smbd/process.c


Changeset:
Modified: branches/SAMBA_3_2/source/smbd/process.c
===================================================================
--- branches/SAMBA_3_2/source/smbd/process.c	2007-08-11 11:50:53 UTC (rev 24326)
+++ branches/SAMBA_3_2/source/smbd/process.c	2007-08-11 14:37:39 UTC (rev 24327)
@@ -1355,6 +1355,7 @@
 	int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0);
 	unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
 	char *inbuf2;
+	char *outbuf2 = NULL;
 	int outsize2;
 	int new_size;
 	char inbuf_saved[smb_wct];
@@ -1435,7 +1436,7 @@
 	}
 
 	/* And set it in the header. */
-	smb_setlen(inbuf, inbuf2, new_size);
+	smb_setlen(inbuf, inbuf2, new_size - 4);
 
 	DEBUG(3,("Chained message\n"));
 	show_msg(inbuf2);
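Review bot: The bare `- 4` in `smb_setlen(inbuf, inbuf2, new_size - 4)` is unexplained in the code, and `new_size` is a plain `int`, so any value below 4 would hand smb_setlen a negative length. The computation of `new_size` lies above this hunk, so whether a lower bound already holds cannot be confirmed from here; if it does not, a guard before the call is worth adding. At minimum I would put the reason next to the call, e.g. `/* smb_setlen() takes the length without the 4-byte NBT header */`, because `new_size` is still passed unadjusted to switch_message in the hunk at 1447 and the two uses are easy to confuse.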
@@ -1446,7 +1447,7 @@
 	init_smb_request(req, (uint8 *)inbuf2);
 
 	/* process the request */
-	outsize2 = switch_message(smb_com2, req, &outbuf, new_size,
+	outsize2 = switch_message(smb_com2, req, &outbuf2, new_size,
 				  bufsize-chain_size);
 
 	/*
@@ -1495,7 +1496,7 @@
 
 	*poutbuf = outbuf;
 
-	memmove(outbuf + smb_wct + ofs, outbuf + smb_wct, to_move);
+	memmove(outbuf + smb_wct + ofs, outbuf2 + smb_wct, to_move);
 	memcpy(outbuf + smb_wct, caller_output, caller_outputlen);
 
 	/*
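Review bot: `outbuf2` starts as NULL, and the memmove now reads from `outbuf2 + smb_wct` with no visible check that the chained handler actually set it. The code between the switch_message call (hunk at 1447) and this line is not shown, so a guard may already exist; if it does not, a handler that returns without allocating a reply turns this into a read from a near-NULL address on a path driven by client-supplied chained commands. I would add a check ahead of the copy, e.g. `if (outbuf2 == NULL) return -1;`, using whatever error return chain_reply follows, since its tail is outside the hunk. Because source and destination are now separate buffers, it is also worth confirming that `smb_wct + ofs + to_move` fits in the caller's `outbuf` and that `outbuf2` is released after the copy; neither is visible here.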


