off-by-one error in RNetShareEnum

Andrew Bartlett abartlet at
Mon Oct 7 07:29:00 GMT 2002

Steve Langasek wrote:
> The attached patch fixes an annoying, but not dangerous, off-by-one
> error in the RNetShareEnum in smbd/lanman.c.  push_ascii() already takes
> into account the null termination, so subtracting one from the size of
> the destination buffer leaves us one byte short for the full string.
> Although the truncation doesn't seem to matter much for the clients I've
> tested with, applying this patch certainly eliminates a lot of noise
> from the logfiles.

Generally considered 'a good thing' :-) 

> Also, any time I give a password longer than 14 characters to smbclient,
> I get the same warning about truncated strings:
> convert_string: Required 28, available 15
> This is due to the usage of push_ascii() in
> libsmb/smbencrypt.c:E_deshash().  Since the return value of push_ascii()
> is discarded, I assume the error is also not fatal; so it seems to me
> that before 3.0 is released, this debug statement ought to be reduced in
> severity.

I'll fix this one up.  We should probably push into an fstring, then
copy the first 14 chars.  I think the LM hash is meant to be truncated
at 14, not null terminated, but I'll double-check.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
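
An added C example, not part of the original message and not Samba code, of the two points in this thread: a bounded copy that already reserves the terminator loses a character when the caller also subtracts one, and a 14-byte field is filled through a larger scratch buffer. `bounded_copy` and `lm_field` are hypothetical names, the buffer sizes and strings are constructed, and the field is assumed to be truncated and NUL-padded rather than NUL-terminated.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LM_FIELD_LEN 14   /* fixed-width password field discussed above */

/* Hypothetical stand-in for a push_ascii()-style copy: dest_len is the full
 * size of dest and the terminator is accounted for inside the function.
 * Returns the number of source characters that did not fit. */
static size_t bounded_copy(char *dest, size_t dest_len, const char *src)
{
    size_t want = strlen(src);
    size_t room = dest_len ? dest_len - 1 : 0;   /* terminator reserved here */
    size_t n = want < room ? want : room;
    if (dest_len) {
        memcpy(dest, src, n);
        dest[n] = '\0';
    }
    return want - n;
}

/* Fill the 14-byte field: upper-case in a larger scratch buffer first,
 * then copy at most 14 bytes, NUL-padded and not NUL-terminated. */
static void lm_field(unsigned char out[LM_FIELD_LEN], const char *password)
{
    char scratch[256];
    size_t i, len;

    bounded_copy(scratch, sizeof(scratch), password);
    len = strlen(scratch);
    for (i = 0; i < len; i++)
        scratch[i] = (char)toupper((unsigned char)scratch[i]);
    memset(out, 0, LM_FIELD_LEN);
    memcpy(out, scratch, len < LM_FIELD_LEN ? len : LM_FIELD_LEN);
}

int main(void)
{
    char name[13];                       /* constructed: 12 chars + NUL */
    unsigned char field[LM_FIELD_LEN];

    /* Passing the full size keeps the string; "sizeof - 1" drops one char. */
    printf("full size: lost %zu\n", bounded_copy(name, sizeof(name), "SHARENAME123"));
    printf("size - 1:  lost %zu\n", bounded_copy(name, sizeof(name) - 1, "SHARENAME123"));
    lm_field(field, "a-long-passphrase-here");
    printf("%.14s\n", (const char *)field);
    return 0;
}
```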