[PATCH] Fix bug #10100 - rpcclient crashes when sending the 'netshareenum 502' command
Michael Adam
obnox at samba.org
Wed Aug 21 07:36:25 MDT 2013
Pushed to autobuild.
Reviewing the code, I found another similar case.
I don't know if level 1 (instead of 502) suffers from
the same potential problem, but attached find a patch
that fixes smbtree.
Cheers - Michael
On 2013-08-20 at 10:58 -0700, Jeremy Allison wrote:
> On Tue, Aug 20, 2013 at 10:57:24AM -0700, Jeremy Allison wrote:
> > We are using the wrong variable for the returned count.
> > Reported by <pisymbol at gmail.com> who has also confirmed
> > the fix.
> >
> > Please review and apply.
> >
> > Cheers,
> >
> > Jeremy.
>
> Doh. Now with added patch (sorry :-).
>
> Jeremy.
> From ac8a2abb1d3593eecd075dc4e362b0dec3dc9e2b Mon Sep 17 00:00:00 2001
> From: Jeremy Allison <jra at samba.org>
> Date: Tue, 20 Aug 2013 10:55:27 -0700
> Subject: [PATCH] Fix bug #10100 - rpcclient crashes when sending the
> 'netshareenum 502' command
>
> We are using the wrong variable for the returned count.
> Reported by <pisymbol at gmail.com>.
>
> Signed-off-by: Jeremy Allison <jra at samba.org>
> ---
> source3/rpcclient/cmd_srvsvc.c | 10 +++++++---
> 1 file changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/source3/rpcclient/cmd_srvsvc.c b/source3/rpcclient/cmd_srvsvc.c
> index 0d67639..e5fa065 100644
> --- a/source3/rpcclient/cmd_srvsvc.c
> +++ b/source3/rpcclient/cmd_srvsvc.c
> @@ -273,6 +273,7 @@ static WERROR cmd_srvsvc_net_share_enum_int(struct rpc_pipe_client *cli,
> WERROR result;
> NTSTATUS status;
> uint32_t totalentries = 0;
> + uint32_t count = 0;
> uint32_t resume_handle = 0;
> uint32_t *resume_handle_p = NULL;
> uint32 preferred_len = 0xffffffff, i;
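Review bot: the new `count` in this declaration block sits directly beside `totalentries` with nothing to say how the two differ, which is the confusion this patch fixes. A short comment on each would help: `totalentries` is the total the server reports as available, and `count` is the number of array elements actually present in this reply. Minor style point: the new line uses `uint32_t` while the `preferred_len`/`i` declaration just below still uses `uint32`.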
> @@ -374,15 +375,18 @@ static WERROR cmd_srvsvc_net_share_enum_int(struct rpc_pipe_client *cli,
>
> switch (info_level) {
> case 1:
> - for (i = 0; i < totalentries; i++)
> + count = info_ctr.ctr.ctr1->count;
> + for (i = 0; i < count; i++)
> display_share_info_1(&info_ctr.ctr.ctr1->array[i]);
> break;
> case 2:
> - for (i = 0; i < totalentries; i++)
> + count = info_ctr.ctr.ctr2->count;
> + for (i = 0; i < count; i++)
> display_share_info_2(&info_ctr.ctr.ctr2->array[i]);
> break;
> case 502:
> - for (i = 0; i < totalentries; i++)
> + count = info_ctr.ctr.ctr502->count;
> + for (i = 0; i < count; i++)
> display_share_info_502(&info_ctr.ctr.ctr502->array[i]);
> break;
> default:
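Review bot: in each of cases 1, 2 and 502 the added `count = info_ctr.ctr.ctrN->count;` dereferences the container pointer with no NULL check, and the loop then indexes `->array[i]` on the strength of a count that comes from the server's reply. If a successful call can leave `ctr1`/`ctr2`/`ctr502` or its `array` unset, rpcclient would still crash at this point. Either guard each case, for example `if (info_ctr.ctr.ctr1 == NULL) break;` before reading the count, or confirm that the code above the switch already rules this out. The three cases also repeat the same assign-then-loop pattern, so any guard has to be added in all three places.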
> --
> 1.8.3
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-smbtree-use-the-correct-count-variable-from-NetShare.patch
Type: text/x-diff
Size: 889 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130821/9154f0be/attachment.patch>