[PATCH] Fix bug #10100 - rpcclient crashes when sending the 'netshareenum 502' command

Michael Adam obnox at samba.org
Wed Aug 21 07:36:25 MDT 2013


Pushed to autobuild.

Reviewing the code, I found another similar case.
I don't know if level 1 (instead of 502) suffers from
the same potential problem, but attached find a patch
that fixes smbtree.

Cheers - Michael

On 2013-08-20 at 10:58 -0700, Jeremy Allison wrote:
> On Tue, Aug 20, 2013 at 10:57:24AM -0700, Jeremy Allison wrote:
> > We are using the wrong variable for the returned count.
> > Reported by <pisymbol at gmail.com> who has also confirmed
> > the fix.
> > 
> > Please review and apply.
> > 
> > Cheers,
> > 
> > 	Jeremy.
> 
> Doh. Now with added patch (sorry :-).
> 
> Jeremy.

> From ac8a2abb1d3593eecd075dc4e362b0dec3dc9e2b Mon Sep 17 00:00:00 2001
> From: Jeremy Allison <jra at samba.org>
> Date: Tue, 20 Aug 2013 10:55:27 -0700
> Subject: [PATCH] Fix bug #10100 - rpcclient crashes when sending the
>  'netshareenum 502' command
> 
> We are using the wrong variable for the returned count.
> Reported by <pisymbol at gmail.com>.
> 
> Signed-off-by: Jeremy Allison <jra at samba.org>
> ---
>  source3/rpcclient/cmd_srvsvc.c | 10 +++++++---
>  1 file changed, 7 insertions(+), 3 deletions(-)
> 
> diff --git a/source3/rpcclient/cmd_srvsvc.c b/source3/rpcclient/cmd_srvsvc.c
> index 0d67639..e5fa065 100644
> --- a/source3/rpcclient/cmd_srvsvc.c
> +++ b/source3/rpcclient/cmd_srvsvc.c
> @@ -273,6 +273,7 @@ static WERROR cmd_srvsvc_net_share_enum_int(struct rpc_pipe_client *cli,
>  	WERROR result;
>  	NTSTATUS status;
>  	uint32_t totalentries = 0;
> +	uint32_t count = 0;
>  	uint32_t resume_handle = 0;
>  	uint32_t *resume_handle_p = NULL;
>  	uint32 preferred_len = 0xffffffff, i;
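Review bot: totalentries stays declared next to the new count variable at the top of cmd_srvsvc_net_share_enum_int(), and nothing here documents how the two differ. A one-line comment on the declarations would help, saying that totalentries is the total reported by the server and count is the number of elements actually present in the returned array. That would keep a later change from going back to using totalentries as a loop bound.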
> @@ -374,15 +375,18 @@ static WERROR cmd_srvsvc_net_share_enum_int(struct rpc_pipe_client *cli,
>  
>  	switch (info_level) {
>  	case 1:
> -		for (i = 0; i < totalentries; i++)
> +		count = info_ctr.ctr.ctr1->count;
> +		for (i = 0; i < count; i++)
>  			display_share_info_1(&info_ctr.ctr.ctr1->array[i]);
>  		break;
>  	case 2:
> -		for (i = 0; i < totalentries; i++)
> +		count = info_ctr.ctr.ctr2->count;
> +		for (i = 0; i < count; i++)
>  			display_share_info_2(&info_ctr.ctr.ctr2->array[i]);
>  		break;
>  	case 502:
> -		for (i = 0; i < totalentries; i++)
> +		count = info_ctr.ctr.ctr502->count;
> +		for (i = 0; i < count; i++)
>  			display_share_info_502(&info_ctr.ctr.ctr502->array[i]);
>  		break;
>  	default:
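Review bot: each case in the switch now reads the count through the container pointer, as in `count = info_ctr.ctr.ctr1->count;`, but no check is visible in this hunk that ctr1, ctr2 or ctr502 is non-NULL, or that ->array is non-NULL when count is non-zero. Both values are filled in from the server's reply. If nothing earlier in the function already guarantees this, add a guard per case, for example `if (info_ctr.ctr.ctr1 == NULL) break;`, and skip the loop when array is NULL. Otherwise a malformed reply can still crash the client through the same display loops.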
> -- 
> 1.8.3
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-smbtree-use-the-correct-count-variable-from-NetShare.patch
Type: text/x-diff
Size: 889 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130821/9154f0be/attachment.patch>