Fix for client generated core-dump bug where offset to readraw
author Jeremy Allison <jra@samba.org>
Fri, 27 Mar 1998 02:39:26 +0000 (02:39 +0000)
committer Jeremy Allison <jra@samba.org>
Fri, 27 Mar 1998 02:39:26 +0000 (02:39 +0000)
was so large that when used with -DUSE_MMAP it caused the unsigned
subtraction to wrap around and become positive - thus causing
a silly memcpy offset. Thanks to "Michael St. Laurent" <rowl@earthlink.net>
for giving me the core dump that allowed me to track this one
down.
Jeremy.
(This used to be commit c9e066037ab222472085c4a0ecc8a39b337ad2aa)

source3/smbd/server.c

index 08cf013920b65962cde74a3d2f1c157a0ca2555d..39580d008d4c3ab067c305a1185270be697415a3 100644 (file)
@@ -2058,7 +2058,8 @@ int read_file(int fnum,char *data,uint32 pos,int n)
 #if USE_MMAP
   if (Files[fnum].mmap_ptr)
     {
-      int num = MIN(n,(int)(Files[fnum].mmap_size-pos));
+      int num = (Files[fnum].mmap_size > pos) ? (Files[fnum].mmap_size - pos) : -1;
+      num = MIN(n,num);
       if (num > 0)
        {
          memcpy(data,Files[fnum].mmap_ptr+pos,num);
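
Review bot: on the added `int num = (Files[fnum].mmap_size > pos) ? (Files[fnum].mmap_size - pos) : -1;` line, the unsigned difference is still narrowed to `int`, so a remainder larger than INT_MAX would come out negative and the `num > 0` test would skip the mmap copy with no indication why. That fails safe, but it would be clearer to hold the remainder in an unsigned variable, clamp it against `n` once `n > 0` is confirmed, and convert to `int` only after the clamp. The `-1` sentinel for "pos is at or past the end of the mapping" also deserves a one-line comment, since the wrap it guards against is described only in the commit message and is not evident from the code.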