Fix bug 7399 - SMB2: QUERY_DIRECTORY is returning invalid values.
authorJeremy Allison <jra@samba.org>
Thu, 13 May 2010 22:59:09 +0000 (15:59 -0700)
committerJeremy Allison <jra@samba.org>
Thu, 13 May 2010 22:59:09 +0000 (15:59 -0700)
The end_data argument to smbd_dirptr_lanman2_entry() must include
the safety margin, as internally it's actually used to allow detection
of string name pushes that were truncated. Ensure space_remaining can
never go negative due to padding.

Jeremy.

source3/smbd/smb2_find.c
source3/smbd/trans2.c

index 66be7562e8734f83749ee7f43d36d163017298f8..6690adcb93eaaa80438950a4f1eff817fe6c6ea2 100644 (file)
@@ -373,7 +373,11 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
        state->out_output_buffer.length = 0;
        pdata = (char *)state->out_output_buffer.data;
        base_data = pdata;
-       end_data = pdata + in_output_buffer_length;
+       /*
+        * end_data must include the safety margin as it's what is
+        * used to determine if pushed strings have been truncated.
+        */
+       end_data = pdata + in_output_buffer_length + DIR_ENTRY_SAFETY_MARGIN - 1;
        last_entry_off = 0;
        off = 0;
        num = 0;
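Review bot: The new `end_data` bound assumes `state->out_output_buffer.data` was allocated with `DIR_ENTRY_SAFETY_MARGIN` bytes beyond `in_output_buffer_length`; that allocation is outside the hunk, so the added comment should state the precondition, e.g. `/* out_output_buffer must have been allocated with DIR_ENTRY_SAFETY_MARGIN extra bytes. */`. The `- 1` is also undocumented: the comment should say whether `end_data` is meant to point at the last writable byte rather than one past it, since the truncation check in smbd_dirptr_lanman2_entry() presumably depends on that convention. The enclosing smbd_smb2_find_send() begins and ends outside the hunk.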
index 5d51a7fb90267766ed3f54b06a0f279df0b6b589..3fa737f4b7e4b0587a7e2f65c19888763edc6608 100644 (file)
@@ -1523,6 +1523,16 @@ static bool smbd_marshall_dir_entry(TALLOC_CTX *ctx,
        off = (int)PTR_DIFF(pdata, base_data);
        pad = (off + (align-1)) & ~(align-1);
        pad -= off;
+
+       if (pad && pad > space_remaining) {
+               *out_of_space = true;
+               DEBUG(9,("smbd_marshall_dir_entry: out of space "
+                       "for padding (wanted %u, had %d)\n",
+                       (unsigned int)pad,
+                       space_remaining ));
+               return false; /* Not finished - just out of space */
+       }
+
        off += pad;
        /* initialize padding to 0 */
        if (pad) {
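Review bot: The comparison `pad > space_remaining` mixes types — the cast `(unsigned int)pad` and the `%d` for `space_remaining` suggest `pad` is unsigned and `space_remaining` is a signed int — so if `space_remaining` is already negative here the usual arithmetic conversions would make it compare as a large unsigned value and the guard would not fire; the `pad &&` prefix hints that a negative value is possible at this point. Making the comparison explicitly signed, `if (pad && (int)pad > space_remaining) {`, or asserting `space_remaining >= 0` on entry, would make the intent of the commit message ("can never go negative") hold. The enclosing smbd_marshall_dir_entry() begins and ends outside the hunk, so whether `space_remaining` is reduced by `pad` further down cannot be confirmed from here.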