r4383: in order to cope with overfilled buffers on trans2 findfirst we need to use...
authorAndrew Tridgell <tridge@samba.org>
Tue, 28 Dec 2004 23:28:02 +0000 (23:28 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 18:07:41 +0000 (13:07 -0500)
in trans2 fill code, even though the packets themselves can only use 16 bit lengths. This prevents
the overflow detection code from failing due to 16 bit length wrap.
(This used to be commit 5cd74c22e99bc78e1f3ddf3f098790c4b4b87b4f)

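index 2f2629a3ea06fbc3761fbc3774644f3541535cba..8aa60daa6df43d7028caa215b94fa73477eaf74b 100644
--- a/source4/smb_server/trans2.c
+++ b/source4/smb_server/trans2.c
@@ -119,8 +119,8 @@ static size_t trans2_pull_blob_string(struct smbsrv_request *req,
 */
 static size_t trans2_push_data_string(struct smbsrv_request *req, 
                                      struct smb_trans2 *trans,
-                                     uint16_t len_offset,
-                                     uint16_t offset,
+                                     uint32_t len_offset,
+                                     uint32_t offset,
                                      const WIRE_STRING *str,
                                      int dest_len,
                                      int flags)
@@ -193,7 +193,7 @@ static void trans2_append_data_string(struct smbsrv_request *req,
                                        int flags)
 {
        size_t ret;
-       uint16_t offset;
+       uint32_t offset;
        const int max_bytes_per_char = 3;
 
        offset = trans->out.data.length;
@@ -718,7 +718,7 @@ static NTSTATUS trans2_fileinfo_fill(struct smbsrv_request *req, struct smb_tran
                SSVAL(trans->out.params.data, 0, 0);
 
                for (i=0;i<st->stream_info.out.num_streams;i++) {
-                       uint16_t data_size = trans->out.data.length;
+                       uint32_t data_size = trans->out.data.length;
                        uint8_t *data;
 
                        trans2_grow_data(req, trans, data_size + 24);
@@ -1277,7 +1277,8 @@ static NTSTATUS trans2_findfirst(struct smbsrv_request *req, struct smb_trans2 *
                }
        }
 
-       /* setup the private state structure that the backend will give us in the callback */
+       /* setup the private state structure that the backend will
+          give us in the callback */
        state.req = req;
        state.trans = trans;
        state.level = search.t2ffirst.level;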
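Review bot: In the stream-info loop of trans2_fileinfo_fill, `data_size` is now 32 bit and `trans2_grow_data(req, trans, data_size + 24)` runs once per stream, but no bound against the 16 bit wire length is visible in this hunk. Widening stops the counter from wrapping, which only helps if the accumulated length is compared with the limit before it is narrowed into a 16 bit packet field. That comparison is presumably elsewhere in the function, whose body starts and ends outside the hunk, and should be confirmed for this loop as well as for the findfirst path. The same applies to `offset` and `len_offset` in trans2_push_data_string and to `offset` in trans2_append_data_string. I would record the invariant next to each widened declaration, for example `/* 32 bit on purpose: may exceed the 16 bit wire length; must be range-checked before being written to the packet */`, so a later cleanup does not narrow these back to `uint16_t`.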