fix smb_len calculation for chained requests

I think chain_reply() is one of the most tricky parts of Samba. This recursion
needs to go away, we need to sequentially walk the chain list.

diff --git a/source/smbd/process.c b/source/smbd/process.c
index 1771f552cc25247d0b5f3d50f3619a5bb404de97..4989c8fdfde65324bc4c0b3cbd6bde4a76a7b948 100644 (file)
--- a/source/smbd/process.c
+++ b/source/smbd/process.c
@@ -1636,6 +1636,7 @@ void chain_reply(struct smb_request *req)
        char *outbuf = (char *)req->outbuf;
        size_t outsize = smb_len(outbuf) + 4;
        size_t outsize_padded;
+       size_t padding;
        size_t ofs, to_move;
 
        struct smb_request *req2;
@@ -1674,6 +1675,7 @@ void chain_reply(struct smb_request *req)
         */
 
        outsize_padded = (outsize + 3) & ~3;
+       padding = outsize_padded - outsize;
 
        /*
         * remember how much the caller added to the chain, only counting
@@ -1787,17 +1789,17 @@ void chain_reply(struct smb_request *req)
        SCVAL(outbuf, smb_vwv0, smb_com2);
        SSVAL(outbuf, smb_vwv1, chain_size + smb_wct - 4);
 
-       if (outsize_padded > outsize) {
+       if (padding != 0) {
 
                /*
                 * Due to padding we have some uninitialized bytes after the
                 * caller's output
                 */
 
-               memset(outbuf + outsize, 0, outsize_padded - outsize);
+               memset(outbuf + outsize, 0, padding);
        }
 
-       smb_setlen(outbuf, outsize2 + chain_size - 4);
+       smb_setlen(outbuf, outsize2 + caller_outputlen + padding - 4);
 
        /*
         * restore the saved data, being careful not to overwrite any data