r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation
[tprouty/samba.git] / source / smbd / ipc.c
index 86d982b0227819f6fbafdb2add1f61568a222a91..9fcd39b5002caa932a0ebbcd3163ec055fa6d42f 100644 (file)
@@ -165,7 +165,7 @@ void send_trans_reply(char *outbuf,
 static BOOL api_rpc_trans_reply(char *outbuf, smb_np_struct *p)
 {
        BOOL is_data_outstanding;
-       char *rdata = malloc(p->max_trans_reply);
+       char *rdata = SMB_MALLOC(p->max_trans_reply);
        int data_len;
 
        if(rdata == NULL) {
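Review bot: The size passed to `SMB_MALLOC` here is `p->max_trans_reply`, which api_fd_reply assigns directly from `mdrcnt` (visible in the next hunk), so the allocation appears to be sized by a value taken from the request. A zero value can make some allocators return NULL, which the `rdata == NULL` branch would then treat as out-of-memory; whether SMB_MALLOC normalises that case is not visible here. A comment above the allocation such as `/* size is the max data return count recorded in api_fd_reply() */` would make the origin of the length clear. The function body continues outside the hunk.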
@@ -293,7 +293,7 @@ static int api_fd_reply(connection_struct *conn,uint16 vuid,char *outbuf,
                return api_no_reply(outbuf, mdrcnt);
        }
 
-       DEBUG(3,("Got API command 0x%x on pipe \"%s\" (pnum %x)", subcommand, p->name, pnum));
+       DEBUG(3,("Got API command 0x%x on pipe \"%s\" (pnum %x)\n", subcommand, p->name, pnum));
 
        /* record maximum data length that can be transmitted in an SMBtrans */
        p->max_trans_reply = mdrcnt;
@@ -389,7 +389,7 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
                goto bad_param;
   
        if (tdscnt)  {
-               if((data = (char *)malloc(tdscnt)) == NULL) {
+               if((data = (char *)SMB_MALLOC(tdscnt)) == NULL) {
                        DEBUG(0,("reply_trans: data malloc fail for %u bytes !\n", tdscnt));
                        END_PROFILE(SMBtrans);
                        return(ERROR_DOS(ERRDOS,ERRnomem));
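Review bot: The `(char *)` cast in front of `SMB_MALLOC(tdscnt)` is left over from the old call and is not needed. The first hunk of this commit assigns `SMB_MALLOC(...)` to a `char *` with no cast. Writing `if((data = SMB_MALLOC(tdscnt)) == NULL) {` keeps the converted call sites consistent and avoids hiding a type mismatch if the wrapper's return type ever changes. The same applies to `params = (char *)SMB_MALLOC(tpscnt)` in the next hunk.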
@@ -404,7 +404,7 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
        }
 
        if (tpscnt) {
-               if((params = (char *)malloc(tpscnt)) == NULL) {
+               if((params = (char *)SMB_MALLOC(tpscnt)) == NULL) {
                        DEBUG(0,("reply_trans: param malloc fail for %u bytes !\n", tpscnt));
                        SAFE_FREE(data);
                        END_PROFILE(SMBtrans);
@@ -421,7 +421,7 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
 
        if (suwcnt) {
                unsigned int i;
-               if((setup = (uint16 *)malloc(suwcnt*sizeof(uint16))) == NULL) {
+               if((setup = SMB_MALLOC_ARRAY(uint16,suwcnt)) == NULL) {
                        DEBUG(0,("reply_trans: setup malloc fail for %u bytes !\n", (unsigned int)(suwcnt * sizeof(uint16))));
                        SAFE_FREE(data);
                        SAFE_FREE(params);
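Review bot: The failure message still computes `suwcnt * sizeof(uint16)` by hand, which is the multiplication that `SMB_MALLOC_ARRAY(uint16,suwcnt)` now takes over. If the macro rejects the request because the product would overflow (presumably its purpose, though its definition is not on this page), the logged byte count would be the wrapped value. Logging the element count avoids that: `DEBUG(0,("reply_trans: setup malloc fail for %u words !\n", (unsigned int)suwcnt));`.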
@@ -445,6 +445,7 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
                   of the parameter/data bytes */
                outsize = set_message(outbuf,0,0,True);
                show_msg(outbuf);
+               srv_signing_trans_stop();
                if (!send_smb(smbd_server_fd(),outbuf))
                        exit_server("reply_trans: send_smb failed.");
        }
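Review bot: The added `srv_signing_trans_stop();` before the interim `send_smb()` has no comment, while the matching `srv_signing_trans_start()` in the next hunk is documented. Because it changes signing state immediately before a packet is sent, the reason should be stated at the call, for example `/* interim response: leave multi-part trans signing state before sending */`, with the wording adjusted to what the function guarantees. The hunks do not show where the state is closed after the last secondary arrives, so naming that place in the comment would help the next reader check the pairing.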
@@ -456,6 +457,13 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
       
                ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
 
+               /*
+                * The sequence number for the trans reply is always
+                * based on the last secondary received.
+                */
+
+               srv_signing_trans_start(SVAL(inbuf,smb_mid));
+
                if ((ret && (CVAL(inbuf, smb_com) != SMBtranss)) || !ret) {
                        if(ret) {
                                DEBUG(0,("reply_trans: Invalid secondary trans packet\n"));
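Review bot: `srv_signing_trans_start(SVAL(inbuf,smb_mid))` runs before the result of `receive_next_smb()` is checked, so when the receive fails or the packet is not an SMBtranss the signing state is still updated from whatever bytes are in `inbuf`. Moving the call below the `if ((ret && (CVAL(inbuf, smb_com) != SMBtranss)) || !ret)` block would mean only the mid of an accepted secondary is used. The hunks also do not show whether the `bad_param` exits taken after this point reset the state with `srv_signing_trans_stop()`, which is worth confirming. The loop body continues outside the hunk.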
@@ -494,7 +502,7 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
                        goto bad_param;
                
                if (pcnt) {
-                       if (pdisp+pcnt >= tpscnt)
+                       if (pdisp+pcnt > tpscnt)
                                goto bad_param;
                        if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
                                goto bad_param;
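Review bot: The wraparound test `(pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt)` comes after the bound comparison `pdisp+pcnt > tpscnt`, which has already used the sum. With unsigned operands both tests still run before any copy, but if the operands are signed (their declarations are outside the hunk) the overflow is undefined and an after-the-fact test is unreliable. Putting the wrap test first, or writing the bound as `pcnt > tpscnt || pdisp > tpscnt - pcnt`, makes the check safe on its face. A one-line comment such as `/* == tpscnt is valid: the last fragment may end exactly at the buffer end */` would record why `>=` became `>`. The same ordering and comment apply to the `ddisp`/`dcnt` check in the following hunk.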
@@ -510,7 +518,7 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
                }
 
                if (dcnt) {
-                       if (ddisp+dcnt >= tdscnt)
+                       if (ddisp+dcnt > tdscnt)
                                goto bad_param;
                        if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
                                goto bad_param;