if((namerec = find_name_on_subnet( subrec, &nmbname, FIND_SELF_NAME))!=NULL)
{
struct userdata_struct *userdata;
- int size = sizeof(struct userdata_struct) + sizeof(BOOL);
+ size_t size = sizeof(struct userdata_struct) + sizeof(BOOL);
if((userdata = (struct userdata_struct *)malloc(size)) == NULL)
{
void become_local_master_browser(struct subnet_record *subrec, struct work_record *work)
{
struct userdata_struct *userdata;
- int size = sizeof(struct userdata_struct) + sizeof(fstring) + 1;
+ size_t size = sizeof(struct userdata_struct) + sizeof(fstring) + 1;
/* Sanity check. */
if (!lp_local_master())
userdata->copy_fn = NULL;
userdata->free_fn = NULL;
userdata->userdata_len = strlen(work->work_group)+1;
- fstrcpy(userdata->data, work->work_group);
+ overmalloc_safe_strcpy(userdata->data, work->work_group, size - sizeof(*userdata) - 1);
/* Register the special browser group name. */
register_name(subrec, MSBROWSE, 0x01, samba_nb_type|NB_GROUP,
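Review bot: `userdata->userdata_len` is set from `strlen(work->work_group)+1` before the bounded copy, so if overmalloc_safe_strcpy ever truncates, the recorded length would exceed the string actually stored in `userdata->data`. Whether truncation can happen depends on the type of `work->work_group`, which these lines do not show. Moving the assignment after the copy and deriving it from the destination keeps the two in step: `userdata->userdata_len = strlen(userdata->data)+1;`. The bound `size - sizeof(*userdata) - 1` would also read better with a short comment such as `/* bytes over-allocated after the struct, less the terminator */`. The same pair of lines appears in the later hunk that ends at the node_status call, and both function bodies continue outside their hunks.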
struct work_record *work;
struct nmb_name nmbname;
struct userdata_struct *userdata;
- int size = sizeof(struct userdata_struct) + sizeof(fstring)+1;
+ size_t size = sizeof(struct userdata_struct) + sizeof(fstring)+1;
if( !(work = find_workgroup_on_subnet(subrec, q_name->name)) )
{
userdata->copy_fn = NULL;
userdata->free_fn = NULL;
userdata->userdata_len = strlen(work->work_group)+1;
- fstrcpy(userdata->data, work->work_group);
+ overmalloc_safe_strcpy(userdata->data, work->work_group, size - sizeof(*userdata) - 1);
node_status( subrec, &nmbname, answer_ip,
domain_master_node_status_success,
/****************************************************************************
Construct and send a netbios DGRAM.
**************************************************************************/
-BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf,int len,
+BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf, size_t len,
const char *srcname, int src_type,
const char *dstname, int dest_type,
struct in_addr dest_ip,struct in_addr src_ip,
SSVAL(ptr,smb_vwv15,1);
SSVAL(ptr,smb_vwv16,2);
p2 = smb_buf(ptr);
- pstrcpy(p2,mailslot);
+ safe_strcpy_base(p2, mailslot, dgram->data, sizeof(dgram->data));
p2 = skip_string(p2,1);
-
- memcpy(p2,buf,len);
- p2 += len;
+
+ if (((p2+len) > dgram->data+sizeof(dgram->data)) || ((p2+len) < p2)) {
+ DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n"));
+ return False;
+ } else {
+ memcpy(p2,buf,len);
+ p2 += len;
+ }
dgram->datasize = PTR_DIFF(p2,ptr+4); /* +4 for tcp length. */
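Review bot: The bounds test added before the memcpy forms `p2+len` before validating `len`, so an oversized length computes a pointer beyond the end of `dgram->data`, which is undefined behaviour in C. The wraparound test `(p2+len) < p2` is therefore one an optimising compiler is permitted to drop. Comparing lengths rather than pointers avoids both problems: `if (len > (size_t)(dgram->data + sizeof(dgram->data) - p2)) {`. That form assumes p2 still lies inside `dgram->data` after skip_string, which appears to hold given the bounded safe_strcpy_base call but is not checked in the visible lines. send_mailslot's body starts and ends outside this hunk.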