From 1a7b6fe34d6d7d29256fe3b5432593fa07d74838 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Sun, 10 Aug 2008 17:53:35 +0200
Subject: [PATCH] fix smb_len calculation for chained requests

I think chain_reply() is one of the most tricky parts of Samba. This recursion needs to go away, we need to sequentially walk the chain list.

(This used to be commit af2b01d85188d2301580643f7e862e3e3988aadc)
---
 source3/smbd/process.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index a1d2d88b3dd..332a2e4da3a 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1653,6 +1653,7 @@ void chain_reply(struct smb_request *req)
 	char *outbuf = (char *)req->outbuf;
 	size_t outsize = smb_len(outbuf) + 4;
 	size_t outsize_padded;
+	size_t padding;
 	size_t ofs, to_move;
 	struct smb_request *req2;
@@ -1691,6 +1692,7 @@ void chain_reply(struct smb_request *req)
 	 */
 	outsize_padded = (outsize + 3) & ~3;
+	padding = outsize_padded - outsize;
 	/*
 	 * remember how much the caller added to the chain, only counting
@@ -1804,17 +1806,17 @@ void chain_reply(struct smb_request *req)
 	SCVAL(outbuf, smb_vwv0, smb_com2);
 	SSVAL(outbuf, smb_vwv1, chain_size + smb_wct - 4);
-	if (outsize_padded > outsize) {
+	if (padding != 0) {
 		/*
 		 * Due to padding we have some uninitialized bytes after the
 		 * caller's output
 		 */
-		memset(outbuf + outsize, 0, outsize_padded - outsize);
+		memset(outbuf + outsize, 0, padding);
 	}
-	smb_setlen(outbuf, outsize2 + chain_size - 4);
+	smb_setlen(outbuf, outsize2 + caller_outputlen + padding - 4);
 	/*
 	 * restore the saved data, being careful not to overwrite any data
-- 
2.11.4.GIT
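Review bot: The new `padding` variable, declared in the first hunk and assigned here right after `outsize_padded = (outsize + 3) & ~3;`, carries no comment, although it names the bytes between the caller's reply and the chained reply that are uninitialized buffer contents until the memset in the third hunk zeroes them so nothing stale reaches the wire. I would document that intent at the assignment: `/* 4-byte alignment gap before the chained reply; must be zeroed before send */`, and at the declaration in the first hunk: `/* bytes of alignment padding after the caller's output */`. The third hunk's `smb_setlen(outbuf, outsize2 + caller_outputlen + padding - 4);` would likewise benefit from a one-line comment stating why `caller_outputlen + padding` replaces `chain_size` in the length header, since the commit message only says the calculation was wrong; that hunk is cut off in this view, so I cannot tell whether a bounds check against the allocated outbuf precedes it. chain_reply's body continues outside this hunk.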