From 284f91fa2d259e22a9aec8b68496586ae16871cb Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Fri, 16 Oct 2015 15:13:47 -0700
Subject: [PATCH] smbd: Fix file name buflen and padding in notify repsonse

The array is uint16, doubling the file name length consumes twice the space required.

As we're hand assembling this as a series of concatinated individual data_blobs, we must take care to ensure the correct 4 byte alignment that was being masked by the previous doubling of the filename length.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10634

Signed-off-by: Jeremy Allison
Signed-off-by: Volker Lendecke

Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Sun Oct 18 01:56:41 CEST 2015 on sn-devel-104

(cherry picked from commit 7c483690ac6ed007798aeeb7b8549c9d55877e56)
---
 librpc/idl/notify.idl | 4 +++-
 source3/smbd/notify.c | 14 +++++++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/librpc/idl/notify.idl b/librpc/idl/notify.idl
index 66422ec..09d06be 100644
--- a/librpc/idl/notify.idl
+++ b/librpc/idl/notify.idl
@@ -93,6 +93,8 @@ interface notify
 uint32 NextEntryOffset;
 FILE_NOTIFY_ACTION Action;
 [value(strlen_m(FileName1)*2)] uint32 FileNameLength;
- [charset(UTF16),flag(STR_NOTERM)] uint16 FileName1[FileNameLength];
+ [charset(UTF16),flag(STR_NOTERM)]
+ uint16 FileName1[strlen_m(FileName1)];
+ DATA_BLOB _pad;
 } FILE_NOTIFY_INFORMATION;
 }
diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c
index e776749..6257260 100644
--- a/source3/smbd/notify.c
+++ b/source3/smbd/notify.c
@@ -138,6 +138,7 @@ static bool notify_marshall_changes(int num_changes,
 struct notify_change_event *c;
 struct FILE_NOTIFY_INFORMATION m;
 DATA_BLOB blob;
+ uint16_t pad = 0;
 
 /* Coalesce any identical records. */
 while (i+1 < num_changes &&
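Review bot: The new `DATA_BLOB _pad;` field carries no NDR flag, and in Samba's NDR library a bare DATA_BLOB is, as far as I recall ndr_push_DATA_BLOB, written with a uint32 length prefix unless NDR_REMAINING (or an NDR_ALIGN* flag) is set, so every FILE_NOTIFY_INFORMATION entry would probably gain 4 extra bytes after the name; ndr_size_FILE_NOTIFY_INFORMATION would fold those into NextEntryOffset, so the chain stays self-consistent but not byte-exact with the MS-FSCC layout this commit is trying to match. Please confirm against ndr_basic.c and, if it holds, change the field to `[flag(NDR_REMAINING)] DATA_BLOB _pad;` so only the 0 or 2 bytes supplied by the caller are emitted. The struct's own attribute line, where any NOALIGN flag would live, is above the hunk and should be checked alongside this. A one-line comment on the field, `/* 0 or 2 bytes so NextEntryOffset stays 4-byte aligned; filled in by notify_marshall_changes() */`, would also tell IDL readers why a padding blob is part of a wire struct.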
@@ -151,12 +152,23 @@ static bool notify_marshall_changes(int num_changes,
 m.FileName1 = c->name;
 m.FileNameLength = strlen_m(c->name)*2;
 m.Action = c->action;
- m.NextEntryOffset = (i == num_changes-1) ? 0 : ndr_size_FILE_NOTIFY_INFORMATION(&m, 0);
+
+ m._pad = data_blob_null;
 
 /*
 * Offset to next entry, only if there is one
 */
 
+ if (i == (num_changes-1)) {
+ m.NextEntryOffset = 0;
+ } else {
+ if ((m.FileNameLength % 4) == 2) {
+ m._pad = data_blob_const(&pad, 2);
+ }
+ m.NextEntryOffset =
+ ndr_size_FILE_NOTIFY_INFORMATION(&m, 0);
+ }
+
 ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), &m,
 (ndr_push_flags_fn_t)ndr_push_FILE_NOTIFY_INFORMATION);
 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-- 
2.1.4
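Review bot: The alignment test `if ((m.FileNameLength % 4) == 2)` is only correct because the three fixed uint32 fields ahead of the name total 12 bytes (already 4-byte aligned) and FileNameLength is always even (`strlen_m(c->name)*2`), so at most 2 pad bytes can ever be needed, and none of that is stated; add `/* 12-byte header is aligned and the UTF-16 length is even: 0 or 2 pad bytes suffice. */` above the check. Likewise `m._pad = data_blob_const(&pad, 2);` borrows the per-iteration local `pad` declared in the earlier hunk, which is safe only because ndr_push_struct_blob presumably copies the bytes into `blob` before the iteration ends — a comment such as `/* pad is a per-iteration local; ndr_push_struct_blob below copies it */` would stop someone hoisting the push or the pad out of the loop. The last entry is intentionally left unpadded with NextEntryOffset 0, which matches the hunk but is worth saying in the existing "Offset to next entry" comment, now separated from the if by a blank line. notify_marshall_changes() continues beyond the hunk on both sides.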