diff -u source-orig/smbd/notify.c source/smbd/notify.c
--- source-orig/smbd/notify.c	2007-06-19 10:11:34.000000000 -0700
+++ source/smbd/notify.c	2007-07-17 15:57:54.219552000 -0700
@@ -27,7 +27,7 @@
 	struct files_struct *fsp;	/* backpointer for cancel by mid */
 	char request_buf[smb_size];
 	uint32 filter;
-	uint32 current_bufsize;
+	uint32 max_param;
 	struct notify_mid_map *mid_map;
 	void *backend_data;
 };
@@ -47,19 +47,40 @@
 	uint16 mid;
 };
+static BOOL notify_change_record_identical(struct notify_change *c1,
+					struct notify_change *c2)
+{
+	/* Note this is deliberately case sensitive. */
+	if (c1->action == c2->action &&
+			strcmp(c1->name, c2->name) == 0) {
+		return True;
+	}
+	return False;
+}
+
 static BOOL notify_marshall_changes(int num_changes,
-				    struct notify_change *changes,
-				    prs_struct *ps)
+				uint32 max_offset,
+				struct notify_change *changes,
+				prs_struct *ps)
 {
 	int i;
 	UNISTR uni_name;
 	for (i=0; iname, strlen(c->name)+1, &uni_name.buffer, True);
@@ -90,6 +111,11 @@
 		prs_set_offset(ps, prs_offset(ps)-2);
 		SAFE_FREE(uni_name.buffer);
+
+		if (prs_offset(ps) > max_offset) {
+			/* Too much data for client. */
+			return False;
+		}
 	}
 	return True;
@@ -125,7 +151,7 @@
 		"failed.");
 }
-void change_notify_reply(const char *request_buf,
+void change_notify_reply(const char *request_buf, uint32 max_param,
 			 struct notify_change_buf *notify_buf)
 {
 	char *outbuf = NULL;
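Review bot: notify_change_record_identical only reads through c1 and c2, so its parameters should be const-qualified, `static BOOL notify_change_record_identical(const struct notify_change *c1, const struct notify_change *c2)`, and the if/return-True/return-False body collapses to the single expression `return (c1->action == c2->action && strcmp(c1->name, c2->name) == 0);`. A header comment would state the contract, e.g. `/* True when two queued change records compare equal: same action and byte-identical (case-sensitive) name. */`; the helper is presumably used to coalesce duplicates inside the marshalling loop, but the loop body between the `for` line and the convert_string call is not legible in this copy of the hunk, so that use is inferred. `strcmp` requires both `name` pointers to be non-NULL, which is worth confirming against whatever queues the records. The new `max_offset` parameter of notify_marshall_changes is also undocumented; a comment that it is the client's NT-transact max parameter count (presumably in bytes), past which marshalling stops, would help the next reader.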
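Review bot: The `prs_offset(ps) > max_offset` test runs after the record has already been appended, so the stream can exceed max_offset by one full record before the loop gives up; that is only safe because the caller discards the stream when False is returned, and a comment should say so, e.g. `/* Checked after the append: the caller drops the whole stream on False, so overshooting by one record is harmless. */`. Returning False here also throws away every record marshalled so far, not just the one that did not fit, which the "Too much data for client." comment should spell out so nobody later tries to send the partial buffer. The enclosing loop starts outside this hunk.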
@@ -137,15 +163,18 @@
 		return;
 	}
-	if (!prs_init(&ps, 0, NULL, False)
-	    || !notify_marshall_changes(notify_buf->num_changes,
+	prs_init(&ps, 0, NULL, False);
+
+	if (!notify_marshall_changes(notify_buf->num_changes, max_param,
 					notify_buf->changes, &ps)) {
-		change_notify_reply_packet(request_buf, NT_STATUS_NO_MEMORY);
+		/*
+		 * We exceed what the client is willing to accept. Send
+		 * nothing.
+		 */
+		change_notify_reply_packet(request_buf, NT_STATUS_OK);
 		goto done;
 	}
-	buflen = smb_size+38+prs_offset(&ps) + 4 /* padding */;
-
 	if (!(outbuf = SMB_MALLOC_ARRAY(char, buflen))) {
 		change_notify_reply_packet(request_buf, NT_STATUS_NO_MEMORY);
 		goto done;
@@ -206,7 +235,7 @@
 	return status;
 }
-NTSTATUS change_notify_add_request(const char *inbuf,
+NTSTATUS change_notify_add_request(const char *inbuf, uint32 max_param,
 				   uint32 filter, BOOL recursive,
 				   struct files_struct *fsp)
 {
@@ -223,11 +252,11 @@
 	map->req = request;
 	memcpy(request->request_buf, inbuf, sizeof(request->request_buf));
-	request->current_bufsize = 0;
+	request->max_param = max_param;
 	request->filter = filter;
 	request->fsp = fsp;
 	request->backend_data = NULL;
-
+
 	DLIST_ADD_END(fsp->notify->requests, request,
 		      struct notify_change_request *);
@@ -399,6 +428,7 @@
 		 */
 		change_notify_reply(fsp->notify->requests->request_buf,
+				    fsp->notify->requests->max_param,
 				    fsp->notify);
 		change_notify_remove_request(fsp->notify->requests);
diff -u source-orig/smbd/nttrans.c source/smbd/nttrans.c
--- source-orig/smbd/nttrans.c	2007-06-19 10:11:34.000000000 -0700
+++ source/smbd/nttrans.c	2007-07-17 15:58:00.916313000 -0700
@@ -1979,7 +1979,7 @@
 		 * here.
 		 */
-		change_notify_reply(inbuf, fsp->notify);
+		change_notify_reply(inbuf, max_param_count, fsp->notify);
 		/*
 		 * change_notify_reply() above has independently sent its
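Review bot: `buflen` is still the size passed to `SMB_MALLOC_ARRAY(char, buflen)` in this hunk, but the only assignment visible, `buflen = smb_size+38+prs_offset(&ps) + 4`, is deleted and nothing in the patch replaces it; unless buflen is now computed elsewhere in change_notify_reply (outside this hunk) the allocation is sized from whatever buflen held at declaration, and if the computation was moved ahead of the marshalling it can no longer account for prs_offset(&ps), so confirm that the later copy of the marshalled stream into outbuf is still bounded by what was allocated. The return value of `prs_init` is also no longer checked; unless a zero-size prs_init cannot fail, keep `if (!prs_init(&ps, 0, NULL, False)) { change_notify_reply_packet(request_buf, NT_STATUS_NO_MEMORY); goto done; }`. Answering an over-size result with NT_STATUS_OK and no data makes it indistinguishable from "nothing changed" for the client, which then has no reason to rescan the directory; if the intent is to make it rescan, NT_STATUS_NOTIFY_ENUM_DIR is the status Windows servers return when the change buffer overflows, which is worth confirming against what the client side expects. change_notify_reply continues outside the hunk in both directions.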
@@ -1992,7 +1992,8 @@
 	 * No changes pending, queue the request
 	 */
-	status = change_notify_add_request(inbuf, filter, recursive, fsp);
+	status = change_notify_add_request(inbuf, max_param_count, filter,
+					   recursive, fsp);
 	if (!NT_STATUS_IS_OK(status)) {
 		return ERROR_NT(status);
 	}