From d5e13d197ab2ab7dace1ac18baeca348f4e0bdcb Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 9 Feb 2010 15:44:03 -0800 Subject: [PATCH] Fix bug #7122 - Reading a large browselist fails (server returns invalid values in subsequent SMBtrans replies) There are two problems: 1). The server is off-by-one in the end of buffer space test. 2). The server returns 0 in the totaldata (smb_vwv1) and totalparams (smb_vwv0) fields in the second and subsequent SMBtrans replies. This patch fixes both. Jeremy. --- source/smbd/ipc.c | 3 +++ source/smbd/lanman.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c
index 8e40c30..52d70a3 100644
--- a/source/smbd/ipc.c
+++ b/source/smbd/ipc.c
@@ -159,6 +159,9 @@ void send_trans_reply(connection_struct *conn,
 rparam, tot_param_sent, this_lparam, rdata, tot_data_sent, this_ldata);
+ SSVAL(req->outbuf,smb_vwv0,lparam);
+ SSVAL(req->outbuf,smb_vwv1,ldata);
+
 SSVAL(req->outbuf,smb_vwv3,this_lparam); SSVAL(req->outbuf,smb_vwv4,smb_offset(smb_buf(req->outbuf)+1, req->outbuf));
diff --git a/source/smbd/lanman.c b/source/smbd/lanman.c
index 936a4fd..2b4076e 100644
--- a/source/smbd/lanman.c
+++ b/source/smbd/lanman.c
@@ -1459,7 +1459,7 @@ static bool api_RNetServerEnum(connection_struct *conn, uint16 vuid,
 DEBUG(4,("fill_srv_info %20s %8x %25s %15s\n", s->name, s->type, s->comment, s->domain));
- if (data_len <= buf_len) {
+ if (data_len < buf_len) {
 counted++; fixed_len += f_len; string_len += s_len;
@@ -1823,7 +1823,7 @@ static bool api_RNetShareEnum( connection_struct *conn, uint16 vuid,
 if( lp_browseable( i ) && lp_snum_ok( i ) && (strlen(servicename_dos) < 13)) { total++; data_len += fill_share_info(conn,i,uLevel,0,&f_len,0,&s_len,0);
- if (data_len <= buf_len) {
+ if (data_len < buf_len) {
 counted++; fixed_len += f_len; string_len += s_len;
-- 1.6.6
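Review bot: The two added SSVAL lines store `lparam` and `ldata` as 16-bit totals, and nothing in the hunk bounds either value first, so a total above 0xFFFF would reach the client modulo 65536 while the `tot_param_sent`/`tot_data_sent` bookkeeping visible in the context lines keeps counting the real size; presumably the callers already keep replies within the client's 16-bit maximum counts, but that invariant is not visible here and is worth a comment or an explicit check. The reason the totals now have to be written on every pass rather than only once is also undocumented, and is exactly the thing the next refactor will undo; I would put `/* bug #7122: the total param/data counts must be present in every fragment of a multi-part SMBtrans reply, not just the first, or the client stops reading early. */` directly above the new lines. send_trans_reply's body starts and ends outside this hunk, so the loop these lines are presumably inside cannot be checked from here.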
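Review bot: The new test `data_len < buf_len` rejects an entry whose data would end exactly at `buf_len`, and neither the hunk nor the commit message says why an exact fit is invalid; if one byte of the buffer is reserved for something that should be stated at the check, otherwise `<=` was the precise bound and the real off-by-one lives in how `buf_len` or `data_len` is computed, which is outside the hunk. I would record the intent as `/* bug #7122: an entry that would exactly fill buf_len is treated as not fitting */` so the choice is not silently reverted later. The declarations of `data_len` and `buf_len` are not visible either; if one is signed and the other unsigned, a wrapped `data_len` would pass this comparison, so the types are worth confirming. api_RNetServerEnum's body starts and ends outside this hunk.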
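Review bot: `data_len` is charged with the `fill_share_info` size before the fit test and is never reduced in the visible lines, so once one share fails `data_len < buf_len` every later share is rejected as well, however small, assuming `buf_len` is fixed for the loop; that is what keeps the returned entries a contiguous prefix, but it reads like an accident next to the `total++` that keeps counting everything. A comment above the check such as `/* data_len is cumulative: after the first entry that does not fit, all later ones are skipped so the reply stays a contiguous prefix; total still counts every browseable share */` would stop a future reader from "fixing" it, and the same comment belongs at the identical check in api_RNetServerEnum. api_RNetShareEnum's body starts and ends outside this hunk.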