From: Volker Lendecke <vl@samba.org>
Date: Mon, 10 Feb 2014 18:08:46 +0000 (-0800)
Subject: smbd: Fix memory overwrites
X-Git-Tag: samba-4.0.15~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=68048a5e30465c0991baa487d75ac1b75e0106de;p=thirdparty%2Fsamba.git

smbd: Fix memory overwrites

SIVAL writes 32 bit, not 16

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Back-ported-from master git commit : 9088bde059e93a84745ec2158e2e640b5bb13844

Fix bug #10415 - *** glibc detected *** /usr/sbin/smbd: free(): invalid next
size (fast).
---

diff --git a/source3/smbd/smb2_ioctl.c b/source3/smbd/smb2_ioctl.c
index c46520a5a78..8d24fb59bed 100644
--- a/source3/smbd/smb2_ioctl.c
+++ b/source3/smbd/smb2_ioctl.c
@@ -569,8 +569,8 @@ static struct tevent_req *smbd_smb2_ioctl_send(TALLOC_CTX *mem_ctx,
 
 		SIVAL(state->out_output.data, 0x00, conn->smb2.server.capabilities);
 		memcpy(state->out_output.data+0x04, out_guid_blob.data, 16);
-		SIVAL(state->out_output.data, 0x14, conn->smb2.server.security_mode);
-		SIVAL(state->out_output.data, 0x16, conn->smb2.server.dialect);
+		SSVAL(state->out_output.data, 0x14, conn->smb2.server.security_mode);
+		SSVAL(state->out_output.data, 0x16, conn->smb2.server.dialect);
 
 		tevent_req_done(req);
 		return tevent_req_post(req, ev);