From: Volker Lendecke
Date: Sun, 10 Aug 2008 15:53:35 +0000 (+0200)
Subject: fix smb_len calculation for chained requests
X-Git-Tag: samba-3.3.0pre1~252
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=af2b01d85188d2301580643f7e862e3e3988aadc;p=thirdparty%2Fsamba.git
fix smb_len calculation for chained requests
I think chain_reply() is one of the most tricky parts of Samba. This recursion needs to go away, we need to sequentially walk the chain list.
---
diff --git a/source/smbd/process.c b/source/smbd/process.c
index a1d2d88b3dd..332a2e4da3a 100644
--- a/source/smbd/process.c
+++ b/source/smbd/process.c
@@ -1653,6 +1653,7 @@ void chain_reply(struct smb_request *req)
 char *outbuf = (char *)req->outbuf;
 size_t outsize = smb_len(outbuf) + 4;
 size_t outsize_padded;
+ size_t padding;
 size_t ofs, to_move;
 struct smb_request *req2;
@@ -1691,6 +1692,7 @@ void chain_reply(struct smb_request *req)
 */
 outsize_padded = (outsize + 3) & ~3;
+ padding = outsize_padded - outsize;
 /*
 * remember how much the caller added to the chain, only counting
@@ -1804,17 +1806,17 @@ void chain_reply(struct smb_request *req)
 SCVAL(outbuf, smb_vwv0, smb_com2);
 SSVAL(outbuf, smb_vwv1, chain_size + smb_wct - 4);
- if (outsize_padded > outsize) {
+ if (padding != 0) {
 /*
 * Due to padding we have some uninitialized bytes after the
 * caller's output
 */
- memset(outbuf + outsize, 0, outsize_padded - outsize);
+ memset(outbuf + outsize, 0, padding);
 }
- smb_setlen(outbuf, outsize2 + chain_size - 4);
+ smb_setlen(outbuf, outsize2 + caller_outputlen + padding - 4);
 /*
 * restore the saved data, being careful not to overwrite any data
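Review bot: The new length passed to `smb_setlen`, `outsize2 + caller_outputlen + padding - 4`, carries no comment saying what each term contributes, while the `SSVAL(outbuf, smb_vwv1, ...)` offset two lines above still derives its value from `chain_size`; a one-line comment above the call naming the components being summed (the caller's output length, the alignment padding zeroed just above it, and the size of the chained reply) and the 4 bytes of length header being subtracted would let the next reader check the arithmetic without re-deriving the buffer layout. The hunk does not show how `outsize2` and `caller_outputlen` are computed, so whether the `chain_size` still used for the `smb_vwv1` offset is intentionally a different quantity from the new total cannot be verified here and deserves a sentence in the commit message or a comment. As a point of style, `memset(outbuf + outsize, 0, 0)` is already a no-op, so the `if (padding != 0)` guard only serves to scope the explanatory comment. chain_reply() begins and ends outside this hunk.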