From 67168e7dd821b68e37db9e46dc8cd731951a2240 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 8 Sep 2014 16:16:24 -0700
Subject: [PATCH] s3: smbd: Ensure we don't call qsort() with a size of -1.

Based on a patch idea from Ken Harris <kharris@mathworks.com>

Fixes bug 10798 - crash in source3/smbd/notify.c

https://bugzilla.samba.org/show_bug.cgi?id=10798

Signed-off-by: Jeremy Allison <jra@samba.org>
---
 source3/smbd/notify.c | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c
index dd4dc1a..ac1a55c 100644
--- a/source3/smbd/notify.c
+++ b/source3/smbd/notify.c
@@ -105,6 +105,14 @@ static bool notify_change_record_identical(struct notify_change_event *c1,
 	return False;
 }
 
+static int compare_notify_change_events(const void *p1, const void *p2)
+{
+	const struct notify_change_event *e1 = p1;
+	const struct notify_change_event *e2 = p2;
+
+	return timespec_compare(&e1->when, &e2->when);
+}
+
 static bool notify_marshall_changes(int num_changes,
 				uint32 max_offset,
 				struct notify_change_event *changes,
@@ -116,6 +124,14 @@ static bool notify_marshall_changes(int num_changes,
 		return false;
 	}
 
+	/*
+	 * Sort the notifies by timestamp when the event happened to avoid
+	 * coalescing and thus dropping events.
+	 */
+
+	qsort(changes, num_changes,
+	      sizeof(*changes), compare_notify_change_events);
+
 	for (i=0; i<num_changes; i++) {
 		enum ndr_err_code ndr_err;
 		struct notify_change_event *c;
@@ -170,14 +186,6 @@ static bool notify_marshall_changes(int num_changes,
 	return True;
 }
 
-static int compare_notify_change_events(const void *p1, const void *p2)
-{
-	const struct notify_change_event *e1 = p1;
-	const struct notify_change_event *e2 = p2;
-
-	return timespec_compare(&e1->when, &e2->when);
-}
-
 /****************************************************************************
  Setup the common parts of the return packet and send it.
 *****************************************************************************/
@@ -202,14 +210,6 @@ void change_notify_reply(struct smb_request *req,
 		return;
 	}
 
-	/*
-	 * Sort the notifies by timestamp when the event happened to avoid
-	 * coalescing and thus dropping events in notify_marshall_changes.
-	 */
-
-	qsort(notify_buf->changes, notify_buf->num_changes,
-	      sizeof(*(notify_buf->changes)), compare_notify_change_events);
-
 	if (!notify_marshall_changes(notify_buf->num_changes, max_param,
 					notify_buf->changes, &blob)) {
 		/*
-- 
2.1.0.rc2.206.gedb03e5