From 5ef8ce05059db5f7daf24c698319bcd53794dab6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 8 Feb 2010 18:38:03 +0100
Subject: [PATCH 1/4] s3:libsmb: fix NetServerEnum3 rap calls.

metze
(cherry picked from commit 9b5198dd443a00fdad4faa1f9cdabedd81012d93)
---
 source/libsmb/clirap.c | 24 +++++++++++++++++++-----
 1 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/source/libsmb/clirap.c b/source/libsmb/clirap.c
index d248d0c..116e0a9 100644
--- a/source/libsmb/clirap.c
+++ b/source/libsmb/clirap.c
@@ -270,11 +270,9 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
 p = param;
 SIVAL(p,0,func); /* api number */
 p += 2;
- /* Next time through we need to use the continue api */
- func = RAP_NetServerEnum3;
 
- if (last_entry) {
- strlcpy(p,"WrLehDOz", sizeof(param)-PTR_DIFF(p,param));
+ if (func == RAP_NetServerEnum3) {
+ strlcpy(p,"WrLehDzz", sizeof(param)-PTR_DIFF(p,param));
 } else {
 strlcpy(p,"WrLehDz", sizeof(param)-PTR_DIFF(p,param));
 }
@@ -293,7 +291,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
 * to continue from.
 */
 len = push_ascii(p,
- last_entry ? last_entry : workgroup,
+ workgroup,
 sizeof(param) - PTR_DIFF(p,param) - 1,
 STR_TERMINATE|STR_UPPER);
 
@@ -303,6 +301,22 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
 }
 p += len;
 
+ if (func == RAP_NetServerEnum3) {
+ len = push_ascii(p,
+ last_entry ? last_entry : "",
+ sizeof(param) - PTR_DIFF(p,param) - 1,
+ STR_TERMINATE);
+
+ if (len == (size_t)-1) {
+ SAFE_FREE(last_entry);
+ return false;
+ }
+ p += len;
+ }
+
+ /* Next time through we need to use the continue api */
+ func = RAP_NetServerEnum3;
+
 if (!cli_api(cli, param, PTR_DIFF(p,param), 8, /* params, length, max */
 NULL, 0, CLI_BUFFER_SIZE, /* data, length, max */
-- 
1.6.3.3

From 52c07e775992a1f5a4468cbc4527c3f0b5cdb5ba Mon Sep 17 00:00:00 2001
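Review bot: The new branch picks between the descriptor strings `"WrLehDzz"` and `"WrLehDz"` on `func`, but nothing at this point says what the extra trailing `z` stands for, and the push_ascii of `last_entry` that actually fills it lives in a separate hunk further down. A one-line comment on the `if` would spare the next reader the search: `/* NetServerEnum3 takes one more string than NetServerEnum2: the name to continue the listing from */`. The branch also relies on `func` holding the non-continuation call on the first pass; that initialisation, and the start of the enclosing cli_NetServerEnum loop, are outside the hunk, so it is worth confirming rather than assuming.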
From: Stefan Metzmacher
Date: Wed, 10 Feb 2010 19:49:48 +0100
Subject: [PATCH 2/4] s3:smbd: Fix really ugly bool vs. int bug!!!

A comparison function for qsort needs to return an 'int'! Otherwise you'll get random results depending on the compiler and the architecture...

metze
(cherry picked from commit 1686a5e7e7eb1b411b003cbbde5c0d28741c6d02)
---
 source/smbd/lanman.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/source/smbd/lanman.c b/source/smbd/lanman.c
index 5fb05de..bc1cb95 100644
--- a/source/smbd/lanman.c
+++ b/source/smbd/lanman.c
@@ -1352,7 +1352,7 @@ static int fill_srv_info(struct srv_info_struct *service,
 }
 
 
-static bool srv_comp(struct srv_info_struct *s1,struct srv_info_struct *s2)
+static int srv_comp(struct srv_info_struct *s1,struct srv_info_struct *s2)
 {
 return(strcmp(s1->name,s2->name));
 }
-- 
1.6.3.3

From c567e04281c6d1a10359d557bcc8ed79708528c1 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 9 Feb 2010 12:17:08 -0800
Subject: [PATCH 3/4] Fix off-by-one error in working out the limit of the NetServerEnum comment.

Jeremy.
(cherry picked from commit 9ad6f432f3f5844b4b419e7cbaf3c3e70b052d29)
Signed-off-by: Stefan Metzmacher
---
 source/libsmb/clirap.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/source/libsmb/clirap.c b/source/libsmb/clirap.c
index 116e0a9..ea9e439 100644
--- a/source/libsmb/clirap.c
+++ b/source/libsmb/clirap.c
@@ -389,7 +389,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
 comment_offset = (IVAL(p,22) & 0xFFFF)-converter;
 cmnt = comment_offset?(rdata+comment_offset):"";
 
- if (comment_offset < 0 || comment_offset > (int)rdrcnt) {
+ if (comment_offset < 0 || comment_offset >= (int)rdrcnt) {
 TALLOC_FREE(frame);
 continue;
 }
-- 
1.6.3.3

From 96c18bb1ffef64b328b09b68883cefacdd8651ea Mon Sep 17 00:00:00 2001
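Review bot: Changing the return type to `int` fixes the value qsort reads, but the parameters are still `struct srv_info_struct *` rather than `const void *`, so the qsort call (not in this hunk) must cast the function pointer, and calling a function through a pointer of an incompatible type is itself undefined behaviour, the same category of problem this commit is fixing. The conventional shape is `static int srv_comp(const void *a, const void *b)` with `const struct srv_info_struct *s1 = a, *s2 = b;` ahead of the existing `return(strcmp(s1->name,s2->name));`, after which the cast at the call site can go. I am inferring the qsort use from the commit message; fill_srv_info ends at the hunk's first line and srv_comp itself is fully visible.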
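Review bot: The tightened bound only guarantees that `comment_offset` indexes inside the `rdrcnt` bytes of `rdata`; it does not guarantee that the comment string starting there is NUL-terminated before the end of the buffer, so any later use of `cmnt` as a C string (outside this hunk) can still read past the reply on a malformed or truncated server response. A cheap guard in the same condition would be `if (comment_offset < 0 || comment_offset >= (int)rdrcnt || (comment_offset && memchr(rdata + comment_offset, '\0', rdrcnt - comment_offset) == NULL)) {`, so an unterminated comment is skipped the same way an out-of-range one is. Note that `cmnt` is computed on the line before the check, so the `continue` must remain the only way out when the check fails.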
From: Jeremy Allison
Date: Tue, 9 Feb 2010 15:23:38 -0800
Subject: [PATCH 4/4] Fix bug #7122 - Reading a large browselist fails (server returns invalid values in subsequent SMBtrans replies)

There are two problems:
1). The server is off-by-one in the end of buffer space test.
2). The server returns 0 in the totaldata (smb_vwv1) and totalparams (smb_vwv0) fields in the second and subsequent SMBtrans replies.
This patch fixes both.
Jeremy.
(similar to commit b07a14dc37d2899f662e1cf87064f99c0bd10b25)
Signed-off-by: Stefan Metzmacher
---
 source/smbd/ipc.c | 3 +++
 source/smbd/lanman.c | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c
index 5c9f9f6..8b6c88b 100644
--- a/source/smbd/ipc.c
+++ b/source/smbd/ipc.c
@@ -163,6 +163,9 @@ void send_trans_reply(connection_struct *conn, const uint8_t *inbuf,
 rparam, tot_param_sent, this_lparam,
 rdata, tot_data_sent, this_ldata);
 
+ SSVAL(outbuf,smb_vwv0,lparam);
+ SSVAL(outbuf,smb_vwv1,ldata);
+
 SSVAL(outbuf,smb_vwv3,this_lparam);
 SSVAL(outbuf,smb_vwv4,smb_offset(smb_buf(outbuf)+1,outbuf));
 SSVAL(outbuf,smb_vwv5,tot_param_sent);
diff --git a/source/smbd/lanman.c b/source/smbd/lanman.c
index bc1cb95..29566d1 100644
--- a/source/smbd/lanman.c
+++ b/source/smbd/lanman.c
@@ -1456,7 +1456,7 @@ static bool api_RNetServerEnum(connection_struct *conn, uint16 vuid,
 DEBUG(4,("fill_srv_info %20s %8x %25s %15s\n",
 s->name, s->type, s->comment, s->domain));
 
- if (data_len <= buf_len) {
+ if (data_len < buf_len) {
 counted++;
 fixed_len += f_len;
 string_len += s_len;
@@ -1820,7 +1820,7 @@ static bool api_RNetShareEnum( connection_struct *conn, uint16 vuid,
 if( lp_browseable( i ) && lp_snum_ok( i ) && (strlen(servicename_dos) < 13)) {
 total++;
 data_len += fill_share_info(conn,i,uLevel,0,&f_len,0,&s_len,0);
- if (data_len <= buf_len) {
+ if (data_len < buf_len) {
 counted++;
 fixed_len += f_len;
 string_len += s_len;
-- 
1.6.3.3
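Review bot: The two new SSVAL stores write the reply's total parameter and data counts unconditionally, and nothing in the code says why they belong on every fragment rather than only the first; per the commit message the point is that clients read them from each SMBtrans reply and treat 0 as invalid, which is exactly the reasoning a later cleanup would lose. I would put above them: `/* Total counts must be repeated in every fragment of a multi-part reply, not just the first; clients treat 0 here as invalid (bug #7122). */`. SSVAL stores 16 bits, so if `lparam`/`ldata` can ever exceed 65535 the totals are silently truncated; their types are not visible here, and the enclosing send_trans_reply starts and ends outside the hunk.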
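Review bot: Replacing `<=` with `<` means an entry whose cumulative `data_len` would exactly equal `buf_len` is now left uncounted, but nothing in the code records why an exact fit is rejected, so the next reader is likely to see the `<` as the off-by-one and put `<=` back. A why-comment on the condition would anchor it: `/* '<', not '<=': an entry that exactly fills buf_len is treated as not fitting (bug #7122) */`. The identical change in api_RNetShareEnum in the following hunk deserves the same comment; both enclosing functions start and end outside their hunks, and whether the spare byte is needed because the lengths from fill_srv_info/fill_share_info exclude something the client expects is not visible here.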