s3:libsmb: don't use cli->inbuf in cli_dfs_get_referral()

The rdata buffer returned by cli_trans() doesn't belong to
cli->inbuf, so don't use it.

metze

diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index 8df5423664f4138b8666d406c8bed446d7d2df37..2287812c188d79ec6cdac296189d3ac7f8c9f6a8 100644 (file)
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -608,7 +608,8 @@ NTSTATUS cli_dfs_get_referral(TALLOC_CTX *ctx,
 {
        unsigned int data_len = 0;
        unsigned int param_len = 0;
-       uint16 setup[1];
+       uint16_t setup[1];
+       uint16_t recv_flags2;
        uint8_t *param = NULL;
        uint8_t *rdata = NULL;
        char *p;
@@ -643,7 +644,7 @@ NTSTATUS cli_dfs_get_referral(TALLOC_CTX *ctx,
                           setup, 1, 0,
                           param, param_len, 2,
                           NULL, 0, cli->max_xmit,
-                          NULL,
+                          &recv_flags2,
                           NULL, 0, NULL, /* rsetup */
                           NULL, 0, NULL,
                           &rdata, 4, &data_len);
@@ -720,11 +721,12 @@ NTSTATUS cli_dfs_get_referral(TALLOC_CTX *ctx,
                                status = NT_STATUS_INVALID_NETWORK_RESPONSE;
                                goto out;
                        }
-                       clistr_pull_talloc(ctx, cli->inbuf,
-                                          SVAL(cli->inbuf, smb_flg2),
+                       clistr_pull_talloc(referrals,
+                                          (const char *)rdata,
+                                          recv_flags2,
                                           &referrals[i].dfspath,
                                           p+node_offset,
-                                          cli->bufsize - ((p+node_offset)-cli->inbuf),
+                                          PTR_DIFF(endp, p+node_offset),
                                           STR_TERMINATE|STR_UNICODE);
 
                        if (!referrals[i].dfspath) {