Fix bug #7122 - Reading a large browselist fails (server returns invalid values in...
authorJeremy Allison <jra@samba.org>
Tue, 9 Feb 2010 23:14:38 +0000 (15:14 -0800)
committerKarolin Seeger <kseeger@samba.org>
Thu, 11 Feb 2010 10:28:53 +0000 (11:28 +0100)
There are two problems:

1). The server is off-by-one in the end of buffer space test.
2). The server returns 0 in the totaldata (smb_vwv1) and totalparams (smb_vwv0)
fields in the second and subsequent SMBtrans replies.

This patch fixes both.

Jeremy.
(cherry picked from commit 8ddc977c1421a47bedba8d5494f7ae67692b772a)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
source3/smbd/ipc.c
source3/smbd/lanman.c

index 5fd756e384b03e0b3ee14a0a1fc84c5b535031a4..2cf00389855e4838fef7e79671932eb1e4867666 100644 (file)
@@ -170,6 +170,9 @@ void send_trans_reply(connection_struct *conn,
                                           rparam, tot_param_sent, this_lparam,
                                           rdata, tot_data_sent, this_ldata);
 
+               SSVAL(req->outbuf,smb_vwv0,lparam);
+               SSVAL(req->outbuf,smb_vwv1,ldata);
+
                SSVAL(req->outbuf,smb_vwv3,this_lparam);
                SSVAL(req->outbuf,smb_vwv4,
                      smb_offset(smb_buf(req->outbuf)+1,req->outbuf));
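Review bot: The two added `SSVAL` stores write `lparam` and `ldata` into the 16-bit `smb_vwv0`/`smb_vwv1` fields with no range check visible in this hunk, so a total above 0xFFFF would be silently truncated and the client would again see totals that disagree with the per-packet counts. The rest of send_trans_reply is outside the hunk; if the totals are not bounded there, an explicit check before these stores would make the limit visible. A short comment above them would also keep the stores from being mistaken for redundant ones, for example `/* Every follow-up reply must repeat the total param/data counts (bug #7122). */`.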
index 4e7c9456c9eaaed0e0c2fd92e879167aebd1bbc5..40b6acae9f2621589d1af503fc26e83f63962b35 100644 (file)
@@ -1459,7 +1459,7 @@ static bool api_RNetServerEnum2(connection_struct *conn, uint16 vuid,
                        DEBUG(4,("fill_srv_info[%d] %20s %8x %25s %15s\n",
                                i, s->name, s->type, s->comment, s->domain));
 
-                       if (data_len <= buf_len) {
+                       if (data_len < buf_len) {
                                counted++;
                                fixed_len += f_len;
                                string_len += s_len;
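Review bot: The strict `<` in the `data_len`/`buf_len` test is not explained in the code, and the same one-character change is repeated in api_RNetServerEnum3 and api_RNetShareEnum, so a later cleanup could easily restore `<=` at one of the three sites. A comment at each site would record the intent, for example `/* Strict '<': an entry that would fill buf_len exactly is not counted (bug #7122). */`. This appears to be a sizing pass, since the api_RNetShareEnum hunk calls the fill helper with 0 for its buffer arguments. The pass that actually writes the entries is outside these hunks and should be confirmed to stop at the same bound, because a disagreement between counting and writing is where a bad length or overrun would come from. All three enclosing functions start and end outside their hunks.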
@@ -1665,7 +1665,7 @@ static bool api_RNetServerEnum3(connection_struct *conn, uint16 vuid,
                        DEBUG(4,("fill_srv_info[%d] %20s %8x %25s %15s\n",
                                i, s->name, s->type, s->comment, s->domain));
 
-                       if (data_len <= buf_len) {
+                       if (data_len < buf_len) {
                                counted++;
                                fixed_len += f_len;
                                string_len += s_len;
@@ -2030,7 +2030,7 @@ static bool api_RNetShareEnum( connection_struct *conn, uint16 vuid,
                if( lp_browseable( i ) && lp_snum_ok( i ) && (strlen(servicename_dos) < 13)) {
                        total++;
                        data_len += fill_share_info(conn,i,uLevel,0,&f_len,0,&s_len,0);
-                       if (data_len <= buf_len) {
+                       if (data_len < buf_len) {
                                counted++;
                                fixed_len += f_len;
                                string_len += s_len;