From: Stefan Metzmacher
Date: Mon, 6 Jul 2009 10:02:22 +0000 (+0200)
Subject: HACK: SMB2-CONNECT SMB 2.002 buffer overflow...
X-Git-Url: http://git.samba.org/?p=metze%2Fsamba%2Fwip.git;a=commitdiff_plain;h=66cc3efc18a8ae9b9275a50ec0edcacd5dae02ff
HACK: SMB2-CONNECT SMB 2.002 buffer overflow...
metze
---
diff --git a/source4/torture/smb2/connect.c b/source4/torture/smb2/connect.c
index fd32b52111b3..464ef7f484ea 100644
--- a/source4/torture/smb2/connect.c
+++ b/source4/torture/smb2/connect.c
@@ -92,7 +92,7 @@ static NTSTATUS torture_smb2_write(struct torture_context *tctx, struct smb2_tre
 status = smb2_write(tree, &w);
 if (!NT_STATUS_IS_OK(status)) {
 printf("write failed - %s\n", nt_errstr(status));
- return status;
+ //return status;
 }
 torture_smb2_all_info(tree, handle);
@@ -100,7 +100,7 @@ static NTSTATUS torture_smb2_write(struct torture_context *tctx, struct smb2_tre
 status = smb2_write(tree, &w);
 if (!NT_STATUS_IS_OK(status)) {
 printf("write failed - %s\n", nt_errstr(status));
- return status;
+ //return status;
 }
 torture_smb2_all_info(tree, handle);
@@ -116,17 +116,17 @@ static NTSTATUS torture_smb2_write(struct torture_context *tctx, struct smb2_tre
 ZERO_STRUCT(r);
 r.in.file.handle = handle;
- r.in.length = data.length;
+ r.in.length = data.length-1;
 r.in.offset = 0;
 status = smb2_read(tree, tree, &r);
 if (!NT_STATUS_IS_OK(status)) {
 printf("read failed - %s\n", nt_errstr(status));
- return status;
+ //return status;
 }
- if (data.length != r.out.data.length ||
- memcmp(data.data, r.out.data.data, data.length) != 0) {
+ if (r.in.length != r.out.data.length ||
+ memcmp(data.data, r.out.data.data, r.out.data.length) != 0) {
 printf("read data mismatch\n");
 return NT_STATUS_NET_WRITE_FAULT;
 }
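Review bot: With `return status;` commented out after the first `smb2_write()` (hunk `-92,7`), a failed write is only printed and `status` is then overwritten by the next call, so as far as these hunks show torture_smb2_write can finish without reporting that a write was rejected; the second write in hunk `-100,7` and the read in hunk `-116,17` have the same problem. If the aim is to keep sending requests after an error, remember the first failure and return it at the end, for example `if (NT_STATUS_IS_OK(ret)) ret = status;` with `ret` initialised to `NT_STATUS_OK`, instead of leaving dead code behind `//`. A short comment at each site saying why the test continues after a failure would also help the next reader. The function begins and ends outside these hunks, so what it finally returns is not visible here.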
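Review bot: `r.in.length = data.length-1;` in hunk `-116,17` wraps to a very large request length when `data` is empty (assuming `data.length` is unsigned, as blob lengths normally are), and nothing on the line says why the read is one byte shorter than what was written. A guarded form such as `r.in.length = data.length > 0 ? data.length - 1 : 0;` with a comment like `/* deliberately read one byte less than was written */` would make the intent explicit and keep the request bounded. Because the `return status;` just above is disabled, a failed read also falls through to the comparison, where `r.out` is presumably still zeroed from `ZERO_STRUCT(r)`; the caller then sees "read data mismatch" and `NT_STATUS_NET_WRITE_FAULT` rather than the real read error, and in the one-byte case `memcmp` can be handed a null `r.out.data.data`. Checking `NT_STATUS_IS_OK(status)` again before the compare, or restoring the early return for the read, avoids both.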