From c0fea1f0f791f0b2a161f5c89fd532ce2270c240 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 25 Jan 2009 12:22:20 +0100 Subject: [PATCH] Fix chain_reply for pipe reads MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit The caller might have over-allocated reply->outbuf. Deal with that. Sorry, Günther, for giving you so much pain ... Volker --- source3/smbd/process.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/source3/smbd/process.c b/source3/smbd/process.c index dc038b6b95b3..a025bb4197d2 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c @@ -1640,8 +1640,18 @@ void chain_reply(struct smb_request *req) /* * In req->chain_outbuf we collect all the replies. Start the * chain by copying in the first reply. + * + * We do the realloc because later on we depend on + * talloc_get_size to determine the length of + * chain_outbuf. The reply_xxx routines might have + * over-allocated (reply_pipe_read_and_X used to be such an + * example). */ - req->chain_outbuf = req->outbuf; + req->chain_outbuf = TALLOC_REALLOC_ARRAY( + req, req->outbuf, uint8_t, smb_len(req->outbuf) + 4); + if (req->chain_outbuf == NULL) { + goto error; + } req->outbuf = NULL; } else { if (!smb_splice_chain(&req->chain_outbuf, -- 2.34.1