smbd: Fix file name buflen and padding in notify repsonse

The array is uint16, doubling the file name length consumes twice the space
required.

As we're hand assembling this as a series of concatinated individual data_blobs,
we must take care to ensure the correct 4 byte alignment that was
being masked by the previous doubling of the filename length.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10634

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Oct 18 01:56:41 CEST 2015 on sn-devel-104

diff --git a/librpc/idl/notify.idl b/librpc/idl/notify.idl
index 66422ec9f9e56f03c5052d796585d25886ae6264..09d06bed66228e81566112c57a3fb789bdd77408 100644 (file)
--- a/librpc/idl/notify.idl
+++ b/librpc/idl/notify.idl
@@ -93,6 +93,8 @@ interface notify
                uint32 NextEntryOffset;
                FILE_NOTIFY_ACTION Action;
                [value(strlen_m(FileName1)*2)] uint32 FileNameLength;
-               [charset(UTF16),flag(STR_NOTERM)] uint16 FileName1[FileNameLength];
+               [charset(UTF16),flag(STR_NOTERM)]
+                       uint16 FileName1[strlen_m(FileName1)];
+               DATA_BLOB _pad;
        } FILE_NOTIFY_INFORMATION;
 }

diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c
index e776749a318778ec5528135c6a927270fde645ac..625726000233080d887679a7beae5a5c521a6072 100644 (file)
--- a/source3/smbd/notify.c
+++ b/source3/smbd/notify.c
@@ -138,6 +138,7 @@ static bool notify_marshall_changes(int num_changes,
                struct notify_change_event *c;
                struct FILE_NOTIFY_INFORMATION m;
                DATA_BLOB blob;
+               uint16_t pad = 0;
 
                /* Coalesce any identical records. */
                while (i+1 < num_changes &&
@@ -151,12 +152,23 @@ static bool notify_marshall_changes(int num_changes,
                m.FileName1 = c->name;
                m.FileNameLength = strlen_m(c->name)*2;
                m.Action = c->action;
-               m.NextEntryOffset = (i == num_changes-1) ? 0 : ndr_size_FILE_NOTIFY_INFORMATION(&m, 0);
+
+               m._pad = data_blob_null;
 
                /*
                 * Offset to next entry, only if there is one
                 */
 
+               if (i == (num_changes-1)) {
+                       m.NextEntryOffset = 0;
+               } else {
+                       if ((m.FileNameLength % 4) == 2) {
+                               m._pad = data_blob_const(&pad, 2);
+                       }
+                       m.NextEntryOffset =
+                               ndr_size_FILE_NOTIFY_INFORMATION(&m, 0);
+               }
+
                ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), &m,
                        (ndr_push_flags_fn_t)ndr_push_FILE_NOTIFY_INFORMATION);
                if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {