Fix bug #7122 - Reading a large browselist fails (server returns invalid values in...

There are two problems:

1). The server is off-by-one in the end of buffer space test.
2). The server returns 0 in the totaldata (smb_vwv1) and totalparams (smb_vwv0)
fields in the second and subsequent SMBtrans replies.

This patch fixes both.

Jeremy.
(similar to commit b07a14dc37d2899f662e1cf87064f99c0bd10b25)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit de658f95ea12d4c532f309634b9aedb09c5e4d1d)

diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c
index 5c9f9f63d9006c306c62868172d76dd6eecdada3..8b6c88bbd4e54612380e8715c75ef68045c2a217 100644 (file)
--- a/source/smbd/ipc.c
+++ b/source/smbd/ipc.c
@@ -163,6 +163,9 @@ void send_trans_reply(connection_struct *conn, const uint8_t *inbuf,
                                           rparam, tot_param_sent, this_lparam,
                                           rdata, tot_data_sent, this_ldata);
 
+               SSVAL(outbuf,smb_vwv0,lparam);
+               SSVAL(outbuf,smb_vwv1,ldata);
+
                SSVAL(outbuf,smb_vwv3,this_lparam);
                SSVAL(outbuf,smb_vwv4,smb_offset(smb_buf(outbuf)+1,outbuf));
                SSVAL(outbuf,smb_vwv5,tot_param_sent);

diff --git a/source/smbd/lanman.c b/source/smbd/lanman.c
index bc1cb953f10f124490789ba0c5d0ecdac218731f..29566d1763bd9b70b7df5f86ff7c0e129ddf666b 100644 (file)
--- a/source/smbd/lanman.c
+++ b/source/smbd/lanman.c
@@ -1456,7 +1456,7 @@ static bool api_RNetServerEnum(connection_struct *conn, uint16 vuid,
                        DEBUG(4,("fill_srv_info %20s %8x %25s %15s\n",
                                s->name, s->type, s->comment, s->domain));
       
-                       if (data_len <= buf_len) {
+                       if (data_len < buf_len) {
                                counted++;
                                fixed_len += f_len;
                                string_len += s_len;
@@ -1820,7 +1820,7 @@ static bool api_RNetShareEnum( connection_struct *conn, uint16 vuid,
                if( lp_browseable( i ) && lp_snum_ok( i ) && (strlen(servicename_dos) < 13)) {
                        total++;
                        data_len += fill_share_info(conn,i,uLevel,0,&f_len,0,&s_len,0);
-                       if (data_len <= buf_len) {
+                       if (data_len < buf_len) {
                                counted++;
                                fixed_len += f_len;
                                string_len += s_len;