r22050: Fix a couple of off-by-one errors in the rap

call patch. Jerry, this works now for displaying
shares on Win9x (and hopefully everything else
as well :-).
Jeremy.

diff --git a/source/lib/util.c b/source/lib/util.c
index 64afa1cc5325f0c60ead9ba23e3af992cfad1211..b1db36c2504f560eae218701c0fa80c2e3c24624 100644 (file)
--- a/source/lib/util.c
+++ b/source/lib/util.c
@@ -3127,6 +3127,8 @@ int this_is_smp(void)
 
 /****************************************************************
  Check if an offset into a buffer is safe.
+ If this returns True it's safe to indirect into the byte at
+ pointer ptr+off.
 ****************************************************************/
 
 BOOL is_offset_safe(const char *buf_base, size_t buf_len, char *ptr, size_t off)
@@ -3180,10 +3182,14 @@ char *get_safe_str_ptr(const char *buf_base, size_t buf_len, char *ptr, size_t o
 
 int get_safe_SVAL(const char *buf_base, size_t buf_len, char *ptr, size_t off, int failval)
 {
-       if (!is_offset_safe(buf_base, buf_len, ptr, off+2)) {
+       /*
+        * Note we use off+1 here, not off+2 as SVAL accesses ptr[0] and ptr[1],
+        * NOT ptr[2].
+        */
+       if (!is_offset_safe(buf_base, buf_len, ptr, off+1)) {
                return failval;
        }
-       return SVAL(ptr,0);
+       return SVAL(ptr,off);
 }
 
 /****************************************************************
@@ -3192,8 +3198,12 @@ int get_safe_SVAL(const char *buf_base, size_t buf_len, char *ptr, size_t off, i
 
 int get_safe_IVAL(const char *buf_base, size_t buf_len, char *ptr, size_t off, int failval)
 {
-       if (!is_offset_safe(buf_base, buf_len, ptr, off+4)) {
+       /*
+        * Note we use off+3 here, not off+4 as IVAL accesses 
+        * ptr[0] ptr[1] ptr[2] ptr[3] NOT ptr[4].
+        */
+       if (!is_offset_safe(buf_base, buf_len, ptr, off+3)) {
                return failval;
        }
-       return IVAL(ptr,0);
+       return IVAL(ptr,off);
 }

diff --git a/source/smbd/lanman.c b/source/smbd/lanman.c
index 0ef6fe1c4768c512d8425e20c668048c676db882..4ca9a4b051d952fb91019a68fe486e46138a3615 100644 (file)
--- a/source/smbd/lanman.c
+++ b/source/smbd/lanman.c
@@ -2365,7 +2365,11 @@ static BOOL api_SetUserPassword(connection_struct *conn,uint16 vuid,
 
        memset(pass1,'\0',sizeof(pass1));
        memset(pass2,'\0',sizeof(pass2));
-       if (!is_offset_safe(param,tpscnt,p,32)) {
+       /*
+        * We use 31 here not 32 as we're checking
+        * the last byte we want to access is safe.
+        */
+       if (!is_offset_safe(param,tpscnt,p,31)) {
                return False;
        }
        memcpy(pass1,p,16);
@@ -2537,7 +2541,11 @@ static BOOL api_RDosPrintJobDel(connection_struct *conn,uint16 vuid,
        if (!str1 || !str2 || !p) {
                return False;
        }
-       if (!is_offset_safe(param,tpscnt,p,2)) {
+       /*
+        * We use 1 here not 2 as we're checking
+        * the last byte we want to access is safe.
+        */
+       if (!is_offset_safe(param,tpscnt,p,1)) {
                return False;
        }
        if(!rap_to_pjobid(SVAL(p,0), sharename, &jobid))
@@ -2701,7 +2709,11 @@ static BOOL api_PrintJobInfo(connection_struct *conn, uint16 vuid,
        if (!str1 || !str2 || !p) {
                return False;
        }
-       if (!is_offset_safe(param,tpscnt,p,2)) {
+       /*
+        * We use 1 here not 2 as we're checking
+        * the last byte we want to access is safe.
+        */
+       if (!is_offset_safe(param,tpscnt,p,1)) {
                return False;
        }
        if(!rap_to_pjobid(SVAL(p,0), sharename, &jobid))