r23939: Fixes for notify returns. Returned param value must fit inside
authorJeremy Allison <jra@samba.org>
Tue, 17 Jul 2007 23:01:02 +0000 (23:01 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:28:47 +0000 (12:28 -0500)
max_param or return NT_STATUS_OK.
Jeremy.

source/smbd/notify.c
source/smbd/nttrans.c

index 6ab4266c19f04410cdc49b9bea876a10ec19bdf1..40dcecee260f508cb5f4d874d5a4b609e4a793dc 100644 (file)
 
 #include "includes.h"
 
-/* Max size we can send to client in a notify response. */
-extern int max_send;
-
 struct notify_change_request {
        struct notify_change_request *prev, *next;
        struct files_struct *fsp;       /* backpointer for cancel by mid */
        char request_buf[smb_size];
        uint32 filter;
-       uint32 current_bufsize;
+       uint32 max_param;
        struct notify_mid_map *mid_map;
        void *backend_data;
 };
@@ -61,8 +58,9 @@ static BOOL notify_change_record_identical(struct notify_change *c1,
 }
 
 static BOOL notify_marshall_changes(int num_changes,
-                                   struct notify_change *changes,
-                                   prs_struct *ps)
+                               uint32 max_offset,
+                               struct notify_change *changes,
+                               prs_struct *ps)
 {
        int i;
        UNISTR uni_name;
@@ -112,6 +110,11 @@ static BOOL notify_marshall_changes(int num_changes,
                prs_set_offset(ps, prs_offset(ps)-2);
 
                SAFE_FREE(uni_name.buffer);
+
+               if (prs_offset(ps) > max_offset) {
+                       /* Too much data for client. */
+                       return False;
+               }
        }
 
        return True;
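Review bot: The `return False` added for `prs_offset(ps) > max_offset` reuses the result that the caller previously mapped to NT_STATUS_NO_MEMORY, so a marshalling failure and an oversized reply can no longer be told apart. The call site in change_notify_reply (the `@@ -160,16 +163,10 @@` hunk) now treats every False as "more than the client will accept" and sends nothing, which would presumably hide an allocation failure from both the client and the logs. Consider keeping the two outcomes distinct, for example with an out-parameter the caller can test, and at minimum document the contract with `/* Returns False on marshalling failure or when the data exceeds max_offset. */`. The function body starts outside this hunk, so its other False paths are not visible here.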
@@ -148,7 +151,7 @@ static void change_notify_reply_packet(const char *request_buf,
                                    "failed.");
 }
 
-void change_notify_reply(const char *request_buf,
+void change_notify_reply(const char *request_buf, uint32 max_param,
                         struct notify_change_buf *notify_buf)
 {
        char *outbuf = NULL;
@@ -160,16 +163,10 @@ void change_notify_reply(const char *request_buf,
                return;
        }
 
-       if (!prs_init(&ps, 0, NULL, False)
-           || !notify_marshall_changes(notify_buf->num_changes,
-                                       notify_buf->changes, &ps)) {
-               change_notify_reply_packet(request_buf, NT_STATUS_NO_MEMORY);
-               goto done;
-       }
-
-       buflen = smb_size+38+prs_offset(&ps) + 4 /* padding */;
+       prs_init(&ps, 0, NULL, False);
 
-       if (buflen > max_send) {
+       if (!notify_marshall_changes(notify_buf->num_changes, max_param,
+                                       notify_buf->changes, &ps)) {
                /*
                 * We exceed what the client is willing to accept. Send
                 * nothing.
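Review bot: The return value of `prs_init(&ps, 0, NULL, False)` is no longer checked, whereas the removed lines tested it and replied NT_STATUS_NO_MEMORY on failure. Restoring the guard keeps that path explicit: `if (!prs_init(&ps, 0, NULL, False)) { change_notify_reply_packet(request_buf, NT_STATUS_NO_MEMORY); goto done; }` (the `done` label is assumed to still exist below the hunk). The `buflen > max_send` comparison is removed as well, so the only size bound left on the reply is the caller-supplied `max_param`; if `buflen` is still read later in the function, it now needs another assignment. The function continues outside the hunk.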
@@ -238,7 +235,7 @@ NTSTATUS change_notify_create(struct files_struct *fsp, uint32 filter,
        return status;
 }
 
-NTSTATUS change_notify_add_request(const char *inbuf, 
+NTSTATUS change_notify_add_request(const char *inbuf, uint32 max_param,
                                   uint32 filter, BOOL recursive,
                                   struct files_struct *fsp)
 {
@@ -255,11 +252,11 @@ NTSTATUS change_notify_add_request(const char *inbuf,
        map->req = request;
 
        memcpy(request->request_buf, inbuf, sizeof(request->request_buf));
-       request->current_bufsize = 0;
+       request->max_param = max_param;
        request->filter = filter;
        request->fsp = fsp;
        request->backend_data = NULL;
-       
+
        DLIST_ADD_END(fsp->notify->requests, request,
                      struct notify_change_request *);
 
@@ -431,6 +428,7 @@ static void notify_fsp(files_struct *fsp, uint32 action, const char *name)
         */
 
        change_notify_reply(fsp->notify->requests->request_buf,
+                           fsp->notify->requests->max_param,
                            fsp->notify);
 
        change_notify_remove_request(fsp->notify->requests);
index f7df37b4337d2776edf3e6f90a92c0c7342e341e..64b6d33eee1cd262e87b46f3d55772ffef210b8c 100644 (file)
@@ -2045,7 +2045,7 @@ static int call_nt_transact_notify_change(connection_struct *conn, char *inbuf,
                 * here.
                 */
 
-               change_notify_reply(inbuf, fsp->notify);
+               change_notify_reply(inbuf, max_param_count, fsp->notify);
 
                /*
                 * change_notify_reply() above has independently sent its
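Review bot: `max_param_count` is passed to change_notify_reply here, and to change_notify_add_request in the following hunk, with no upper bound visible in either hunk. Its assignment is outside the hunk; presumably it is the parameter limit taken from the client's request, and after this commit notify.c no longer compares the reply size against `max_send`. Unless the reply path already limits the parameter block to the negotiated send size, the value should be capped before these calls. A comment such as `/* max_param_count is client-supplied; notify_marshall_changes() limits the reply to it */` would also document the trust boundary.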
@@ -2058,7 +2058,8 @@ static int call_nt_transact_notify_change(connection_struct *conn, char *inbuf,
         * No changes pending, queue the request
         */
 
-       status = change_notify_add_request(inbuf, filter, recursive, fsp);
+       status = change_notify_add_request(inbuf, max_param_count, filter,
+                       recursive, fsp);
        if (!NT_STATUS_IS_OK(status)) {
                return ERROR_NT(status);
        }