const char *inbuf, char **outbuf, uint8_t num_words,
uint32_t num_bytes)
{
+ size_t smb_len = MIN_SMB_SIZE + VWV(num_words) + num_bytes;
+
/*
- * Protect against integer wrap
- */
- if ((num_bytes > 0xffffff)
- || ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
+ * Protect against integer wrap.
+ * The SMB layer reply can be up to 0xFFFFFF bytes.
+ */
+ if ((num_bytes > 0xffffff) || (smb_len > 0xffffff)) {
char *msg;
if (asprintf(&msg, "num_bytes too large: %u",
(unsigned)num_bytes) == -1) {
smb_panic(msg);
}
+ /*
+ * Here we include the NBT header for now.
+ */
*outbuf = talloc_array(mem_ctx, char,
- smb_size + num_words*2 + num_bytes);
+ NBT_HDR_SIZE + smb_len);
if (*outbuf == NULL) {
return false;
}
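Review bot: The allocation size `NBT_HDR_SIZE + smb_len` depends entirely on the bound set where `smb_len` is computed and checked, which is above this hunk. That sum mixes a `uint8_t`, a `uint32_t` and two macros whose types are not visible here, so it may be evaluated in 32-bit arithmetic before being widened to `size_t`. The result stays in range only because the `num_bytes > 0xffffff` clause is kept in the check. I would make that explicit, either with a cast such as `size_t smb_len = (size_t)MIN_SMB_SIZE + VWV(num_words) + num_bytes;` or by extending the new comment to `/* NBT_HDR_SIZE + smb_len cannot wrap: smb_len <= 0xffffff is enforced above */`.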
* himself
*/
if (num_words != 0) {
- memset(*outbuf + smb_vwv0, 0, num_words*2);
+ memset(*outbuf + (NBT_HDR_SIZE + HDR_VWV), 0, VWV(num_words));
}
return true;
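Review bot: The `memset` at `*outbuf + (NBT_HDR_SIZE + HDR_VWV)` stays inside the buffer only if `HDR_VWV` is no larger than `MIN_SMB_SIZE + num_bytes`. The allocation is `NBT_HDR_SIZE + MIN_SMB_SIZE + VWV(num_words) + num_bytes`, while the zeroed range ends at `NBT_HDR_SIZE + HDR_VWV + VWV(num_words)`. Neither macro's value is visible in this diff and nothing here excludes `num_bytes == 0`, so `HDR_VWV <= MIN_SMB_SIZE` is an unstated invariant. A one-line comment above the `memset`, e.g. `/* in bounds: HDR_VWV <= MIN_SMB_SIZE, see the allocation above */`, or a compile-time assertion of that relation, would keep the offset and the allocation size from drifting apart. The comment that opens this hunk begins above the visible lines.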