diff options
| author | Jeremy Allison <jra@samba.org> | 2015-10-16 15:13:47 -0700 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2015-10-20 08:48:17 +0200 |
| commit | 617ffc4c88c371bab4a4fb5db4025153e97d79c9 (patch) | |
| tree | 9f2774f964762177d2d4d392f5086e1c25a124ba | |
| parent | c84322da084440029e0630a701812380313facf7 (diff) | |
| download | samba-617ffc4c88c371bab4a4fb5db4025153e97d79c9.tar.gz | |
smbd: Fix file name buflen and padding in notify repsonse
The array is uint16, doubling the file name length consumes twice the space
required.
As we're hand assembling this as a series of concatinated individual data_blobs,
we must take care to ensure the correct 4 byte alignment that was
being masked by the previous doubling of the filename length.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10634
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Oct 18 01:56:41 CEST 2015 on sn-devel-104
(cherry picked from commit 7c483690ac6ed007798aeeb7b8549c9d55877e56)
| -rw-r--r-- | librpc/idl/notify.idl | 4 | ||||
| -rw-r--r-- | source3/smbd/notify.c | 14 |
2 files changed, 16 insertions, 2 deletions
diff --git a/librpc/idl/notify.idl b/librpc/idl/notify.idl index 66422ec9f9e..09d06bed662 100644 --- a/librpc/idl/notify.idl +++ b/librpc/idl/notify.idl @@ -93,6 +93,8 @@ interface notify uint32 NextEntryOffset; FILE_NOTIFY_ACTION Action; [value(strlen_m(FileName1)*2)] uint32 FileNameLength; - [charset(UTF16),flag(STR_NOTERM)] uint16 FileName1[FileNameLength]; + [charset(UTF16),flag(STR_NOTERM)] + uint16 FileName1[strlen_m(FileName1)]; + DATA_BLOB _pad; } FILE_NOTIFY_INFORMATION; } diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c index e776749a318..62572600023 100644 --- a/source3/smbd/notify.c +++ b/source3/smbd/notify.c @@ -138,6 +138,7 @@ static bool notify_marshall_changes(int num_changes, struct notify_change_event *c; struct FILE_NOTIFY_INFORMATION m; DATA_BLOB blob; + uint16_t pad = 0; /* Coalesce any identical records. */ while (i+1 < num_changes && @@ -151,12 +152,23 @@ static bool notify_marshall_changes(int num_changes, m.FileName1 = c->name; m.FileNameLength = strlen_m(c->name)*2; m.Action = c->action; - m.NextEntryOffset = (i == num_changes-1) ? 0 : ndr_size_FILE_NOTIFY_INFORMATION(&m, 0); + + m._pad = data_blob_null; /* * Offset to next entry, only if there is one */ + if (i == (num_changes-1)) { + m.NextEntryOffset = 0; + } else { + if ((m.FileNameLength % 4) == 2) { + m._pad = data_blob_const(&pad, 2); + } + m.NextEntryOffset = + ndr_size_FILE_NOTIFY_INFORMATION(&m, 0); + } + ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), &m, (ndr_push_flags_fn_t)ndr_push_FILE_NOTIFY_INFORMATION); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { |