From c4f276515855dc4b3f5457adaa41148281b4b8a8 Mon Sep 17 00:00:00 2001
From: erdgeist <>
Date: Sat, 6 Dec 2003 22:15:07 +0000
Subject: missalignment bug in ANDX command handling

---
 src/nu_server.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/nu_server.c b/src/nu_server.c
index 1360ccb..d1bb46a 100755
--- a/src/nu_server.c
+++ b/src/nu_server.c
@@ -60,9 +60,20 @@ static       WORD SMB_COM_NEGOTIATE_params[] = {
 
 static SMB_STATUS handle_SMB_COM_NEGOTIATE( SMB_HEADER *header, SMB_DATA *data ) {
   struct timeval t; gettimeofday( &t, NULL );
+  int i = 3;
+  /* Assign uniqe session id, don't know whether spreading our
+     pid() is a good id, when I know, I might change that :) */
   SMB_COM_NEGOTIATE_params[8] = getpid();
   SMB_COM_NEGOTIATE_params[9] = getppid();
   *(QWORD*)(SMB_COM_NEGOTIATE_params+12) = getnttime( &t );
+
+  /* count number of dialect strings and choose the
+     last one, foolishly assuming this is the newest */
+  ((BYTE*)SMB_COM_NEGOTIATE_params)[1] = 0;
+  while( i < data->bytes->ByteCount )
+    if( data->bytes->Buffer[i++] == 0x02 ) /* dialect indicator */
+      ++*(1+(BYTE*)SMB_COM_NEGOTIATE_params);
+
   data->params = (SMB_PARAMS*)SMB_COM_NEGOTIATE_params;
   data->bytes  = (SMB_BYTES *)SMB_COM_NEGOTIATE_bytes;
   return STATUS_SUCCESS;
@@ -82,6 +93,7 @@ static const BYTE SMB_COM_TREE_CONNECT_ANDX_bytes[] = { 8, 0, 'I', 'P', 'C', 0,
 static       BYTE SMB_COM_TREE_CONNECT_ANDX_params[] = { 3, 255, 0, 0, 0, 0, 0 };
 
 static SMB_STATUS handle_SMB_COM_TREE_CONNECT_ANDX( SMB_HEADER *header, SMB_DATA *data ){
+  header->TreeID = 5;
   data->params = (SMB_PARAMS*)SMB_COM_TREE_CONNECT_ANDX_params;
   data->bytes  = (SMB_BYTES *)SMB_COM_TREE_CONNECT_ANDX_bytes;
   return STATUS_SUCCESS;
@@ -132,12 +144,13 @@ static void child( ) {
         sizeof(command_handler)/sizeof(*command_handler), sizeof(*command_handler), command_handler_match);
 
       requests[ num_requests ].bytes  =
-        (SMB_BYTES*)(((BYTE*)requests[ num_requests ].params) + *((WORD*)(requests[ num_requests ].params)) + 2);
+        (SMB_BYTES*)(((BYTE*)requests[ num_requests ].params) + *((BYTE*)(requests[ num_requests ].params)) + 2);
 
       if( handler ) {
         if( handler->flags & SMB_COMMAND_FLAG_ANDX ) {
           cmd = ((BYTE*)requests[ num_requests ].params)[1];
-          requests[ num_requests+1 ].params = (SMB_PARAMS*)(((BYTE*)inpacket) + 4 + ((WORD*)requests[ num_requests ].params)[2]);
+          requests[ num_requests+1 ].params = (SMB_PARAMS*)(((BYTE*)inpacket) + 4 +
+            ((BYTE*)requests[ num_requests ].params)[3] + 256*((BYTE*)requests[ num_requests ].params)[4]);
         }
 
         /* <---------- Calling handler here -----> */
-- 
cgit v1.2.3