r8609: Fix for bugid #2889. I think the problem is that the top 16 bits of the "server state" field must be

non-zero. As we're using the 32 bit field as an offset then normally this field
will be zero. W2K3 fills this field with a counter enumerating the number of
SMBsearch calls on this directory - starting at 1. Add back the 1<<31 bit flag
DPTR_MASK to ensure this is non-zero - with better checks on use.
Jeremy.

source/smbd/dir.c

@@ -641,6 +641,8 @@ BOOL dptr_SearchDir(struct dptr_struct *dptr, const char *name, long *poffset, S
  Fill the 5 byte server reserved dptr field.
 ****************************************************************************/
 
+#define DPTR_MASK ((uint32)(((uint32)1)<<31))
+
 BOOL dptr_fill(char *buf1,unsigned int key)
 {
 	unsigned char *buf = (unsigned char *)buf1;
@@ -653,8 +655,12 @@ BOOL dptr_fill(char *buf1,unsigned int key)
 	offset = (uint32)TellDir(dptr->dir_hnd);
 	DEBUG(6,("fill on key %u dirptr 0x%lx now at %d\n",key,
 		(long)dptr->dir_hnd,(int)offset));
+	if (offset != (uint32)-1 && (offset & DPTR_MASK)) {
+		DEBUG(0,("dptr_fill: Error - offset has bit 32 set. Can't use in server state.\n"));
+		return False;
+	}
 	buf[0] = key;
-	SIVAL(buf,1,offset);
+	SIVAL(buf,1,offset | DPTR_MASK);
 	return(True);
 }
 
@@ -678,7 +684,7 @@ struct dptr_struct *dptr_fetch(char *buf,int *num)
 	if (offset == (uint32)-1) {
 		seekoff = -1;
 	} else {
-		seekoff = (long)offset;
+		seekoff = (long)(offset & ~DPTR_MASK);
 	}
 	SeekDir(dptr->dir_hnd,seekoff);
 	DEBUG(3,("fetching dirptr %d for path %s at offset %d\n",

source/smbd/reply.c

@@ -1156,7 +1156,9 @@ int reply_search(connection_struct *conn, char *inbuf,char *outbuf, int dum_size
 						memcpy(p,status,21);
 						make_dir_struct(p,mask,fname,size, mode,date,
 								!allow_long_path_components);
-						dptr_fill(p+12,dptr_num);
+						if (!dptr_fill(p+12,dptr_num)) {
+							break;
+						}
 						numentries++;
 						p += DIR_STRUCT_SIZE;
 					}