smbd: Fix file name buflen and padding in notify repsonse

The array is uint16, doubling the file name length consumes twice the space
required.

As we're hand assembling this as a series of concatinated individual data_blobs,
we must take care to ensure the correct 4 byte alignment that was
being masked by the previous doubling of the filename length.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10634

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Oct 18 01:56:41 CEST 2015 on sn-devel-104

librpc/idl/notify.idl

@@ -93,6 +93,8 @@ interface notify
 		uint32 NextEntryOffset;
 		FILE_NOTIFY_ACTION Action;
 		[value(strlen_m(FileName1)*2)] uint32 FileNameLength;
-		[charset(UTF16),flag(STR_NOTERM)] uint16 FileName1[FileNameLength];
+		[charset(UTF16),flag(STR_NOTERM)]
+			uint16 FileName1[strlen_m(FileName1)];
+		DATA_BLOB _pad;
 	} FILE_NOTIFY_INFORMATION;
 }

source3/smbd/notify.c

@@ -138,6 +138,7 @@ static bool notify_marshall_changes(int num_changes,
 		struct notify_change_event *c;
 		struct FILE_NOTIFY_INFORMATION m;
 		DATA_BLOB blob;
+		uint16_t pad = 0;
 
 		/* Coalesce any identical records. */
 		while (i+1 < num_changes &&
@@ -151,12 +152,23 @@ static bool notify_marshall_changes(int num_changes,
 		m.FileName1 = c->name;
 		m.FileNameLength = strlen_m(c->name)*2;
 		m.Action = c->action;
-		m.NextEntryOffset = (i == num_changes-1) ? 0 : ndr_size_FILE_NOTIFY_INFORMATION(&m, 0);
+
+		m._pad = data_blob_null;
 
 		/*
 		 * Offset to next entry, only if there is one
 		 */
 
+		if (i == (num_changes-1)) {
+			m.NextEntryOffset = 0;
+		} else {
+			if ((m.FileNameLength % 4) == 2) {
+				m._pad = data_blob_const(&pad, 2);
+			}
+			m.NextEntryOffset =
+				ndr_size_FILE_NOTIFY_INFORMATION(&m, 0);
+		}
+
 		ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), &m,
 			(ndr_push_flags_fn_t)ndr_push_FILE_NOTIFY_INFORMATION);
 		if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {