diff options
| author | Volker Lendecke <vlendec@samba.org> | 2007-08-04 20:28:46 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:29:18 -0500 |
| commit | bf160bb6211fa1ca68c17f54290ce4cbb5dbb263 (patch) | |
| tree | d1ce088015d237b3dfc2673da6c9fb69f8e8267e | |
| parent | c847b2afe7f4c979499c20869563439e25f0cb7e (diff) | |
| download | samba-bf160bb6211fa1ca68c17f54290ce4cbb5dbb263.tar.gz samba-bf160bb6211fa1ca68c17f54290ce4cbb5dbb263.tar.bz2 samba-bf160bb6211fa1ca68c17f54290ce4cbb5dbb263.zip | |
r24224: Check wct in reply_trans
(This used to be commit fc8759e63ccec7f1cfb9f1d0ecd0f19a496e4153)
| -rw-r--r-- | source3/smbd/ipc.c | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c index 769147926f..2e6b03fb94 100644 --- a/source3/smbd/ipc.c +++ b/source3/smbd/ipc.c @@ -502,15 +502,25 @@ int reply_trans(connection_struct *conn, int bufsize) { int outsize = 0; - unsigned int dsoff = SVAL(inbuf, smb_dsoff); - unsigned int dscnt = SVAL(inbuf, smb_dscnt); - unsigned int psoff = SVAL(inbuf, smb_psoff); - unsigned int pscnt = SVAL(inbuf, smb_pscnt); + unsigned int dsoff; + unsigned int dscnt; + unsigned int psoff; + unsigned int pscnt; struct trans_state *state; NTSTATUS result; START_PROFILE(SMBtrans); + if (SVAL(inbuf, smb_wct) < 10) { + END_PROFILE(SMBtrans); + return ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } + + dsoff = SVAL(inbuf, smb_dsoff); + dscnt = SVAL(inbuf, smb_dscnt); + psoff = SVAL(inbuf, smb_psoff); + pscnt = SVAL(inbuf, smb_pscnt); + result = allow_new_trans(conn->pending_trans, SVAL(inbuf, smb_mid)); if (!NT_STATUS_IS_OK(result)) { DEBUG(2, ("Got invalid trans request: %s\n", @@ -681,6 +691,11 @@ int reply_transs(connection_struct *conn, char *inbuf,char *outbuf, show_msg(inbuf); + if (SVAL(inbuf, smb_wct) < 10) { + END_PROFILE(SMBtranss); + return ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } + for (state = conn->pending_trans; state != NULL; state = state->next) { if (state->mid == SVAL(inbuf,smb_mid)) { |