summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVolker Lendecke <vlendec@samba.org>2007-04-03 14:16:56 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:19:06 -0500
commit2498a973acba0d7500a7cd6501928161bc0ed31b (patch)
tree3df89d44bac2b3f47df6629240d5a7a104299208
parentf1ab10b2ec8a86c45cb8f91573d79c51f0277bb7 (diff)
downloadsamba-2498a973acba0d7500a7cd6501928161bc0ed31b.tar.gz
samba-2498a973acba0d7500a7cd6501928161bc0ed31b.tar.bz2
samba-2498a973acba0d7500a7cd6501928161bc0ed31b.zip
r22059: Over-allocate and NULL out 100 bytes for lanman.c.
Volker (This used to be commit 0eea6b84cec7e2a3fc1f784d5a9b162f71cc8a02)
-rw-r--r--source3/smbd/ipc.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c
index ca128d29d9..6e5ff9f035 100644
--- a/source3/smbd/ipc.c
+++ b/source3/smbd/ipc.c
@@ -478,8 +478,8 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf,
if (state->total_data) {
/* Can't use talloc here, the core routines do realloc on the
- * params and data. */
- state->data = (char *)SMB_MALLOC(state->total_data);
+ * params and data. Out of paranoia, 100 bytes too many. */
+ state->data = (char *)SMB_MALLOC(state->total_data+100);
if (state->data == NULL) {
DEBUG(0,("reply_trans: data malloc fail for %u "
"bytes !\n", (unsigned int)state->total_data));
@@ -487,6 +487,8 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf,
END_PROFILE(SMBtrans);
return(ERROR_DOS(ERRDOS,ERRnomem));
}
+ /* null-terminate the slack space */
+ memset(&state->data[state->total_data], 0, 100);
if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
goto bad_param;
if ((smb_base(inbuf)+dsoff+dscnt > inbuf + size) ||
@@ -498,8 +500,8 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf,
if (state->total_param) {
/* Can't use talloc here, the core routines do realloc on the
- * params and data. */
- state->param = (char *)SMB_MALLOC(state->total_param);
+ * params and data. Out of paranoia, 100 bytes too many */
+ state->param = (char *)SMB_MALLOC(state->total_param+100);
if (state->param == NULL) {
DEBUG(0,("reply_trans: param malloc fail for %u "
"bytes !\n", (unsigned int)state->total_param));
@@ -508,6 +510,8 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf,
END_PROFILE(SMBtrans);
return(ERROR_DOS(ERRDOS,ERRnomem));
}
+ /* null-terminate the slack space */
+ memset(&state->param[state->total_param], 0, 100);
if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
goto bad_param;
if ((smb_base(inbuf)+psoff+pscnt > inbuf + size) ||