diff options
author | Volker Lendecke <vlendec@samba.org> | 2007-04-03 14:16:56 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:19:06 -0500 |
commit | 2498a973acba0d7500a7cd6501928161bc0ed31b (patch) | |
tree | 3df89d44bac2b3f47df6629240d5a7a104299208 | |
parent | f1ab10b2ec8a86c45cb8f91573d79c51f0277bb7 (diff) | |
download | samba-2498a973acba0d7500a7cd6501928161bc0ed31b.tar.gz samba-2498a973acba0d7500a7cd6501928161bc0ed31b.tar.bz2 samba-2498a973acba0d7500a7cd6501928161bc0ed31b.zip |
r22059: Over-allocate and NULL out 100 bytes for lanman.c.
Volker
(This used to be commit 0eea6b84cec7e2a3fc1f784d5a9b162f71cc8a02)
-rw-r--r-- | source3/smbd/ipc.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c index ca128d29d9..6e5ff9f035 100644 --- a/source3/smbd/ipc.c +++ b/source3/smbd/ipc.c @@ -478,8 +478,8 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, if (state->total_data) { /* Can't use talloc here, the core routines do realloc on the - * params and data. */ - state->data = (char *)SMB_MALLOC(state->total_data); + * params and data. Out of paranoia, 100 bytes too many. */ + state->data = (char *)SMB_MALLOC(state->total_data+100); if (state->data == NULL) { DEBUG(0,("reply_trans: data malloc fail for %u " "bytes !\n", (unsigned int)state->total_data)); @@ -487,6 +487,8 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, END_PROFILE(SMBtrans); return(ERROR_DOS(ERRDOS,ERRnomem)); } + /* null-terminate the slack space */ + memset(&state->data[state->total_data], 0, 100); if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt)) goto bad_param; if ((smb_base(inbuf)+dsoff+dscnt > inbuf + size) || @@ -498,8 +500,8 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, if (state->total_param) { /* Can't use talloc here, the core routines do realloc on the - * params and data. */ - state->param = (char *)SMB_MALLOC(state->total_param); + * params and data. Out of paranoia, 100 bytes too many */ + state->param = (char *)SMB_MALLOC(state->total_param+100); if (state->param == NULL) { DEBUG(0,("reply_trans: param malloc fail for %u " "bytes !\n", (unsigned int)state->total_param)); @@ -508,6 +510,8 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, END_PROFILE(SMBtrans); return(ERROR_DOS(ERRDOS,ERRnomem)); } + /* null-terminate the slack space */ + memset(&state->param[state->total_param], 0, 100); if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt)) goto bad_param; if ((smb_base(inbuf)+psoff+pscnt > inbuf + size) || |