summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRalph Wuerthner <ralph.wuerthner@de.ibm.com>2013-04-04 12:59:36 +0200
committerMichael Adam <obnox@samba.org>2013-04-10 00:13:45 +0200
commit98f9e5edd35d6fb54dea74f799b017967b0a13fd (patch)
tree7f7ed1eba3477df6fcd43922dd8c2f1b16429e32
parente7e37b3b90100f762a45f2f3c047e14e3619c216 (diff)
downloadsamba-98f9e5edd35d6fb54dea74f799b017967b0a13fd.tar.gz
samba-98f9e5edd35d6fb54dea74f799b017967b0a13fd.tar.bz2
samba-98f9e5edd35d6fb54dea74f799b017967b0a13fd.zip
s3:smbd: do not access data behind req->buf+req->buflen in srvstr_get_path_req_wcard()
Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
-rw-r--r--source3/smbd/reply.c13
1 files changed, 10 insertions, 3 deletions
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 0d9f415a43..5fb10d5c54 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -318,9 +318,16 @@ size_t srvstr_get_path_req_wcard(TALLOC_CTX *mem_ctx, struct smb_request *req,
char **pp_dest, const char *src, int flags,
NTSTATUS *err, bool *contains_wcard)
{
- return srvstr_get_path_wcard(mem_ctx, (const char *)req->inbuf, req->flags2,
- pp_dest, src, smbreq_bufrem(req, src),
- flags, err, contains_wcard);
+ ssize_t bufrem = smbreq_bufrem(req, src);
+
+ if (bufrem < 0) {
+ *err = NT_STATUS_INVALID_PARAMETER;
+ return 0;
+ }
+
+ return srvstr_get_path_wcard(mem_ctx, (const char *)req->inbuf,
+ req->flags2, pp_dest, src, bufrem, flags,
+ err, contains_wcard);
}
size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req,