r24349: For large read&x we need more than 64k of outbuf.

(This used to be commit f7e2eec35f7457ec70d75ef099b34f83c9dfd654)
author: Volker Lendecke <vlendec@samba.org> 2007-08-12 12:15:32 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 12:29:32 -0500
commit: 2fb27fcb692dfaccf36c6530012d6e24f944e1a4 (patch)
tree: 7063e19156337ded23af80a006d8bb47b75ac6c8
parent: a0ad547ccbf5316862bd8f7b8ae9e76c4386b62c (diff)
download: samba-2fb27fcb692dfaccf36c6530012d6e24f944e1a4.tar.gz
samba-2fb27fcb692dfaccf36c6530012d6e24f944e1a4.tar.bz2
samba-2fb27fcb692dfaccf36c6530012d6e24f944e1a4.zip
1 files changed, 12 insertions, 1 deletions
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index adc3f638e0..c59ee2c200 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -953,8 +953,19 @@ static const struct smb_message_struct {
  allocate and initialize a reply packet
 ********************************************************************/
 
-void reply_outbuf(struct smb_request *req, uint8 num_words, uint16 num_bytes)
+void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes)
 {
+	/*
+         * Protect against integer wrap
+         */
+	if ((num_bytes > 0xffffff)
+	    || ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
+		char *msg;
+		asprintf(&msg, "num_bytes too large: %u",
+			 (unsigned)num_bytes);
+		smb_panic(msg);
+	}
+
 	if (!(req->outbuf = TALLOC_ARRAY(
 		      req, uint8,
 		      smb_size + num_words*2 + num_bytes))) {
author	Volker Lendecke <vlendec@samba.org>	2007-08-12 12:15:32 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 12:29:32 -0500
commit	2fb27fcb692dfaccf36c6530012d6e24f944e1a4 (patch)
tree	7063e19156337ded23af80a006d8bb47b75ac6c8
parent	a0ad547ccbf5316862bd8f7b8ae9e76c4386b62c (diff)
download	samba-2fb27fcb692dfaccf36c6530012d6e24f944e1a4.tar.gz samba-2fb27fcb692dfaccf36c6530012d6e24f944e1a4.tar.bz2 samba-2fb27fcb692dfaccf36c6530012d6e24f944e1a4.zip