author | Stefan Metzmacher <metze@samba.org> | 2012-05-29 14:08:43 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2012-05-29 18:55:29 +0200 |
commit | cee146ff7c2250d3c723f19357fd1c8541191d08 (patch) | |
tree | d9c9657c736d3bf67c3824736b71bc76c045b8c6 | |
parent | 8b4e6777206d7df4174f9d61830d1c337a46089f (diff) | |
s3:smb2_ioctl: verify credit charge
Based on a patch from Christian Ambach <ambi@samba.org>.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue May 29 18:55:29 CEST 2012 on sn-devel-104
-rw-r--r-- | source3/smbd/smb2_ioctl.c | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/source3/smbd/smb2_ioctl.c b/source3/smbd/smb2_ioctl.c
index c83162e368..0d17407cf3 100644
--- a/source3/smbd/smb2_ioctl.c
+++ b/source3/smbd/smb2_ioctl.c
@@ -63,6 +63,10 @@ NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req)
 	DATA_BLOB in_output_buffer = data_blob_null;
 	uint32_t in_max_output_length;
 	uint32_t in_flags;
+	uint32_t data_length_in;
+	uint32_t data_length_out;
+	uint32_t data_length_tmp;
+	uint32_t data_length_max;
 	struct tevent_req *subreq;
 
 	status = smbd_smb2_request_verify_sizes(req, 0x39);
@@ -152,6 +156,27 @@ NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req)
 	}
 
 	/*
+	 * verify the credits and avoid overflows
+	 * in_input_buffer.length and in_output_buffer.length
+	 * are already verified.
+	 */
+	data_length_in = in_input_buffer.length + in_output_buffer.length;
+
+	data_length_out = in_max_input_length;
+	data_length_tmp = UINT32_MAX - data_length_out;
+	if (data_length_tmp < in_max_output_length) {
+		return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+	}
+	data_length_out += in_max_output_length;
+
+	data_length_max = MAX(data_length_in, data_length_out);
+
+	status = smbd_smb2_request_verify_creditcharge(req, data_length_max);
+	if (!NT_STATUS_IS_OK(status)) {
+		return smbd_smb2_request_error(req, status);
+	}
+
+	/*
 	 * If the Flags field of the request is not SMB2_0_IOCTL_IS_FSCTL the
 	 * server MUST fail the request with STATUS_NOT_SUPPORTED.
 	 */
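Review bot: The overflow guard on the response-side sum in the second hunk goes through a temporary, `data_length_tmp = UINT32_MAX - data_length_out;`, where a direct comparison reads more plainly and drops the extra variable: `if (in_max_input_length > UINT32_MAX - in_max_output_length) { return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); }` followed by `data_length_out = in_max_input_length + in_max_output_length;`. The comment above the block states that the two request-side lengths are already verified, but it leaves implicit that this is the reason `data_length_in` gets no overflow check; a clause such as `/* both are bounded by the received request size, so the sum cannot wrap uint32_t */` would make the reasoning explicit (presumably that is the bound the earlier verification establishes — worth confirming). Note also that `in_input_buffer.length` and `in_output_buffer.length` are DATA_BLOB sizes being narrowed into a uint32_t, which is only safe under that same bound. The body of smbd_smb2_request_process_ioctl continues outside the hunk, so where in_max_input_length is set is not visible here.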