summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2011-10-12 17:46:50 +0200
committerStefan Metzmacher <metze@samba.org>2011-10-13 03:32:02 +0200
commit5e04231e961f10656384a6f16104d0d55b6f3e0e (patch)
tree71478c9e67126252576961854ac170cacb982e77
parent6981f1114792cc251bf1e05183dd88f5d351ab09 (diff)
downloadsamba-5e04231e961f10656384a6f16104d0d55b6f3e0e.tar.gz
samba-5e04231e961f10656384a6f16104d0d55b6f3e0e.tar.bz2
samba-5e04231e961f10656384a6f16104d0d55b6f3e0e.zip
s3:smb2_server: get/set info are limited by max_trans size (bug #8473)
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Thu Oct 13 03:32:02 CEST 2011 on sn-devel-104
-rw-r--r--source3/smbd/smb2_getinfo.c7
-rw-r--r--source3/smbd/smb2_setinfo.c4
2 files changed, 11 insertions, 0 deletions
diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c
index 61e0cfa06c..c5d2d62cd9 100644
--- a/source3/smbd/smb2_getinfo.c
+++ b/source3/smbd/smb2_getinfo.c
@@ -90,6 +90,13 @@ NTSTATUS smbd_smb2_request_process_getinfo(struct smbd_smb2_request *req)
in_input_buffer.data = (uint8_t *)req->in.vector[i+2].iov_base;
in_input_buffer.length = in_input_buffer_length;
+ if (in_input_buffer.length > req->sconn->smb2.max_trans) {
+ return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+ }
+ if (in_output_buffer_length > req->sconn->smb2.max_trans) {
+ return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+ }
+
if (req->compat_chain_fsp) {
/* skip check */
} else if (in_file_id_persistent != in_file_id_volatile) {
diff --git a/source3/smbd/smb2_setinfo.c b/source3/smbd/smb2_setinfo.c
index 2d39f11bb5..751190ac62 100644
--- a/source3/smbd/smb2_setinfo.c
+++ b/source3/smbd/smb2_setinfo.c
@@ -81,6 +81,10 @@ NTSTATUS smbd_smb2_request_process_setinfo(struct smbd_smb2_request *req)
in_input_buffer.data = (uint8_t *)req->in.vector[i+2].iov_base;
in_input_buffer.length = in_input_buffer_length;
+ if (in_input_buffer.length > req->sconn->smb2.max_trans) {
+ return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+ }
+
if (req->compat_chain_fsp) {
/* skip check */
} else if (in_file_id_persistent != in_file_id_volatile) {