author | Stefan Metzmacher <metze@samba.org> | 2012-08-17 08:31:52 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2012-08-17 14:51:57 +0200 |
commit | abf018e8b64b237aa029978c20bd418524fff3d0 (patch) | |
tree | 12e5fc897039311634662c2b526131b29530a32c | |
parent | e2b07c0adca680d73f20744fd8dbbcb8be818ca3 (diff) | |
libcli/smb: make sure the SMB2_TRANSFORM pdu is complete
metze
-rw-r--r-- | libcli/smb/smbXcli_base.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index a9adcbb0b7..02d0227637 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -3041,6 +3041,7 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
 struct smbXcli_session *s;
 uint64_t uid;
 struct iovec tf_iov[2];
+ size_t enc_len;
 NTSTATUS status;
 if (len < SMB2_TF_HDR_SIZE) {
@@ -3053,9 +3054,16 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
 taken += tf_len;
 hdr = first_hdr + taken;
- len = IVAL(tf, SMB2_TF_MSG_SIZE);
+ enc_len = IVAL(tf, SMB2_TF_MSG_SIZE);
 uid = BVAL(tf, SMB2_TF_SESSION_ID);
+ if (len < SMB2_TF_HDR_SIZE + enc_len) {
+ DEBUG(10, ("%d bytes left, expected at least %d\n",
+ (int)len,
+ (int)(SMB2_TF_HDR_SIZE + enc_len)));
+ goto inval;
+ }
 s = conn->sessions;
 for (; s; s = s->next) {
 if (s->smb2->session_id != uid) {
@@ -3073,7 +3081,7 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
 tf_iov[0].iov_base = (void *)tf;
 tf_iov[0].iov_len = tf_len;
 tf_iov[1].iov_base = (void *)hdr;
- tf_iov[1].iov_len = len;
+ tf_iov[1].iov_len = enc_len;
 status = smb2_signing_decrypt_pdu(s->smb2->decryption_key,
 conn->protocol,
@@ -3083,7 +3091,8 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
 return status;
 }
- verified_buflen = taken + len;
+ verified_buflen = taken + enc_len;
+ len = enc_len;
 }
 /* |
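Review bot: The new completeness check in the second hunk, `if (len < SMB2_TF_HDR_SIZE + enc_len)`, adds a peer-supplied 32-bit message size to a constant before comparing, so on a build where `size_t` is 32 bits a size close to 0xFFFFFFFF would wrap the sum, the check would pass, and `tf_iov[1].iov_len = enc_len` would describe more bytes than were received. Provided `len` is not modified between the earlier `if (len < SMB2_TF_HDR_SIZE)` guard and this point, the comparison can be written without the addition as `if (enc_len > len - SMB2_TF_HDR_SIZE) {`. The `(int)` casts with `%d` in the DEBUG message also truncate large values; `%zu` with the `size_t` operands would log what was actually compared. The declaration of `len` and the rest of smb2cli_inbuf_parse_compound lie outside the hunks, so `len` is assumed to be a `size_t` holding the remaining bytes.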