authorStefan Metzmacher <metze@samba.org>2012-07-20 09:20:43 +0200
committerStefan Metzmacher <metze@samba.org>2012-07-23 18:19:36 +0200
commit077eb578be1bc9865fc5b32816f8230737e76100 (patch)
treebb9f439bfc9e6d33479f4155b93a46d245e1fadc
parent1c144b07f658723a9ae28c61b2e66c33630b573a (diff)
libcli/smb: check the buffer length in smbXcli_negprot_dispatch_incoming()
metze
-rw-r--r--libcli/smb/smbXcli_base.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index dcec6ed79e..14737fb8b1 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -3952,16 +3952,23 @@ static NTSTATUS smbXcli_negprot_dispatch_incoming(struct smbXcli_conn *conn,
struct tevent_req *subreq;
struct smbXcli_req_state *substate;
struct tevent_req *req;
- uint32_t protocol_magic = IVAL(inbuf, 4);
+ uint32_t protocol_magic;
+ size_t inbuf_len = smb_len_nbt(inbuf);
if (num_pending != 1) {
return NT_STATUS_INTERNAL_ERROR;
}
+ if (inbuf_len < 4) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+
subreq = conn->pending[0];
substate = tevent_req_data(subreq, struct smbXcli_req_state);
req = tevent_req_callback_data(subreq, struct tevent_req);
+ protocol_magic = IVAL(inbuf, 4);
+
switch (protocol_magic) {
case SMB_MAGIC:
tevent_req_set_callback(subreq, smbXcli_negprot_smb1_done, req);
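Review bot: The new `inbuf_len < 4` guard covers only the four magic bytes read by `IVAL(inbuf, 4)`, and the two literal 4s mean different things: one is a minimum payload length, the other the offset past the 4-byte NBT header. A comment above the check would make that explicit, for example `/* need 4 payload bytes after the NBT header to read the protocol magic */`. `inbuf_len` comes from `smb_len_nbt(inbuf)`, which appears to be the length declared in the server-supplied header rather than the size of the received buffer. The hunk does not show whether the receive path guarantees the buffer holds that many bytes, so that assumption should be confirmed or stated in the comment. The handlers selected by the switch, such as `smbXcli_negprot_smb1_done`, presumably still need their own minimum-size checks before parsing the full SMB header. The function body continues outside the hunk.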