authorStefan Metzmacher <metze@samba.org>2009-07-08 17:02:00 +0200
committerStefan Metzmacher <metze@samba.org>2009-07-10 12:24:23 +0200
commit12ed9ca36a4f8d2f3798f357a619389c26c9feea (patch)
tree2f468119f26d3b0625b793c6f6c07f633a139dab
parentdb1e58256861c50a9baed8efc862ba5b5834e28b (diff)
s3:smbd: fix parsing of invalid SMB2 requests.
Because of 0 - 2 => 0xFFFFFFFE, we got EMSGSIZE from the tstream layer and terminated the transport connection. Instead we should let the caller deal with the invalid parameter when checking the body size, so the caller always gets at least a 2 byte body. metze
-rw-r--r--source3/smbd/smb2_server.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 43afb1b901..204e57d860 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -1339,7 +1339,7 @@ static int smbd_smb2_request_next_vector(struct tstream_context *stream,
if (invalid) {
/* the caller should check this */
- body_size = 0;
+ body_size = 2;
}
if ((body_size % 2) != 0) {
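Review bot: The comment `/* the caller should check this */` does not say why the placeholder is 2 rather than 0, and that value is load-bearing: the second hunk computes `body_size - 2`, which per the commit message wrapped to 0xFFFFFFFE with the old value. I would extend the comment to something like `/* keep the 2 bytes the code below copies from hdr, so body_size - 2 cannot wrap; the caller rejects the request */`. The `if (invalid)` block sits inside smbd_smb2_request_next_vector, whose body starts and ends outside the hunk.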
@@ -1376,7 +1376,7 @@ static int smbd_smb2_request_next_vector(struct tstream_context *stream,
*/
memcpy(body, hdr + SMB2_HDR_BODY, 2);
vector[0].iov_base = body + 2;
- vector[0].iov_len = req->in.vector[idx].iov_len - 2;
+ vector[0].iov_len = body_size - 2;
vector[1] = req->in.vector[idx+1];
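Review bot: `vector[0].iov_len = body_size - 2;` still depends on body_size being at least 2 on every path that reaches it, and only the `invalid` branch in the first hunk visibly guarantees that. Whether a request that is not flagged invalid can arrive here with a body_size of 0 or 1 is decided outside these hunks, so this may already be excluded. If it is not, a local guard before the subtraction, for example `if (body_size < 2) { body_size = 2; }`, would keep a client-supplied length from turning into a huge iov_len again. The enclosing function continues beyond the hunk.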