author | Stefan Metzmacher <metze@samba.org> | 2012-07-20 09:20:43 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2012-07-23 18:19:36 +0200 |
commit | 077eb578be1bc9865fc5b32816f8230737e76100 (patch) | |
tree | bb9f439bfc9e6d33479f4155b93a46d245e1fadc | |
parent | 1c144b07f658723a9ae28c61b2e66c33630b573a (diff) | |
libcli/smb: check the buffer length in smbXcli_negprot_dispatch_incoming()
metze
-rw-r--r-- | libcli/smb/smbXcli_base.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index dcec6ed79e..14737fb8b1 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -3952,16 +3952,23 @@ static NTSTATUS smbXcli_negprot_dispatch_incoming(struct smbXcli_conn *conn, struct tevent_req *subreq; struct smbXcli_req_state *substate; struct tevent_req *req; - uint32_t protocol_magic = IVAL(inbuf, 4); + uint32_t protocol_magic; + size_t inbuf_len = smb_len_nbt(inbuf); if (num_pending != 1) { return NT_STATUS_INTERNAL_ERROR; } + if (inbuf_len < 4) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + subreq = conn->pending[0]; substate = tevent_req_data(subreq, struct smbXcli_req_state); req = tevent_req_callback_data(subreq, struct tevent_req); + protocol_magic = IVAL(inbuf, 4); + switch (protocol_magic) { case SMB_MAGIC: tevent_req_set_callback(subreq, smbXcli_negprot_smb1_done, req); |
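Review bot: The new `inbuf_len < 4` guard bounds the `IVAL(inbuf, 4)` read only if the buffer really holds what its own header declares, because `inbuf_len` comes from `smb_len_nbt(inbuf)`, the length field the peer wrote into the NBT header. The receive path presumably ensures the buffer contains the 4 header bytes plus that many payload bytes, but that is not visible in this hunk; the function starts above it and continues below it. I would state the invariant next to the check, e.g. `/* inbuf is the 4 byte NBT header followed by smb_len_nbt(inbuf) payload bytes, as delivered by the read path; the protocol magic is payload bytes 0..3 */`. The check covers only the magic, so the per-protocol handlers set in the `switch` still need their own minimum-length checks before reading further header fields.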