diff options
| author | Jeremy Allison <jra@samba.org> | 2000-04-27 17:14:45 +0000 |
|---|---|---|
| committer | Jeremy Allison <jra@samba.org> | 2000-04-27 17:14:45 +0000 |
| commit | 3d9141d4156a3207af03d4137acd4b1cde46cfae (patch) | |
| tree | 2e48654b3ce807b729dccd49ac6cbf5bdd1f8f7a | |
| parent | c4af7ad8dc75ca252c6e8812b126a171849cc7d2 (diff) | |
| download | samba-3d9141d4156a3207af03d4137acd4b1cde46cfae.tar.gz samba-3d9141d4156a3207af03d4137acd4b1cde46cfae.tar.bz2 samba-3d9141d4156a3207af03d4137acd4b1cde46cfae.zip | |
Fixed range check on writeX.
Jeremy.
(This used to be commit 9cde198108439358e99128fa9a1b3000e33f5414)
| -rw-r--r-- | source3/smbd/reply.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 4134df221e..41c6dcb143 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -2545,7 +2545,7 @@ int reply_write_and_X(connection_struct *conn, char *inbuf,char *outbuf,int leng size_t numtowrite = SVAL(inbuf,smb_vwv10); BOOL write_through = BITSETW(inbuf+smb_vwv7,0); ssize_t nwritten = -1; - int smb_doff = SVAL(inbuf,smb_vwv11); + unsigned int smb_doff = SVAL(inbuf,smb_vwv11); char *data; /* If it's an IPC, pass off the pipe handler. */ @@ -2556,6 +2556,9 @@ int reply_write_and_X(connection_struct *conn, char *inbuf,char *outbuf,int leng CHECK_WRITE(fsp); CHECK_ERROR(fsp); + if(smb_doff > smb_len(inbuf)) + return(ERROR(ERRDOS,ERRbadmem)); + data = smb_base(inbuf) + smb_doff; if(CVAL(inbuf,smb_wct) == 14) { |