authorJeremy Allison <jra@samba.org>2007-08-15 19:25:38 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:29:50 -0500
commita1f593cd737ccfaf48a98b954f38a541646cc5c7 (patch)
tree4420dadfb7b4eaadd937d1e8247723ac5cfa93f9
parent415b7463a3b543f4c7a1eab83162d65918337045 (diff)
downloadsamba-a1f593cd737ccfaf48a98b954f38a541646cc5c7.tar.gz
samba-a1f593cd737ccfaf48a98b954f38a541646cc5c7.tar.bz2
samba-a1f593cd737ccfaf48a98b954f38a541646cc5c7.zip
r24467: Do range checking on incoming smb request.
Jeremy. (This used to be commit dbd58dd647279def1681d88701e41d8a738c680a)
-rw-r--r--source3/smbd/process.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index bf86603924..ce04c4331f 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -57,12 +57,26 @@ extern int max_send;
void init_smb_request(struct smb_request *req, const uint8 *inbuf)
{
+ size_t req_size = smb_len(inbuf);
+ /* Ensure we have at smb_size request. */
+ if (req_size < smb_size) {
+ DEBUG(0,("init_smb_request: invalid request size %u\n",
+ (unsigned int)req_size ));
+ exit_server_cleanly("Invalid SMB request");
+ }
req->flags2 = SVAL(inbuf, smb_flg2);
req->smbpid = SVAL(inbuf, smb_pid);
req->mid = SVAL(inbuf, smb_mid);
req->vuid = SVAL(inbuf, smb_uid);
req->tid = SVAL(inbuf, smb_tid);
req->wct = CVAL(inbuf, smb_wct);
+ /* Ensure we have at least wct words. */
+ if (smb_size + req->wct*2 > req_size) {
+ DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
+ (unsigned int)req->wct,
+ (unsigned int)req_size));
+ exit_server_cleanly("Invalid SMB request");
+ }
req->inbuf = inbuf;
req->outbuf = NULL;
}
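Review bot: Both added checks in init_smb_request compare `req_size`, taken directly from `smb_len(inbuf)`, against `smb_size`, and the two may be in different units. If `smb_len()` returns the NetBIOS length field, which excludes the 4-byte header, while `smb_size` and the `smb_*` offsets count from the start of `inbuf` (as the `SVAL(inbuf, smb_flg2)` accesses suggest), both tests are four bytes too strict and a minimal valid request would terminate the connection. Please confirm against the macro definitions, which are not visible in this hunk, and if so use `size_t req_size = smb_len(inbuf) + 4;`. The first comment is missing words and should read `/* Ensure we have at least smb_size bytes. */`. Both failure paths appear reachable by any connected peer that sends a malformed length or wct, so it is worth checking whether `DEBUG(0, ...)` is the right level, since level 0 lets a remote client write log lines at will.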