author | Jeremy Allison <jra@samba.org> | 2007-08-15 19:25:38 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:29:50 -0500 |
commit | a1f593cd737ccfaf48a98b954f38a541646cc5c7 (patch) | |
tree | 4420dadfb7b4eaadd937d1e8247723ac5cfa93f9 | |
parent | 415b7463a3b543f4c7a1eab83162d65918337045 (diff) | |
r24467: Do range checking on incoming smb request.
Jeremy.
(This used to be commit dbd58dd647279def1681d88701e41d8a738c680a)
-rw-r--r-- | source3/smbd/process.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index bf86603924..ce04c4331f 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -57,12 +57,26 @@ extern int max_send;
 void init_smb_request(struct smb_request *req, const uint8 *inbuf)
 {
+ size_t req_size = smb_len(inbuf);
+ /* Ensure we have at smb_size request. */
+ if (req_size < smb_size) {
+ DEBUG(0,("init_smb_request: invalid request size %u\n",
+ (unsigned int)req_size ));
+ exit_server_cleanly("Invalid SMB request");
+ }
 req->flags2 = SVAL(inbuf, smb_flg2);
 req->smbpid = SVAL(inbuf, smb_pid);
 req->mid = SVAL(inbuf, smb_mid);
 req->vuid = SVAL(inbuf, smb_uid);
 req->tid = SVAL(inbuf, smb_tid);
 req->wct = CVAL(inbuf, smb_wct);
+ /* Ensure we have at least wct words. */
+ if (smb_size + req->wct*2 > req_size) {
+ DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
+ (unsigned int)req->wct,
+ (unsigned int)req_size));
+ exit_server_cleanly("Invalid SMB request");
+ }
 req->inbuf = inbuf;
 req->outbuf = NULL;
 }
|
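Review bot: The two bounds checks compare `req_size`, taken straight from `smb_len(inbuf)`, against `smb_size` and `smb_size + req->wct*2`, which are offsets from the start of `inbuf`; if `smb_len()` returns the NetBIOS payload length without the 4-byte length header (its definition is not in this hunk), the checks are four bytes too strict. That fails safe, but it would disconnect a client sending a minimal, valid request, so consider `size_t req_size = smb_len(inbuf) + 4;`. The checks also cover only the fixed header and the `wct` parameter words; the byte count that follows the words is not validated here, so code reading the data area still has to bound it against `req_size`. The first comment reads better as `/* Ensure we have at least smb_size bytes. */`.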