authorJeremy Allison <jra@samba.org>2013-08-02 17:05:58 -0700
committerDavid Disseldorp <ddiss@samba.org>2013-08-04 16:54:04 +0200
commitb35a27b77954992fc1e6db446bbfa6cfbb7547a1 (patch)
tree712da5edf6a92054d4651d8957af87fe46438b7a
parent852c9ac34dbef66d0b2619554c611157c2fab771 (diff)
Ensure we can never integer wrap when working on client-supplied max_data_bytes.
This would only be possible with SMB2, and is already checked in the upper SMB2 layers, but it really doesn't hurt to have these extra checks at time of use also. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org> Autobuild-User(master): David Disseldorp <ddiss@samba.org> Autobuild-Date(master): Sun Aug 4 16:54:04 CEST 2013 on sn-devel-104
-rw-r--r--source3/smbd/trans2.c22
1 files changed, 22 insertions, 0 deletions
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index a216f15cd3..f7691044a1 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -2564,6 +2564,11 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
}
}
+ if (max_data_bytes + DIR_ENTRY_SAFETY_MARGIN < max_data_bytes) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ goto out;
+ }
+
*ppdata = (char *)SMB_REALLOC(
*ppdata, max_data_bytes + DIR_ENTRY_SAFETY_MARGIN);
if(*ppdata == NULL ) {
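Review bot: The wrap test `max_data_bytes + DIR_ENTRY_SAFETY_MARGIN < max_data_bytes` only works if the addition is carried out in an unsigned type no wider than max_data_bytes; the declaration is outside this hunk, so that is presumably the case but cannot be confirmed here. If the variable were ever signed, the overflow would be undefined behaviour and a compiler could drop the test entirely. The same expression is repeated in the other four hunks (@@ -2893, @@ -3150, @@ -4368, @@ -4449), so I would move it into one small static helper with the parameter type spelled out, or at least put `/* relies on unsigned wrap-around of max_data_bytes */` above each copy. For an unsigned int, a form that never wraps, such as `if (max_data_bytes > UINT_MAX - DIR_ENTRY_SAFETY_MARGIN)`, states the intent more directly.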
@@ -2893,6 +2898,11 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
}
}
+ if (max_data_bytes + DIR_ENTRY_SAFETY_MARGIN < max_data_bytes) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
*ppdata = (char *)SMB_REALLOC(
*ppdata, max_data_bytes + DIR_ENTRY_SAFETY_MARGIN);
if(*ppdata == NULL) {
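Review bot: This copy of the check leaves with a bare `return;`, while the identical check in the previous hunk leaves through `goto out;`. The enclosing function starts and ends outside the hunk, so it is not visible whether anything acquired before this point needs releasing. Please confirm the early return matches the function's other error exits, and if the function has a cleanup label, use it here as well.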
@@ -3150,6 +3160,10 @@ NTSTATUS smbd_do_qfsinfo(connection_struct *conn,
st = smb_fname.st;
+ if (max_data_bytes + DIR_ENTRY_SAFETY_MARGIN < max_data_bytes) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
*ppdata = (char *)SMB_REALLOC(
*ppdata, max_data_bytes + DIR_ENTRY_SAFETY_MARGIN);
if (*ppdata == NULL) {
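Review bot: The rejection added to smbd_do_qfsinfo is silent: it returns NT_STATUS_INVALID_PARAMETER with no log line, and the same holds for the check in smbd_do_qfilepathinfo (@@ -4449). The commit message says the upper SMB2 layer already rejects such values, so reaching this branch means an earlier check was missed, which is worth recording for whoever later investigates the request. I would add a line such as `DEBUG(2, ("max_data_bytes %u would wrap\n", (unsigned int)max_data_bytes));` before the return.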
@@ -4368,6 +4382,10 @@ static void call_trans2qpipeinfo(connection_struct *conn,
}
params = *pparams;
SSVAL(params,0,0);
+ if (max_data_bytes + DIR_ENTRY_SAFETY_MARGIN < max_data_bytes) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
data_size = max_data_bytes + DIR_ENTRY_SAFETY_MARGIN;
*ppdata = (char *)SMB_REALLOC(*ppdata, data_size);
if (*ppdata == NULL ) {
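Review bot: In call_trans2qpipeinfo the new check sits after `SSVAL(params,0,0);`, so the reply parameter block has already been written before the client-supplied size is validated. That is harmless as far as this hunk shows, but validating before touching any reply buffer is easier to reason about. I would move the check above the params handling, which starts outside the hunk, and add the blank line after it that the other four copies have.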
@@ -4449,6 +4467,10 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn,
nlink -= 1;
}
+ if (max_data_bytes + DIR_ENTRY_SAFETY_MARGIN < max_data_bytes) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
data_size = max_data_bytes + DIR_ENTRY_SAFETY_MARGIN;
*ppdata = (char *)SMB_REALLOC(*ppdata, data_size);
if (*ppdata == NULL) {