summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2012-10-02 17:30:54 -0700
committerJeremy Allison <jra@samba.org>2012-10-03 12:49:15 -0700
commitc2f5b2466bb05939c953341517da6d9df814b27c (patch)
tree56270917e38695ad83bae478a696d43ad181eac7
parent3983515a0d2222c9e559d83f37ec0a4c5820b56d (diff)
downloadsamba-c2f5b2466bb05939c953341517da6d9df814b27c.tar.gz
samba-c2f5b2466bb05939c953341517da6d9df814b27c.tar.bz2
samba-c2f5b2466bb05939c953341517da6d9df814b27c.zip
Fix bug #9214 - Bad user supplied SMB2 credit value can cause smbd to call smb_panic.
Terminate the connection cleanly instead.
-rw-r--r--source3/smbd/smb2_server.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index dcaefb1689..d92302ede5 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -780,7 +780,12 @@ static void smb2_set_operation_credit(struct smbd_server_connection *sconn,
out_status = NT_STATUS(IVAL(outhdr, SMB2_HDR_STATUS));
SMB_ASSERT(sconn->smb2.max_credits >= sconn->smb2.credits_granted);
- SMB_ASSERT(sconn->smb2.max_credits >= credit_charge);
+
+ if (sconn->smb2.max_credits < credit_charge) {
+ smbd_server_connection_terminate(sconn,
+ "client error: credit charge > max credits\n");
+ return;
+ }
if (out_flags & SMB2_HDR_FLAG_ASYNC) {
/*