authorVolker Lendecke <vl@samba.org>2008-11-08 16:14:12 +0100
committerVolker Lendecke <vl@samba.org>2008-11-28 08:24:28 +0100
commit738271fc2026b2911b7d20a73496989641714df3 (patch)
tree983613874081b507d5de48e296dc4e0f8db9805f
parent9da3101e449649f0614240f13157ac81e17b2e90 (diff)
downloadsamba-738271fc2026b2911b7d20a73496989641714df3.tar.gz
samba-738271fc2026b2911b7d20a73496989641714df3.tar.bz2
samba-738271fc2026b2911b7d20a73496989641714df3.zip
Remove the variable "size" from reply_nttrans
This converts the range checks for the setup[] array to rely on req->wct being set correctly in init_smb_request. As that already verifies the vwv array to be in the range of the smb_request inbuf, we don't have to do overflow checks here anymore. Jeremy, please check thoroughly! :-) Thanks, Volker
-rw-r--r--source3/smbd/nttrans.c23
1 files changed, 13 insertions, 10 deletions
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 329ba23ddd..b516f02c21 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -2529,7 +2529,6 @@ void reply_nttrans(struct smb_request *req)
uint16 function_code;
NTSTATUS result;
struct trans_state *state;
- uint32_t size;
uint32_t av_size;
START_PROFILE(SMBnttrans);
@@ -2540,7 +2539,6 @@ void reply_nttrans(struct smb_request *req)
return;
}
- size = smb_len(req->inbuf) + 4;
av_size = smb_len(req->inbuf);
pscnt = IVAL(req->vwv+9, 1);
psoff = IVAL(req->vwv+11, 1);
@@ -2676,6 +2674,19 @@ void reply_nttrans(struct smb_request *req)
if(state->setup_count > 0) {
DEBUG(10,("reply_nttrans: state->setup_count = %d\n",
state->setup_count));
+
+ /*
+ * No overflow possible here, state->setup_count is an
+ * unsigned int, being filled by a single byte from
+ * CVAL(req->vwv+13, 0) above. The cast in the comparison
+ * below is not necessary, it's here to clarify things. The
+ * validity of req->vwv and req->wct has been checked in
+ * init_smb_request already.
+ */
+ if ((state->setup_count/2) + 19 > (unsigned int)req->wct) {
+ goto bad_param;
+ }
+
state->setup = (uint16 *)TALLOC(state, state->setup_count);
if (state->setup == NULL) {
DEBUG(0,("reply_nttrans : Out of memory\n"));
@@ -2687,14 +2698,6 @@ void reply_nttrans(struct smb_request *req)
return;
}
- if ((smb_nt_SetupStart + state->setup_count < smb_nt_SetupStart) ||
- (smb_nt_SetupStart + state->setup_count < state->setup_count)) {
- goto bad_param;
- }
- if (smb_nt_SetupStart + state->setup_count > size) {
- goto bad_param;
- }
-
memcpy(state->setup, req->vwv+19, state->setup_count);
dump_data(10, (uint8 *)state->setup, state->setup_count);
}
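Review bot: The new bound check in the third hunk rounds state->setup_count down when converting bytes to words, so an odd byte count is under-counted by one word and the following memcpy from req->vwv+19 may read one byte past the last verified vwv word. Whether setup_count can actually be odd depends on its assignment from CVAL(req->vwv+13, 0), which lies outside the hunk; if that assignment does not already double the byte value, the comparison should round up, `if (((state->setup_count + 1) / 2) + 19 > (unsigned int)req->wct) {`. The "No overflow possible" comment is sound for the unsigned int arithmetic, but it would help to state the units explicitly, e.g. `/* setup_count is in bytes; req->wct counts 16-bit words, the setup data starts at word 19 */`. reply_nttrans begins and ends outside the hunks shown.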