diff options
author | Volker Lendecke <vl@samba.org> | 2008-11-08 16:14:12 +0100 |
---|---|---|
committer | Volker Lendecke <vl@samba.org> | 2008-11-28 08:24:28 +0100 |
commit | 738271fc2026b2911b7d20a73496989641714df3 (patch) | |
tree | 983613874081b507d5de48e296dc4e0f8db9805f | |
parent | 9da3101e449649f0614240f13157ac81e17b2e90 (diff) | |
download | samba-738271fc2026b2911b7d20a73496989641714df3.tar.gz samba-738271fc2026b2911b7d20a73496989641714df3.tar.bz2 samba-738271fc2026b2911b7d20a73496989641714df3.zip |
Remove the variable "size" from reply_nttrans
This converts the range checks for the setup[] array to rely on req->wct being
set correctly in init_smb_request. As that already verifies the vwv array to be
in the range of the smb_request inbuf, we don't have to do overflow checks here
anymore.
Jeremy, please check thoroughly! :-)
Thanks,
Volker
-rw-r--r-- | source3/smbd/nttrans.c | 23 |
1 files changed, 13 insertions, 10 deletions
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index 329ba23ddd..b516f02c21 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -2529,7 +2529,6 @@ void reply_nttrans(struct smb_request *req) uint16 function_code; NTSTATUS result; struct trans_state *state; - uint32_t size; uint32_t av_size; START_PROFILE(SMBnttrans); @@ -2540,7 +2539,6 @@ void reply_nttrans(struct smb_request *req) return; } - size = smb_len(req->inbuf) + 4; av_size = smb_len(req->inbuf); pscnt = IVAL(req->vwv+9, 1); psoff = IVAL(req->vwv+11, 1); @@ -2676,6 +2674,19 @@ void reply_nttrans(struct smb_request *req) if(state->setup_count > 0) { DEBUG(10,("reply_nttrans: state->setup_count = %d\n", state->setup_count)); + + /* + * No overflow possible here, state->setup_count is an + * unsigned int, being filled by a single byte from + * CVAL(req->vwv+13, 0) above. The cast in the comparison + * below is not necessary, it's here to clarify things. The + * validity of req->vwv and req->wct has been checked in + * init_smb_request already. + */ + if ((state->setup_count/2) + 19 > (unsigned int)req->wct) { + goto bad_param; + } + state->setup = (uint16 *)TALLOC(state, state->setup_count); if (state->setup == NULL) { DEBUG(0,("reply_nttrans : Out of memory\n")); @@ -2687,14 +2698,6 @@ void reply_nttrans(struct smb_request *req) return; } - if ((smb_nt_SetupStart + state->setup_count < smb_nt_SetupStart) || - (smb_nt_SetupStart + state->setup_count < state->setup_count)) { - goto bad_param; - } - if (smb_nt_SetupStart + state->setup_count > size) { - goto bad_param; - } - memcpy(state->setup, req->vwv+19, state->setup_count); dump_data(10, (uint8 *)state->setup, state->setup_count); } |