s3:libsmb: verify num_setup for SMBnttrans in cli_pull_trans()

metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Fri Nov 18 15:13:52 CET 2011 on sn-devel-104
author: Stefan Metzmacher <metze@samba.org> 2011-11-18 13:20:43 +0100
committer: Stefan Metzmacher <metze@samba.org> 2011-11-18 15:13:52 +0100
commit: 20df0f34a8670f0dd5f3eaeb74af900f535bbe01 (patch)
tree: 56874cef916091871199bde308f74924b4909676
parent: d3cb61cf05485eda26280186bfa3850e2e6bcca9 (diff)
download: samba-20df0f34a8670f0dd5f3eaeb74af900f535bbe01.tar.gz
samba-20df0f34a8670f0dd5f3eaeb74af900f535bbe01.tar.bz2
samba-20df0f34a8670f0dd5f3eaeb74af900f535bbe01.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/source3/libsmb/clitrans.c b/source3/libsmb/clitrans.c
index 8ac31d89f1..5c73e2da74 100644
--- a/source3/libsmb/clitrans.c
+++ b/source3/libsmb/clitrans.c
@@ -120,6 +120,7 @@ static NTSTATUS cli_pull_trans(uint8_t *inbuf,
 		if (wct < 18) {
 			return NT_STATUS_INVALID_NETWORK_RESPONSE;
 		}
+		expected_num_setup = wct - 18;
 		*ptotal_param	= IVAL(vwv, 3);
 		*ptotal_data	= IVAL(vwv, 7);
 		*pnum_param	= IVAL(vwv, 11);
@@ -129,6 +130,9 @@ static NTSTATUS cli_pull_trans(uint8_t *inbuf,
 		data_ofs	= IVAL(vwv, 27);
 		*pdata_disp	= IVAL(vwv, 31);
 		*pnum_setup	= CVAL(vwv, 35);
+		if (expected_num_setup < (*pnum_setup)) {
+			return NT_STATUS_INVALID_NETWORK_RESPONSE;
+		}
 		*psetup		= vwv + 18;
 		break;
author	Stefan Metzmacher <metze@samba.org>	2011-11-18 13:20:43 +0100
committer	Stefan Metzmacher <metze@samba.org>	2011-11-18 15:13:52 +0100
commit	20df0f34a8670f0dd5f3eaeb74af900f535bbe01 (patch)
tree	56874cef916091871199bde308f74924b4909676
parent	d3cb61cf05485eda26280186bfa3850e2e6bcca9 (diff)
download	samba-20df0f34a8670f0dd5f3eaeb74af900f535bbe01.tar.gz samba-20df0f34a8670f0dd5f3eaeb74af900f535bbe01.tar.bz2 samba-20df0f34a8670f0dd5f3eaeb74af900f535bbe01.zip