diff options
author | Jeremy Allison <jra@samba.org> | 2003-10-16 18:17:44 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2003-10-16 18:17:44 +0000 |
commit | 3a9510acaed2d5e28b17934a2d110998232565e2 (patch) | |
tree | 4bc626c707afcf9d6dc5cda0ef473a70dada993d | |
parent | 53efe50458ef03e877b752b2e82340d82ae08af4 (diff) | |
download | samba-3a9510acaed2d5e28b17934a2d110998232565e2.tar.gz samba-3a9510acaed2d5e28b17934a2d110998232565e2.tar.bz2 samba-3a9510acaed2d5e28b17934a2d110998232565e2.zip |
Fix buggy data_len calculation in echo. Add paranoia debug message.
Jeremy.
(This used to be commit 5332af1124077f49e84836f5cedfbde98336b142)
-rw-r--r-- | source3/smbd/reply.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index ec63be32b4..011186ba89 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -2784,7 +2784,11 @@ int reply_echo(connection_struct *conn, int outsize = set_message(outbuf,1,data_len,True); START_PROFILE(SMBecho); - data_len = MIN(data_len, (sizeof(inbuf)-(smb_buf(inbuf)-inbuf))); + if (data_len > BUFFER_SIZE) { + DEBUG(0,("reply_echo: data_len too large.\n")); + END_PROFILE(SMBecho); + return -1; + } /* copy any incoming data back out */ if (data_len > 0) |