summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2003-10-16 18:17:44 +0000
committerJeremy Allison <jra@samba.org>2003-10-16 18:17:44 +0000
commit3a9510acaed2d5e28b17934a2d110998232565e2 (patch)
tree4bc626c707afcf9d6dc5cda0ef473a70dada993d
parent53efe50458ef03e877b752b2e82340d82ae08af4 (diff)
downloadsamba-3a9510acaed2d5e28b17934a2d110998232565e2.tar.gz
samba-3a9510acaed2d5e28b17934a2d110998232565e2.tar.bz2
samba-3a9510acaed2d5e28b17934a2d110998232565e2.zip
Fix buggy data_len calculation in echo. Add paranoia debug message.
Jeremy. (This used to be commit 5332af1124077f49e84836f5cedfbde98336b142)
-rw-r--r--source3/smbd/reply.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index ec63be32b4..011186ba89 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -2784,7 +2784,11 @@ int reply_echo(connection_struct *conn,
int outsize = set_message(outbuf,1,data_len,True);
START_PROFILE(SMBecho);
- data_len = MIN(data_len, (sizeof(inbuf)-(smb_buf(inbuf)-inbuf)));
+ if (data_len > BUFFER_SIZE) {
+ DEBUG(0,("reply_echo: data_len too large.\n"));
+ END_PROFILE(SMBecho);
+ return -1;
+ }
/* copy any incoming data back out */
if (data_len > 0)