authorJeremy Allison <jra@samba.org>2007-08-16 23:53:51 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:29:52 -0500
commita662a62e5a718065640e9b9f3c8f166638f4ec9a (patch)
tree8af139c68ddb0eec0f456b7f2f9190a3298fbc31
parent077d5d2e369e4fcb3e8c8fec862da9e450398ef3 (diff)
r24500: Add check that bcc is correct in an incoming packet.
Jeremy. (This used to be commit 267a0ac48d358e1bd10d92238352ca3d867a58d4)
-rw-r--r--source3/smbd/process.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index bf3abf9758..35f1d6fb3c 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -70,13 +70,22 @@ void init_smb_request(struct smb_request *req, const uint8 *inbuf)
req->vuid = SVAL(inbuf, smb_uid);
req->tid = SVAL(inbuf, smb_tid);
req->wct = CVAL(inbuf, smb_wct);
- /* Ensure we have at least wct words. */
+ /* Ensure we have at least wct words and 2 bytes of bcc. */
if (smb_size + req->wct*2 > req_size) {
DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
(unsigned int)req->wct,
(unsigned int)req_size));
exit_server_cleanly("Invalid SMB request");
}
+ /* Ensure bcc is correct. */
+ if (((uint8 *)smb_buf(inbuf)) + smb_buflen(inbuf) > inbuf + req_size) {
+ DEBUG(0,("init_smb_request: invalid bcc number %u "
+ "(wct = %u, size %u)\n",
+ (unsigned int)smb_buflen(inbuf),
+ (unsigned int)req->wct,
+ (unsigned int)req_size));
+ exit_server_cleanly("Invalid SMB request");
+ }
req->inbuf = inbuf;
req->outbuf = NULL;
}
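Review bot: The new bcc check, `if (((uint8 *)smb_buf(inbuf)) + smb_buflen(inbuf) > inbuf + req_size)`, validates a client-supplied length by forming a pointer that can lie well past the end of the received buffer, which is undefined behaviour in C, and the cast also drops the `const` on `inbuf`. Comparing offsets keeps it in the same form as the wct check just above: `if (smb_size + req->wct*2 + smb_buflen(inbuf) > req_size) {`. This assumes smb_buf() resolves to `inbuf + smb_size + wct*2`, which is not visible in the hunk and should be confirmed. The comment `/* Ensure bcc is correct. */` would be more accurate as `/* Ensure the bcc bytes fit inside the received packet. */`, since only the upper bound is tested. The function starts outside the hunk, so the definition of `req_size` is not visible here.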