authorVolker Lendecke <vlendec@samba.org>2007-08-10 21:33:58 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:29:28 -0500
commitd465b468c1bd1e43fc1bf1622415ed98dafa6627 (patch)
treeab21890d7c64946106fc70d43a78a60cc40be303
parentc898c519843e9bca4104e1414d9f5e0dbad77950 (diff)
r24319: Check wct in reply_read_and_X
(This used to be commit 9ddacdfa131c4a4a852b3d30db1ee22d1852d0c2)
-rw-r--r--source3/smbd/reply.c14
1 files changed, 11 insertions, 3 deletions
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index c02bbc8719..3e35c0064b 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -2860,10 +2860,10 @@ normal_read:
int reply_read_and_X(connection_struct *conn, char *inbuf,char *outbuf,int length,int bufsize)
{
- files_struct *fsp = file_fsp(SVAL(inbuf,smb_vwv2));
- SMB_OFF_T startpos = IVAL_TO_SMB_OFF_T(inbuf,smb_vwv3);
+ files_struct *fsp;
+ SMB_OFF_T startpos;
ssize_t nread = -1;
- size_t smb_maxcnt = SVAL(inbuf,smb_vwv5);
+ size_t smb_maxcnt;
BOOL big_readX = False;
#if 0
size_t smb_mincnt = SVAL(inbuf,smb_vwv6);
@@ -2871,6 +2871,14 @@ int reply_read_and_X(connection_struct *conn, char *inbuf,char *outbuf,int lengt
START_PROFILE(SMBreadX);
+ if ((CVAL(inbuf, smb_wct) != 10) && (CVAL(inbuf, smb_wct) != 12)) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ fsp = file_fsp(SVAL(inbuf,smb_vwv2));
+ startpos = IVAL_TO_SMB_OFF_T(inbuf,smb_vwv3);
+ smb_maxcnt = SVAL(inbuf,smb_vwv5);
+
/* If it's an IPC, pass off the pipe handler. */
if (IS_IPC(conn)) {
END_PROFILE(SMBreadX);
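Review bot: The new early return on a bad word count sits after `START_PROFILE(SMBreadX)` but never calls `END_PROFILE(SMBreadX)`, unlike the IPC branch right below it, so a malformed request leaves the profiling section unbalanced. Either add `END_PROFILE(SMBreadX);` before `return ERROR_NT(NT_STATUS_INVALID_PARAMETER);` or move the `smb_wct` check above `START_PROFILE`. A short comment on the check would also help the next reader, e.g. `/* wct 10 = basic request, wct 12 = variant with the high offset word; reject anything else before touching the vwv fields */`. The check only validates the declared word count; whether the packet length actually covers those words is presumably verified by the caller and is not visible here. The body of reply_read_and_X continues outside the hunk.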