authorVolker Lendecke <vlendec@samba.org>2007-08-13 08:50:09 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:29:35 -0500
commitecb32af916fbc3fdc5fc48cf0a8c0bbe6ace2ddd (patch)
treea922f5f70a989a9f4a424868ff49490e5b460ae3
parent2d8e4456cd8f0bff60e164c685e69ca9214bacb2 (diff)
downloadsamba-ecb32af916fbc3fdc5fc48cf0a8c0bbe6ace2ddd.tar.gz
samba-ecb32af916fbc3fdc5fc48cf0a8c0bbe6ace2ddd.tar.bz2
samba-ecb32af916fbc3fdc5fc48cf0a8c0bbe6ace2ddd.zip
r24357: Check wct in reply_nttrans[s]
(This used to be commit 9ab87e644e4dc54ebbcb8ad300fe338f4a809ba9)
-rw-r--r--source3/smbd/nttrans.c27
1 files changed, 21 insertions, 6 deletions
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 1500c355d1..566e03008f 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -3176,17 +3176,27 @@ int reply_nttrans(connection_struct *conn,
char *inbuf,char *outbuf,int size,int bufsize)
{
int outsize = 0;
- uint32 pscnt = IVAL(inbuf,smb_nt_ParameterCount);
- uint32 psoff = IVAL(inbuf,smb_nt_ParameterOffset);
- uint32 dscnt = IVAL(inbuf,smb_nt_DataCount);
- uint32 dsoff = IVAL(inbuf,smb_nt_DataOffset);
-
- uint16 function_code = SVAL( inbuf, smb_nt_Function);
+ uint32 pscnt;
+ uint32 psoff;
+ uint32 dscnt;
+ uint32 dsoff;
+ uint16 function_code;
NTSTATUS result;
struct trans_state *state;
START_PROFILE(SMBnttrans);
+ if (CVAL(inbuf, smb_wct) < 19) {
+ END_PROFILE(SMBnttrans);
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ pscnt = IVAL(inbuf,smb_nt_ParameterCount);
+ psoff = IVAL(inbuf,smb_nt_ParameterOffset);
+ dscnt = IVAL(inbuf,smb_nt_DataCount);
+ dsoff = IVAL(inbuf,smb_nt_DataOffset);
+ function_code = SVAL( inbuf, smb_nt_Function);
+
if (IS_IPC(conn) && (function_code != NT_TRANSACT_CREATE)) {
END_PROFILE(SMBnttrans);
return ERROR_DOS(ERRSRV,ERRaccess);
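Review bot: The threshold in the new `if (CVAL(inbuf, smb_wct) < 19)` guard is a bare protocol constant, and the same pattern recurs with 18 in reply_nttranss in the second hunk, so each deserves a one-line comment above the `if`, e.g. `/* NT_TRANSACT carries 19 fixed parameter words (NT_TRANSACT_SECONDARY: 18); the IVAL/SVAL reads below need all of them present. */`. The guard covers only those fixed words: any setup words that follow are counted by SetupCount, so if the remainder of reply_nttrans (outside this hunk) reads setup data, that count still needs its own bound against wct rather than relying on this check. Both reply_nttrans and reply_nttranss begin above their hunks and their bodies continue past them.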
@@ -3353,6 +3363,11 @@ int reply_nttranss(connection_struct *conn, char *inbuf,char *outbuf,
show_msg(inbuf);
+ if (CVAL(inbuf, smb_wct) < 18) {
+ END_PROFILE(SMBnttranss);
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
for (state = conn->pending_trans; state != NULL;
state = state->next) {
if (state->mid == SVAL(inbuf,smb_mid)) {