author | Volker Lendecke <vlendec@samba.org> | 2007-08-13 08:50:09 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:29:35 -0500 |
commit | ecb32af916fbc3fdc5fc48cf0a8c0bbe6ace2ddd (patch) | |
tree | a922f5f70a989a9f4a424868ff49490e5b460ae3 | |
parent | 2d8e4456cd8f0bff60e164c685e69ca9214bacb2 (diff) | |
r24357: Check wct in reply_nttrans[s]
(This used to be commit 9ab87e644e4dc54ebbcb8ad300fe338f4a809ba9)
-rw-r--r-- | source3/smbd/nttrans.c | 27 |
1 files changed, 21 insertions, 6 deletions
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 1500c355d1..566e03008f 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -3176,17 +3176,27 @@ int reply_nttrans(connection_struct *conn, char *inbuf,char *outbuf,int size,int bufsize)
 {
 int outsize = 0;
- uint32 pscnt = IVAL(inbuf,smb_nt_ParameterCount);
- uint32 psoff = IVAL(inbuf,smb_nt_ParameterOffset);
- uint32 dscnt = IVAL(inbuf,smb_nt_DataCount);
- uint32 dsoff = IVAL(inbuf,smb_nt_DataOffset);
-
- uint16 function_code = SVAL( inbuf, smb_nt_Function);
+ uint32 pscnt;
+ uint32 psoff;
+ uint32 dscnt;
+ uint32 dsoff;
+ uint16 function_code;
 NTSTATUS result;
 struct trans_state *state;
 START_PROFILE(SMBnttrans);
+ if (CVAL(inbuf, smb_wct) < 19) {
+ END_PROFILE(SMBnttrans);
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ pscnt = IVAL(inbuf,smb_nt_ParameterCount);
+ psoff = IVAL(inbuf,smb_nt_ParameterOffset);
+ dscnt = IVAL(inbuf,smb_nt_DataCount);
+ dsoff = IVAL(inbuf,smb_nt_DataOffset);
+ function_code = SVAL( inbuf, smb_nt_Function);
+
 if (IS_IPC(conn) && (function_code != NT_TRANSACT_CREATE)) {
 END_PROFILE(SMBnttrans);
 return ERROR_DOS(ERRSRV,ERRaccess);
@@ -3363,6 +3363,11 @@ int reply_nttranss(connection_struct *conn, char *inbuf,char *outbuf,
 show_msg(inbuf);
+ if (CVAL(inbuf, smb_wct) < 18) {
+ END_PROFILE(SMBnttranss);
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
 for (state = conn->pending_trans; state != NULL; state = state->next) {
 if (state->mid == SVAL(inbuf,smb_mid)) { |
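Review bot: The new guard in reply_nttrans, `CVAL(inbuf, smb_wct) < 19`, tests only the word-count byte the client supplied, so the IVAL/SVAL reads after it are safe only if something else already guarantees that the received length `size` covers the words wct claims; nothing visible in this hunk establishes that, and the same applies to the `< 18` check in reply_nttranss. If the caller does not enforce it, the guard should bound the length as well, for example `if (CVAL(inbuf, smb_wct) < 19 || size < smb_size + 19*2) {`, assuming `size` is the full received length as elsewhere in smbd. 19 is also only the fixed part of an NT_TRANSACT request, so if the rest of the body (outside this hunk) reads setup words, wct should be checked there against 19 plus the setup count. A short comment such as `/* NT_TRANSACT request: 19 fixed parameter words, setup words follow */`, with a matching one for the 18 in reply_nttranss, would explain the bare constants.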