author | Andrew Tridgell <tridge@samba.org> | 1997-10-04 05:21:47 +0000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 1997-10-04 05:21:47 +0000 |
commit | b6a3fd6777b4029afca03a36dfdb9bb45c01fa9c (patch) | |
tree | 52d441dbbdcd655609aee0fa299af21d701ac73e /source3/client | |
parent | c549112d4b7b283e35ac522791c0095ea6099af7 (diff) | |
a bit of bounds checking
(This used to be commit d40199f4fe1344058267859820cb36b77a20442a)
Diffstat (limited to 'source3/client')
-rw-r--r-- | source3/client/clientutil.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/source3/client/clientutil.c b/source3/client/clientutil.c
index d16e5a471f..ed5497782b 100644
--- a/source3/client/clientutil.c
+++ b/source3/client/clientutil.c
@@ -126,6 +126,13 @@ BOOL cli_receive_trans_response(char *inbuf,int trans,int *data_len,
 {
 this_data = SVAL(inbuf,smb_drcnt);
 this_param = SVAL(inbuf,smb_prcnt);
+
+ if (this_data + *data_len > total_data ||
+ this_param + *param_len > total_param) {
+ DEBUG(1,("Data overflow in cli_receive_trans_response\n"));
+ return False;
+ }
+
 if (this_data)
 memcpy(*data + SVAL(inbuf,smb_drdisp),
 smb_base(inbuf) + SVAL(inbuf,smb_droff),
@@ -453,6 +460,11 @@ BOOL cli_send_login(char *inbuf, char *outbuf, BOOL start_session, BOOL use_setu
 /* send a session setup command */
 bzero(outbuf,smb_size);
+ if (passlen > MAX_PASSWORD_LENGTH) {
+ DEBUG(1,("password too long %d\n", passlen));
+ return False;
+ }
+
 if (Protocol < PROTOCOL_NT1) {
 set_message(outbuf,10,1 + strlen(username) + passlen,True);
 CVAL(outbuf,smb_com) = SMBsesssetupX;
|
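Review bot: The added check bounds only the running totals (`this_data + *data_len`, `this_param + *param_len`), while the `memcpy` directly below writes at `*data + SVAL(inbuf,smb_drdisp)`, a displacement taken from the packet that the check never examines. A response with a small `smb_drcnt` but a displacement near or beyond `total_data` passes the new test and the copy still lands outside the destination buffer. The guard should also cover the displacement, for example `if (SVAL(inbuf,smb_drdisp) + this_data > total_data) return False;`, and presumably the same for the parameter copy, which is outside this hunk. The source side, `smb_base(inbuf) + SVAL(inbuf,smb_droff)` plus `this_data`, is likewise not compared with the length of the packet actually received. The enclosing loop body starts and ends outside the hunk.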
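Review bot: The new guard in cli_send_login is an upper bound only. `passlen` is printed with `%d`, so it is presumably a signed int (its declaration is outside the hunk), and a negative value passes `passlen > MAX_PASSWORD_LENGTH` and flows into the size computed by `set_message(outbuf,10,1 + strlen(username) + passlen,True)`. I would write the test as `if (passlen < 0 || passlen > MAX_PASSWORD_LENGTH) {`. Whether `>` or `>=` is the right comparison depends on the size of the buffer the password is later copied into, which is not visible here; a one-line comment above the check naming that buffer would make the limit auditable.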