author | Jeremy Allison <jra@samba.org> | 2008-05-28 09:31:42 -0700 |
committer | Jeremy Allison <jra@samba.org> | 2008-05-28 09:31:42 -0700 |
commit | d36434f31268b75040311352f23c92c9a61e8cda (patch) | |
tree | fc19fb649d4a6ecf29f43b872975c7f6eeaeebd3 /source3/lib | |
parent | 611072fc1cd94e6c9d56ce910fd13f007f6ecb84 (diff) | |
Security fix for CVE-2008-1105: Boundary failure when parsing SMB responses
can result in a buffer overrun.
Jeremy.
(This used to be commit 23b825e9d2c74c5b940cf4d3aa56c18692259972)
Diffstat (limited to 'source3/lib')
-rw-r--r-- | source3/lib/util_sock.c | 18 |
1 files changed, 5 insertions, 13 deletions
diff --git a/source3/lib/util_sock.c b/source3/lib/util_sock.c
index f252377b7e..b2a1ece5db 100644
--- a/source3/lib/util_sock.c
+++ b/source3/lib/util_sock.c
@@ -1151,16 +1151,15 @@ NTSTATUS read_smb_length(int fd, char *inbuf, unsigned int timeout,
 }
 
 /****************************************************************************
- Read an smb from a fd. Note that the buffer *MUST* be of size
- BUFFER_SIZE+SAFETY_MARGIN.
+ Read an smb from a fd.
  The timeout is in milliseconds.
  This function will return on receipt of a session keepalive packet.
  maxlen is the max number of bytes to return, not including the 4 byte
- length. If zero it means BUFFER_SIZE+SAFETY_MARGIN limit.
+ length. If zero it means buflen limit.
  Doesn't check the MAC on signed packets.
 ****************************************************************************/
 
-NTSTATUS receive_smb_raw(int fd, char *buffer, unsigned int timeout,
+NTSTATUS receive_smb_raw(int fd, char *buffer, size_t buflen, unsigned int timeout,
 			 size_t maxlen, size_t *p_len)
 {
 	size_t len;
@@ -1173,17 +1172,10 @@ NTSTATUS receive_smb_raw(int fd, char *buffer, unsigned int timeout,
 		return status;
 	}
 
-	/*
-	 * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
-	 * of header. Don't print the error if this fits.... JRA.
-	 */
-
-	if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
+	if (len > buflen) {
 		DEBUG(0,("Invalid packet length! (%lu bytes).\n",
 			(unsigned long)len));
-		if (len > BUFFER_SIZE + (SAFETY_MARGIN/2)) {
-			return NT_STATUS_INVALID_PARAMETER;
-		}
+		return NT_STATUS_INVALID_PARAMETER;
 	}
 
 	if(len > 0) {
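Review bot: The rewritten header comment introduces the new `buflen` parameter but never says what it measures: the total size of `buffer`, or the number of payload bytes that may follow the 4 byte length. The only hint is "If zero it means buflen limit" on the maxlen line, and since the length guard in the next hunk compares `len` directly against `buflen`, callers sizing their buffer need that contract stated. I would add a line to the comment such as ` buflen is the size in bytes of buffer; it bounds the payload read after the 4 byte length prefix.` adjusted to whichever meaning the callers actually use. The body of receive_smb_raw continues past this hunk.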
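Review bot: `if (len > buflen)` rejects payloads larger than the whole buffer, but it appears the 4 byte length word is already stored at the start of `buffer` (read_smb_length is called above the hunk) and the payload is presumably read at `buffer+4` further down, outside this hunk; if so, a packet whose length equals `buflen` would still overrun the caller's buffer by four bytes. If `buflen` is the total allocation size the guard should be `if (buflen < 4 || len > buflen - 4) {` so the prefix is accounted for and a too-small buffer is refused rather than wrapping the size_t subtraction; if `buflen` is instead meant as the payload bound, the header comment should say so explicitly. Logging at DEBUG level 0 before returning NT_STATUS_INVALID_PARAMETER is appropriate for rejected input, since it makes the condition visible without touching the buffer. The enclosing function continues past the end of the hunk.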