summaryrefslogtreecommitdiff
path: root/source3/lib
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2008-05-28 09:31:42 -0700
committerJeremy Allison <jra@samba.org>2008-05-28 09:31:42 -0700
commitd36434f31268b75040311352f23c92c9a61e8cda (patch)
treefc19fb649d4a6ecf29f43b872975c7f6eeaeebd3 /source3/lib
parent611072fc1cd94e6c9d56ce910fd13f007f6ecb84 (diff)
downloadsamba-d36434f31268b75040311352f23c92c9a61e8cda.tar.gz
samba-d36434f31268b75040311352f23c92c9a61e8cda.tar.bz2
samba-d36434f31268b75040311352f23c92c9a61e8cda.zip
Security fix for CVE-2008-1105: Boundary failure when parsing SMB responses
can result in a buffer overrun. Jeremy. (This used to be commit 23b825e9d2c74c5b940cf4d3aa56c18692259972)
Diffstat (limited to 'source3/lib')
-rw-r--r--source3/lib/util_sock.c18
1 files changed, 5 insertions, 13 deletions
diff --git a/source3/lib/util_sock.c b/source3/lib/util_sock.c
index f252377b7e..b2a1ece5db 100644
--- a/source3/lib/util_sock.c
+++ b/source3/lib/util_sock.c
@@ -1151,16 +1151,15 @@ NTSTATUS read_smb_length(int fd, char *inbuf, unsigned int timeout,
}
/****************************************************************************
- Read an smb from a fd. Note that the buffer *MUST* be of size
- BUFFER_SIZE+SAFETY_MARGIN.
+ Read an smb from a fd.
The timeout is in milliseconds.
This function will return on receipt of a session keepalive packet.
maxlen is the max number of bytes to return, not including the 4 byte
- length. If zero it means BUFFER_SIZE+SAFETY_MARGIN limit.
+ length. If zero it means buflen limit.
Doesn't check the MAC on signed packets.
****************************************************************************/
-NTSTATUS receive_smb_raw(int fd, char *buffer, unsigned int timeout,
+NTSTATUS receive_smb_raw(int fd, char *buffer, size_t buflen, unsigned int timeout,
size_t maxlen, size_t *p_len)
{
size_t len;
@@ -1173,17 +1172,10 @@ NTSTATUS receive_smb_raw(int fd, char *buffer, unsigned int timeout,
return status;
}
- /*
- * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
- * of header. Don't print the error if this fits.... JRA.
- */
-
- if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
+ if (len > buflen) {
DEBUG(0,("Invalid packet length! (%lu bytes).\n",
(unsigned long)len));
- if (len > BUFFER_SIZE + (SAFETY_MARGIN/2)) {
- return NT_STATUS_INVALID_PARAMETER;
- }
+ return NT_STATUS_INVALID_PARAMETER;
}
if(len > 0) {