authorJeremy Allison <jra@samba.org>2003-10-16 20:44:43 +0000
committerJeremy Allison <jra@samba.org>2003-10-16 20:44:43 +0000
commit450bc69ab36aff1e3011beaacced84de1a57a72a (patch)
tree74bd868e5ba3be13f097dcd91395c24e62cd6711 /source3/smbd/nttrans.c
parent3a9510acaed2d5e28b17934a2d110998232565e2 (diff)
Tidyup wrap checking.
Jeremy. (This used to be commit 41d1870a51c259f0cf17caf59928a3b38b21ea11)
Diffstat (limited to 'source3/smbd/nttrans.c')
-rw-r--r--source3/smbd/nttrans.c16
1 files changed, 12 insertions, 4 deletions
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index b4e7a70088..19af61f190 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -2463,7 +2463,8 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
if ((parameter_offset + parameter_count < parameter_offset) ||
(parameter_offset + parameter_count < parameter_count))
goto bad_param;
- if (smb_base(inbuf) + parameter_offset + parameter_count > inbuf + length)
+ if ((smb_base(inbuf) + parameter_offset + parameter_count > inbuf + length)||
+ (smb_base(inbuf) + parameter_offset + parameter_count < smb_base(inbuf)))
goto bad_param;
memcpy( params, smb_base(inbuf) + parameter_offset, parameter_count);
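Review bot: The added wrap test in the second line of the new condition, `smb_base(inbuf) + parameter_offset + parameter_count < smb_base(inbuf)`, depends on pointer arithmetic overflowing, which is undefined behaviour in C, so an optimising compiler is entitled to remove it. The bounds check is more robust on integers: compute once the number of bytes available between smb_base(inbuf) and inbuf + length, then test `if (parameter_offset > avail || parameter_count > avail - parameter_offset) goto bad_param;`. The same applies to the data check in the next hunk and to the source-range checks in the two secondary-packet hunks. The size of the params allocation is not visible in this hunk, so it should be confirmed in the surrounding code that parameter_count is bounded against it before the memcpy.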
@@ -2473,7 +2474,8 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
DEBUG(10,("reply_nttrans: data_count = %d\n",data_count));
if ((data_offset + data_count < data_offset) || (data_offset + data_count < data_count))
goto bad_param;
- if (smb_base(inbuf) + data_offset + data_count > inbuf + length)
+ if ((smb_base(inbuf) + data_offset + data_count > inbuf + length) ||
+ (smb_base(inbuf) + data_offset + data_count < smb_base(inbuf)))
goto bad_param;
memcpy( data, smb_base(inbuf) + data_offset, data_count);
@@ -2534,7 +2536,10 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
if ((parameter_displacement + parameter_count < parameter_displacement) ||
(parameter_displacement + parameter_count < parameter_count))
goto bad_param;
- if (smb_base(inbuf) + parameter_offset + parameter_count >= inbuf + bufsize)
+ if (parameter_displacement > total_parameter_count)
+ goto bad_param;
+ if ((smb_base(inbuf) + parameter_offset + parameter_count >= inbuf + bufsize) ||
+ (smb_base(inbuf) + parameter_offset + parameter_count < smb_base(inbuf)))
goto bad_param;
if (parameter_displacement + params < params)
goto bad_param;
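Review bot: The new `parameter_displacement > total_parameter_count` test bounds only where the write starts, not where it ends, so a displacement inside the buffer combined with a parameter_count that runs past total_parameter_count passes every check visible here. If params is sized by total_parameter_count (the allocation is outside the hunk), the test should be `if (parameter_displacement + parameter_count > total_parameter_count) goto bad_param;`, which is safe because the wrap test just above has already ruled out overflow of the sum. The data hunk that follows has the same gap with data_displacement, data_count and total_data_count. The copy into params sits after the end of this hunk, so this should be checked against the full function.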
@@ -2548,7 +2553,10 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
if ((data_displacement + data_count < data_displacement) ||
(data_displacement + data_count < data_count))
goto bad_param;
- if (smb_base(inbuf) + data_offset + data_count >= inbuf + bufsize)
+ if (data_displacement > total_data_count)
+ goto bad_param;
+ if ((smb_base(inbuf) + data_offset + data_count >= inbuf + bufsize) ||
+ (smb_base(inbuf) + data_offset + data_count < smb_base(inbuf)))
goto bad_param;
if (data_displacement + data < data)
goto bad_param;