s3:smbd: Fix off-by 4 error in wrap protection code in create_outbuf()

Subtract 4 from smb_size (39) here as the length
of the SMB reply following the 4 byte type+length
field can be up to 0xFFFFFF bytes.

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

1 files changed, 11 insertions, 6 deletions

diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index fcb970d77b..1ebda799c9 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1270,11 +1270,13 @@ static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
 			  const char *inbuf, char **outbuf, uint8_t num_words,
 			  uint32_t num_bytes)
 {
+	size_t smb_len = MIN_SMB_SIZE + VWV(num_words) + num_bytes;
+
 	/*
-         * Protect against integer wrap
-         */
-	if ((num_bytes > 0xffffff)
-	    || ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
+	 * Protect against integer wrap.
+	 * The SMB layer reply can be up to 0xFFFFFF bytes.
+	 */
+	if ((num_bytes > 0xffffff) || (smb_len > 0xffffff)) {
 		char *msg;
 		if (asprintf(&msg, "num_bytes too large: %u",
 			     (unsigned)num_bytes) == -1) {
@@ -1283,8 +1285,11 @@ static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
 		smb_panic(msg);
 	}
 
+	/*
+	 * Here we include the NBT header for now.
+	 */
 	*outbuf = talloc_array(mem_ctx, char,
-			       smb_size + num_words*2 + num_bytes);
+			       NBT_HDR_SIZE + smb_len);
 	if (*outbuf == NULL) {
 		return false;
 	}
@@ -1296,7 +1301,7 @@ static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
 	 * himself
 	 */
 	if (num_words != 0) {
-		memset(*outbuf + smb_vwv0, 0, num_words*2);
+		memset(*outbuf + (NBT_HDR_SIZE + HDR_VWV), 0, VWV(num_words));
 	}
 
 	return true;