summaryrefslogtreecommitdiff
path: root/source3/smbd/trans2.c
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2003-10-16 20:44:41 +0000
committerJeremy Allison <jra@samba.org>2003-10-16 20:44:41 +0000
commitcdd02fa792c460b6022738d23e64ff4e3526ec11 (patch)
treee66cecda2b1cc0d74fe879ac7560bb70a38a5c0a /source3/smbd/trans2.c
parenteafd0371402009db8051d04b1ae988e8f8817031 (diff)
downloadsamba-cdd02fa792c460b6022738d23e64ff4e3526ec11.tar.gz
samba-cdd02fa792c460b6022738d23e64ff4e3526ec11.tar.bz2
samba-cdd02fa792c460b6022738d23e64ff4e3526ec11.zip
Tidyup wrap checking.
Jeremy. (This used to be commit 707554bcce91f33d0931f9d99050aab50765f5ff)
Diffstat (limited to 'source3/smbd/trans2.c')
-rw-r--r--source3/smbd/trans2.c16
1 files changed, 12 insertions, 4 deletions
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 3d53387c9f..0f02403184 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -3497,7 +3497,8 @@ int reply_trans2(connection_struct *conn,
unsigned int psoff = SVAL(inbuf, smb_psoff);
if ((psoff + num_params < psoff) || (psoff + num_params < num_params))
goto bad_param;
- if (smb_base(inbuf) + psoff + num_params > inbuf + length)
+ if ((smb_base(inbuf) + psoff + num_params > inbuf + length) ||
+ (smb_base(inbuf) + psoff + num_params < smb_base(inbuf)))
goto bad_param;
memcpy( params, smb_base(inbuf) + psoff, num_params);
}
@@ -3505,7 +3506,8 @@ int reply_trans2(connection_struct *conn,
unsigned int dsoff = SVAL(inbuf, smb_dsoff);
if ((dsoff + num_data < dsoff) || (dsoff + num_data < num_data))
goto bad_param;
- if (smb_base(inbuf) + dsoff + num_data > inbuf + length)
+ if ((smb_base(inbuf) + dsoff + num_data > inbuf + length) ||
+ (smb_base(inbuf) + dsoff + num_data < smb_base(inbuf)))
goto bad_param;
memcpy( data, smb_base(inbuf) + dsoff, num_data);
}
@@ -3566,7 +3568,10 @@ int reply_trans2(connection_struct *conn,
if ((param_disp + num_params < param_disp) ||
(param_disp + num_params < num_params))
goto bad_param;
- if (smb_base(inbuf) + param_off + num_params >= inbuf + bufsize)
+ if (param_disp > total_params)
+ goto bad_param;
+ if ((smb_base(inbuf) + param_off + num_params >= inbuf + bufsize) ||
+ (smb_base(inbuf) + param_off + num_params < smb_base(inbuf)))
goto bad_param;
if (params + param_disp < params)
goto bad_param;
@@ -3579,7 +3584,10 @@ int reply_trans2(connection_struct *conn,
if ((data_disp + num_data < data_disp) ||
(data_disp + num_data < num_data))
goto bad_param;
- if (smb_base(inbuf) + data_off + num_data >= inbuf + bufsize)
+ if (data_disp > total_data)
+ goto bad_param;
+ if ((smb_base(inbuf) + data_off + num_data >= inbuf + bufsize) ||
+ (smb_base(inbuf) + data_off + num_data < smb_base(inbuf)))
goto bad_param;
if (data + data_disp < data)
goto bad_param;