authorVolker Lendecke <vlendec@samba.org>2007-08-03 13:13:57 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:29:15 -0500
commit675a484670fd778947661c9227b332c035fe1cf8 (patch)
tree9ccd739763161bdf8975012b1c0bf5102ef9d768 /source3/smbd
parentc28bd38aa67b2f73640282685b76104382650b47 (diff)
r24155: Check wct in reply_trans2
(This used to be commit e0a708c79b4db4aab84022d568b5e7bf519e4b5a)
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/trans2.c26
1 files changed, 21 insertions, 5 deletions
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index acaabeea54..33aa3d0036 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -7018,16 +7018,27 @@ int reply_trans2(connection_struct *conn, char *inbuf,char *outbuf,
int size, int bufsize)
{
int outsize = 0;
- unsigned int dsoff = SVAL(inbuf, smb_dsoff);
- unsigned int dscnt = SVAL(inbuf, smb_dscnt);
- unsigned int psoff = SVAL(inbuf, smb_psoff);
- unsigned int pscnt = SVAL(inbuf, smb_pscnt);
- unsigned int tran_call = SVAL(inbuf, smb_setup0);
+ unsigned int dsoff;
+ unsigned int dscnt;
+ unsigned int psoff;
+ unsigned int pscnt;
+ unsigned int tran_call;
struct trans_state *state;
NTSTATUS result;
START_PROFILE(SMBtrans2);
+ if (SVAL(inbuf, smb_wct) < 8) {
+ END_PROFILE(SMBtrans2);
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ dsoff = SVAL(inbuf, smb_dsoff);
+ dscnt = SVAL(inbuf, smb_dscnt);
+ psoff = SVAL(inbuf, smb_psoff);
+ pscnt = SVAL(inbuf, smb_pscnt);
+ tran_call = SVAL(inbuf, smb_setup0);
+
result = allow_new_trans(conn->pending_trans, SVAL(inbuf, smb_mid));
if (!NT_STATUS_IS_OK(result)) {
DEBUG(2, ("Got invalid trans2 request: %s\n",
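Review bot: The guard added at the top of reply_trans2 reads the word count with `SVAL(inbuf, smb_wct)`, but the SMB word count is a single byte as far as the header layout goes, so the 16-bit read also takes in the byte that follows it and a request with a small wct and a non-zero next byte would pass the `< 8` test; `CVAL(inbuf, smb_wct)` looks like the intended read, and the same applies to the identical check added in reply_transs2. The threshold of 8 also looks too low for this function: the fields read right after the guard (smb_pscnt, smb_psoff, smb_dscnt, smb_dsoff and then smb_setup0) sit beyond the eighth parameter word in the usual trans2 request layout, assuming the offsets in smb.h follow it, so a request declaring 8 to 13 words still reaches those reads. I would write `if (CVAL(inbuf, smb_wct) < 14) {` here and confirm separately that at least one setup word is present before `tran_call = SVAL(inbuf, smb_setup0);`. A short comment on each guard naming the last field it is meant to cover, e.g. `/* wct must cover everything up to smb_dsoff */`, would keep the two thresholds from being copied between the primary and secondary handlers. The body of reply_trans2 continues past the end of the hunk, so whether a later check catches this is not visible here.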
@@ -7198,6 +7209,11 @@ int reply_transs2(connection_struct *conn,
START_PROFILE(SMBtranss2);
+ if (SVAL(inbuf, smb_wct) < 8) {
+ END_PROFILE(SMBtranss2);
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
show_msg(inbuf);
for (state = conn->pending_trans; state != NULL;