authorStefan Metzmacher <metze@samba.org>2009-07-08 17:02:00 +0200
committerStefan Metzmacher <metze@samba.org>2009-07-10 12:24:23 +0200
commit12ed9ca36a4f8d2f3798f357a619389c26c9feea (patch)
tree2f468119f26d3b0625b793c6f6c07f633a139dab /source3/smbd
parentdb1e58256861c50a9baed8efc862ba5b5834e28b (diff)
s3:smbd: fix parsing of invalid SMB2 requests.
Because of 0 - 2 => 0xFFFFFFFE, we got EMSGSIZE from the tstream layer and terminated the transport connection. Instead we should let the caller deal with the invalid parameter when checking the body size, so the caller always gets at least a 2 byte body. metze
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/smb2_server.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 43afb1b901..204e57d860 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -1339,7 +1339,7 @@ static int smbd_smb2_request_next_vector(struct tstream_context *stream,
if (invalid) {
/* the caller should check this */
- body_size = 0;
+ body_size = 2;
}
if ((body_size % 2) != 0) {
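Review bot: The literal 2 assigned in the `invalid` branch is unexplained; the existing comment only says the caller should check. It appears to be the two bytes that the later code copies from `hdr + SMB2_HDR_BODY` and subtracts in `body_size - 2`, so the comment could say so: `/* keep the 2 byte minimum body so body_size - 2 below cannot wrap; the caller should check this */`. A named constant shared by both sites would keep the 2 here and the `- 2` further down from drifting apart. The enclosing function starts and ends outside this hunk.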
@@ -1376,7 +1376,7 @@ static int smbd_smb2_request_next_vector(struct tstream_context *stream,
*/
memcpy(body, hdr + SMB2_HDR_BODY, 2);
vector[0].iov_base = body + 2;
- vector[0].iov_len = req->in.vector[idx].iov_len - 2;
+ vector[0].iov_len = body_size - 2;
vector[1] = req->in.vector[idx+1];
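Review bot: `vector[0].iov_len = body_size - 2` is safe only if body_size is at least 2 on every path that reaches it, and the only such guarantee visible in this commit is the `invalid` branch in the first hunk. The commit message describes the `0 - 2 => 0xFFFFFFFE` wrap, so the subtraction is evidently unsigned. A header-supplied size of 0 or 1 that is not flagged invalid would wrap the same way, and so would an odd size rounded down by the `(body_size % 2) != 0` branch, whose body is not shown. How `invalid` is computed lies outside these hunks, so this may already be covered. If it is not, a local guard before the `memcpy` makes the invariant explicit: `if (body_size < 2) { body_size = 2; }`. It is also worth confirming that the `body` buffer is allocated from the same adjusted body_size, since `iov_base = body + 2` with this length is where the transport will write.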