author | Stefan Metzmacher <metze@samba.org> | 2009-07-08 17:02:00 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2009-07-10 12:24:23 +0200 |
commit | 12ed9ca36a4f8d2f3798f357a619389c26c9feea (patch) | |
tree | 2f468119f26d3b0625b793c6f6c07f633a139dab /source3/smbd | |
parent | db1e58256861c50a9baed8efc862ba5b5834e28b (diff) | |
s3:smbd: fix parsing of invalid SMB2 requests.
Because of 0 - 2 => 0xFFFFFFFE, we got EMSGSIZE
from the tstream layer. And terminate the transport
connection. Instead we should let the caller deal with
the invalid parameter, when checking the body size.
So the caller always gets at least a 2 byte body.
metze
Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/smb2_server.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c index 43afb1b901..204e57d860 100644 --- a/source3/smbd/smb2_server.c +++ b/source3/smbd/smb2_server.c @@ -1339,7 +1339,7 @@ static int smbd_smb2_request_next_vector(struct tstream_context *stream, if (invalid) { /* the caller should check this */ - body_size = 0; + body_size = 2; } if ((body_size % 2) != 0) { @@ -1376,7 +1376,7 @@ static int smbd_smb2_request_next_vector(struct tstream_context *stream, */ memcpy(body, hdr + SMB2_HDR_BODY, 2); vector[0].iov_base = body + 2; - vector[0].iov_len = req->in.vector[idx].iov_len - 2; + vector[0].iov_len = body_size - 2; vector[1] = req->in.vector[idx+1]; |
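Review bot: the `body_size = 2;` assignment in the `if (invalid)` branch of the first hunk is an unexplained literal, and the existing comment (`/* the caller should check this */`) does not say why the value is 2. Suggest expanding the comment to state that 2 is the minimum body, matching the 2 bytes copied from `hdr + SMB2_HDR_BODY` in the second hunk, so that the later `body_size - 2` cannot wrap (the 0 - 2 => 0xFFFFFFFE case from the commit message), and that the caller is still expected to reject the request when it checks the body size. A named constant shared by both sites would keep them in sync.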
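Review bot: in the second hunk, `vector[0].iov_len = body_size - 2;` still depends on `body_size >= 2` on every path that reaches it, and the lines shown only force that in the `if (invalid)` branch. Suggest an explicit guard before the subtraction (return an error when `body_size < 2`) so a request that is not flagged invalid but carries a smaller size cannot reintroduce the wrap. Since the length is now taken from `body_size` instead of `req->in.vector[idx].iov_len`, a short comment confirming that the buffer behind `body` is sized from the same `body_size` would make the `body + 2` / `body_size - 2` pairing easier to verify.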