diff options
| author | Volker Lendecke <vl@samba.org> | 2013-08-27 09:37:34 +0000 |
|---|---|---|
| committer | Jeremy Allison <jra@samba.org> | 2013-08-28 23:37:08 +0200 |
| commit | 40f60024ca19e33cbbe9825b42692f386a8f1dd9 (patch) | |
| tree | a9d14846733b4409eb6ec87b9d42393d180b6bd5 /source3/smbd | |
| parent | 91939614760837b2ac2c6bb8b5daac108a4f4670 (diff) | |
| download | samba-40f60024ca19e33cbbe9825b42692f386a8f1dd9.tar.gz samba-40f60024ca19e33cbbe9825b42692f386a8f1dd9.tar.bz2 samba-40f60024ca19e33cbbe9825b42692f386a8f1dd9.zip | |
smbd: Correctly return BUFFER_OVERFLOW in smb2_getinfo
Also, don't overflow the client buffer
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source3/smbd')
| -rw-r--r-- | source3/smbd/smb2_getinfo.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c index c6a143331b..4111aa1dc0 100644 --- a/source3/smbd/smb2_getinfo.c +++ b/source3/smbd/smb2_getinfo.c @@ -406,6 +406,11 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx, if (tevent_req_nomem(state->out_output_buffer.data, req)) { return tevent_req_post(req, ev); } + if (data_size > in_output_buffer_length) { + state->out_output_buffer.length = + in_output_buffer_length; + status = STATUS_BUFFER_OVERFLOW; + } } SAFE_FREE(data); break; @@ -454,6 +459,11 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx, if (tevent_req_nomem(state->out_output_buffer.data, req)) { return tevent_req_post(req, ev); } + if (data_size > in_output_buffer_length) { + state->out_output_buffer.length = + in_output_buffer_length; + status = STATUS_BUFFER_OVERFLOW; + } } SAFE_FREE(data); break; |