authorDavid Disseldorp <ddiss@samba.org>2013-01-15 17:23:12 +0100
committerJeremy Allison <jra@samba.org>2013-01-17 00:59:44 +0100
commit8e63a72ec1e9ea9efcbcdf156274afaed9a4b2ea (patch)
tree0008ea0a9184ca51483c9ab6c69335c7054d02ad /source3/smbd
parentbf07c33dac37442b8f5b49e68653f8ef629ff679 (diff)
smb2_ioctl: copychunk request max output validation
Check that the copychunk ioctl request maximum output specified by the client is large enough to hold copychunk response data. Reviewed by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Thu Jan 17 00:59:44 CET 2013 on sn-devel-104
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/smb2_ioctl_network_fs.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/source3/smbd/smb2_ioctl_network_fs.c b/source3/smbd/smb2_ioctl_network_fs.c
index 8341f2b327..76625ab510 100644
--- a/source3/smbd/smb2_ioctl_network_fs.c
+++ b/source3/smbd/smb2_ioctl_network_fs.c
@@ -175,6 +175,7 @@ static struct tevent_req *fsctl_srv_copychunk_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct files_struct *dst_fsp,
DATA_BLOB *in_input,
+ size_t in_max_output,
struct smbd_smb2_request *smb2req)
{
struct tevent_req *req;
@@ -192,6 +193,16 @@ static struct tevent_req *fsctl_srv_copychunk_send(TALLOC_CTX *mem_ctx,
return NULL;
}
state->conn = dst_fsp->conn;
+
+ if (in_max_output < sizeof(struct srv_copychunk_rsp)) {
+ DEBUG(3, ("max output %d not large enough to hold copy chunk "
+ "response %lu\n", (int)in_max_output,
+ sizeof(struct srv_copychunk_rsp)));
+ state->status = NT_STATUS_INVALID_PARAMETER;
+ tevent_req_nterror(req, state->status);
+ return tevent_req_post(req, ev);
+ }
+
ndr_ret = ndr_pull_struct_blob(in_input, mem_ctx, &cc_copy,
(ndr_pull_flags_fn_t)ndr_pull_srv_copychunk_copy);
if (ndr_ret != NDR_ERR_SUCCESS) {
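Review bot: The DEBUG call in the new size check prints `sizeof(struct srv_copychunk_rsp)` with `%lu` and narrows `in_max_output` to `int` for `%d`; `sizeof` yields `size_t`, so the specifier is mismatched wherever `size_t` is not `unsigned long`, and the cast can misreport a large client-supplied value in the log. Both arguments are `size_t`, so `"response %zu\n", in_max_output, sizeof(struct srv_copychunk_rsp)` with `%zu` in place of `%d` as well removes the cast and the mismatch. Separately, the early exit stores NT_STATUS_INVALID_PARAMETER in `state->status`; the receive side is not visible in this hunk, so it is worth confirming that it does not pack response data for that status when the client's output buffer has just been found too small. The body of fsctl_srv_copychunk_send starts and ends outside the hunk.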
@@ -515,6 +526,7 @@ struct tevent_req *smb2_ioctl_network_fs(uint32_t ctl_code,
case FSCTL_SRV_COPYCHUNK:
subreq = fsctl_srv_copychunk_send(state, ev, state->fsp,
&state->in_input,
+ state->in_max_output,
state->smb2req);
if (tevent_req_nomem(subreq, req)) {
return tevent_req_post(req, ev);