summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2013-03-18 15:05:24 -0700
committerJeremy Allison <jra@samba.org>2013-03-20 09:32:26 -0700
commit36f6a8abb2ad0c7d0551679cc61a29fa2dc16d80 (patch)
treeca340b3d48a3456a7d0c99b560d7b6f1fc537ef8 /source3
parentb80111adb3a30ff386b3c45fcf962c417256bb59 (diff)
downloadsamba-36f6a8abb2ad0c7d0551679cc61a29fa2dc16d80.tar.gz
samba-36f6a8abb2ad0c7d0551679cc61a29fa2dc16d80.tar.bz2
samba-36f6a8abb2ad0c7d0551679cc61a29fa2dc16d80.zip
s3:smbd: Fix off-by 4 error in wrap protection code in create_outbuf()
Subtract 4 from smb_size (39) here as the length of the SMB reply following the 4 byte type+length field can be up to 0xFFFFFF bytes. Signed-off-by: Jeremy Allison <jra@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source3')
-rw-r--r--source3/smbd/process.c17
1 files changed, 11 insertions, 6 deletions
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index fcb970d77b..1ebda799c9 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1270,11 +1270,13 @@ static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
const char *inbuf, char **outbuf, uint8_t num_words,
uint32_t num_bytes)
{
+ size_t smb_len = MIN_SMB_SIZE + VWV(num_words) + num_bytes;
+
/*
- * Protect against integer wrap
- */
- if ((num_bytes > 0xffffff)
- || ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
+ * Protect against integer wrap.
+ * The SMB layer reply can be up to 0xFFFFFF bytes.
+ */
+ if ((num_bytes > 0xffffff) || (smb_len > 0xffffff)) {
char *msg;
if (asprintf(&msg, "num_bytes too large: %u",
(unsigned)num_bytes) == -1) {
@@ -1283,8 +1285,11 @@ static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
smb_panic(msg);
}
+ /*
+ * Here we include the NBT header for now.
+ */
*outbuf = talloc_array(mem_ctx, char,
- smb_size + num_words*2 + num_bytes);
+ NBT_HDR_SIZE + smb_len);
if (*outbuf == NULL) {
return false;
}
@@ -1296,7 +1301,7 @@ static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
* himself
*/
if (num_words != 0) {
- memset(*outbuf + smb_vwv0, 0, num_words*2);
+ memset(*outbuf + (NBT_HDR_SIZE + HDR_VWV), 0, VWV(num_words));
}
return true;