author | Jeremy Allison <jra@samba.org> | 2013-03-18 15:05:24 -0700 |
committer | Jeremy Allison <jra@samba.org> | 2013-03-20 09:32:26 -0700 |
commit | 36f6a8abb2ad0c7d0551679cc61a29fa2dc16d80 (patch) | |
tree | ca340b3d48a3456a7d0c99b560d7b6f1fc537ef8 /source3 | |
parent | b80111adb3a30ff386b3c45fcf962c417256bb59 (diff) | |
s3:smbd: Fix off-by 4 error in wrap protection code in create_outbuf()
Subtract 4 from smb_size (39) here, as the length
of the SMB reply following the 4-byte type+length
field can be up to 0xFFFFFF bytes.
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source3')
-rw-r--r-- | source3/smbd/process.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index fcb970d77b..1ebda799c9 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1270,11 +1270,13 @@ static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
 			  const char *inbuf, char **outbuf,
 			  uint8_t num_words, uint32_t num_bytes)
 {
+	size_t smb_len = MIN_SMB_SIZE + VWV(num_words) + num_bytes;
+
 	/*
-	 * Protect against integer wrap
-	 */
-	if ((num_bytes > 0xffffff)
-	    || ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
+	 * Protect against integer wrap.
+	 * The SMB layer reply can be up to 0xFFFFFF bytes.
+	 */
+	if ((num_bytes > 0xffffff) || (smb_len > 0xffffff)) {
 		char *msg;
 		if (asprintf(&msg, "num_bytes too large: %u",
 			     (unsigned)num_bytes) == -1) {
@@ -1283,8 +1285,11 @@ static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
 		smb_panic(msg);
 	}
 
+	/*
+	 * Here we include the NBT header for now.
+	 */
 	*outbuf = talloc_array(mem_ctx, char,
-			       smb_size + num_words*2 + num_bytes);
+			       NBT_HDR_SIZE + smb_len);
 	if (*outbuf == NULL) {
 		return false;
 	}
@@ -1296,7 +1301,7 @@ static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
 	 * himself
 	 */
 	if (num_words != 0) {
-		memset(*outbuf + smb_vwv0, 0, num_words*2);
+		memset(*outbuf + (NBT_HDR_SIZE + HDR_VWV), 0, VWV(num_words));
 	}
 
 	return true;
|
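Review bot: The panic message in the first hunk still reads `"num_bytes too large: %u"` although the rewritten condition also fires when `smb_len` (which now folds in `VWV(num_words)`) exceeds 0xffffff while `num_bytes` itself is in range, so the diagnostic can name the wrong operand; consider `"reply too large: num_bytes=%u num_words=%u"` with `(unsigned)num_words` as the extra asprintf argument. The retained `num_bytes > 0xffffff` sub-check is worth keeping rather than treating as redundant: `smb_len` is computed before the check, and on a host where `size_t` is 32 bits the sum can wrap for a large `num_bytes`, so a short comment such as `/* check num_bytes first: smb_len may already have wrapped on 32-bit size_t */` would protect it from a later cleanup. create_outbuf's opening brace is in the first hunk but its closing brace lies outside the last hunk.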