author | Volker Lendecke <vlendec@samba.org> | 2007-08-03 13:13:57 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:29:15 -0500 |
commit | 675a484670fd778947661c9227b332c035fe1cf8 (patch) | |
tree | 9ccd739763161bdf8975012b1c0bf5102ef9d768 /source3 | |
parent | c28bd38aa67b2f73640282685b76104382650b47 (diff) | |
r24155: Check wct in reply_trans2
(This used to be commit e0a708c79b4db4aab84022d568b5e7bf519e4b5a)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/smbd/trans2.c | 26 |
1 files changed, 21 insertions, 5 deletions
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index acaabeea54..33aa3d0036 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -7018,16 +7018,27 @@ int reply_trans2(connection_struct *conn, char *inbuf,char *outbuf,
 int size, int bufsize)
 {
 int outsize = 0;
- unsigned int dsoff = SVAL(inbuf, smb_dsoff);
- unsigned int dscnt = SVAL(inbuf, smb_dscnt);
- unsigned int psoff = SVAL(inbuf, smb_psoff);
- unsigned int pscnt = SVAL(inbuf, smb_pscnt);
- unsigned int tran_call = SVAL(inbuf, smb_setup0);
+ unsigned int dsoff;
+ unsigned int dscnt;
+ unsigned int psoff;
+ unsigned int pscnt;
+ unsigned int tran_call;
 struct trans_state *state;
 NTSTATUS result;
 
 START_PROFILE(SMBtrans2);
 
+ if (SVAL(inbuf, smb_wct) < 8) {
+ END_PROFILE(SMBtrans2);
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ dsoff = SVAL(inbuf, smb_dsoff);
+ dscnt = SVAL(inbuf, smb_dscnt);
+ psoff = SVAL(inbuf, smb_psoff);
+ pscnt = SVAL(inbuf, smb_pscnt);
+ tran_call = SVAL(inbuf, smb_setup0);
+
 result = allow_new_trans(conn->pending_trans, SVAL(inbuf, smb_mid));
 if (!NT_STATUS_IS_OK(result)) {
 DEBUG(2, ("Got invalid trans2 request: %s\n",
@@ -7198,6 +7209,11 @@ int reply_transs2(connection_struct *conn,
 
 START_PROFILE(SMBtranss2);
 
+ if (SVAL(inbuf, smb_wct) < 8) {
+ END_PROFILE(SMBtranss2);
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
 show_msg(inbuf);
 
 for (state = conn->pending_trans; state != NULL; |
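Review bot: The new guard in reply_trans2 reads the word count with `SVAL(inbuf, smb_wct)`, but the SMB word count is a single byte, so the 16-bit read also takes in the first byte of the parameter words and a request with a small wct and a non-zero following byte still passes `< 8`; `CVAL(inbuf, smb_wct)` is the matching accessor, and the same applies to the identical check added in reply_transs2. The threshold of 8 also looks low for the primary request: `smb_pscnt` through `smb_setup0` are read immediately afterwards, and in the TRANS2 request layout those sit at parameter words 9 to 14 (the macro definitions are not in this diff, so confirm), which suggests `if (CVAL(inbuf, smb_wct) < 15) {` here. Whether 8 is right for reply_transs2 cannot be judged from the hunk, since its field reads lie outside it. Both function bodies continue past the visible lines.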