-rw-r--r-- | source3/smbd/process.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index fcb970d77b..1ebda799c9 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1270,11 +1270,13 @@ static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
 			  const char *inbuf, char **outbuf, uint8_t num_words,
 			  uint32_t num_bytes)
 {
+	size_t smb_len = MIN_SMB_SIZE + VWV(num_words) + num_bytes;
+
 	/*
-	 * Protect against integer wrap
-	 */
-	if ((num_bytes > 0xffffff)
-	    || ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
+	 * Protect against integer wrap.
+	 * The SMB layer reply can be up to 0xFFFFFF bytes.
+	 */
+	if ((num_bytes > 0xffffff) || (smb_len > 0xffffff)) {
 		char *msg;
 		if (asprintf(&msg, "num_bytes too large: %u",
 			     (unsigned)num_bytes) == -1) {
@@ -1283,8 +1285,11 @@ static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
 		smb_panic(msg);
 	}
 
+	/*
+	 * Here we include the NBT header for now.
+	 */
 	*outbuf = talloc_array(mem_ctx, char,
-			       smb_size + num_words*2 + num_bytes);
+			       NBT_HDR_SIZE + smb_len);
 	if (*outbuf == NULL) {
 		return false;
 	}
@@ -1296,7 +1301,7 @@ static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
 	 * himself
 	 */
 	if (num_words != 0) {
-		memset(*outbuf + smb_vwv0, 0, num_words*2);
+		memset(*outbuf + (NBT_HDR_SIZE + HDR_VWV), 0, VWV(num_words));
 	}
 
 	return true; |
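Review bot: The wrap protection in the first hunk now rests on evaluation order rather than on the arithmetic: `smb_len` is computed unconditionally at the top of the function, so with a 32-bit `size_t` a huge `num_bytes` can already have wrapped it before the check runs, and the check still holds only because `num_bytes > 0xffffff` is tested first and short-circuits the `||`. That dependency deserves a sentence in the rewritten comment, e.g. `* num_bytes is tested first: on a 32-bit size_t smb_len may already have wrapped for a huge num_bytes.` The panic text on the following context lines still reports only `num_bytes`, although the condition can now presumably fire on `smb_len` alone (num_bytes at 0xffffff with a non-zero num_words); `"reply too large: num_bytes %u num_words %u"` with `(unsigned)num_words` added would name the actual cause. create_outbuf continues past the end of this hunk.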
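Review bot: The new comment `Here we include the NBT header for now.` above the talloc_array call in the second hunk does not say what a reader of the size arithmetic needs: that the 0xFFFFFF bound checked earlier applies to `smb_len` alone, and that the allocation is deliberately `NBT_HDR_SIZE` bytes larger than that bound because the NBT length prefix is not part of the SMB payload the bound counts. "for now" also hints at a planned change without naming it. I would replace it with `/* smb_len is the SMB payload only; the NBT length header is allocated in front of it and is not counted against the 0xFFFFFF limit above. */` and either drop "for now" or state what is expected to change. The enclosing function starts before and continues after this hunk.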
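Review bot: The memset in the third hunk writes `VWV(num_words)` bytes at offset `NBT_HDR_SIZE + HDR_VWV` into a buffer sized `NBT_HDR_SIZE + MIN_SMB_SIZE + VWV(num_words) + num_bytes`, so it stays in bounds only if `HDR_VWV <= MIN_SMB_SIZE`; neither constant is visible in this diff and nothing in the function pins that relationship. A one-line comment on the memset, `/* in bounds: HDR_VWV lies inside the MIN_SMB_SIZE fixed header */`, or a compile-time check where the two constants are defined, would make the invariant explicit rather than implied. The enclosing function starts before this hunk.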