-rw-r--r--source3/smbd/process.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index bf3abf9758..35f1d6fb3c 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -70,13 +70,22 @@ void init_smb_request(struct smb_request *req, const uint8 *inbuf)
req->vuid = SVAL(inbuf, smb_uid);
req->tid = SVAL(inbuf, smb_tid);
req->wct = CVAL(inbuf, smb_wct);
- /* Ensure we have at least wct words. */
+ /* Ensure we have at least wct words and 2 bytes of bcc. */
if (smb_size + req->wct*2 > req_size) {
DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
(unsigned int)req->wct,
(unsigned int)req_size));
exit_server_cleanly("Invalid SMB request");
}
+ /* Ensure bcc is correct. */
+ if (((uint8 *)smb_buf(inbuf)) + smb_buflen(inbuf) > inbuf + req_size) {
+ DEBUG(0,("init_smb_request: invalid bcc number %u "
+ "(wct = %u, size %u)\n",
+ (unsigned int)smb_buflen(inbuf),
+ (unsigned int)req->wct,
+ (unsigned int)req_size));
+ exit_server_cleanly("Invalid SMB request");
+ }
req->inbuf = inbuf;
req->outbuf = NULL;
}
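Review bot: The added bcc check compares pointers, `((uint8 *)smb_buf(inbuf)) + smb_buflen(inbuf) > inbuf + req_size`, so whenever bcc is too large the left-hand side is already a pointer beyond the end of the buffer. Forming such a pointer is undefined behaviour in C, so a compiler may assume it cannot happen, and the sum could wrap if the buffer sits near the top of the address space. The wct check just above works on sizes instead, and the bcc check can do the same: `if (smb_size + req->wct*2 + smb_buflen(inbuf) > req_size) {`, assuming smb_buf() resolves to `inbuf + smb_size + wct*2` as that first check suggests. This form also avoids the cast that drops `const` from `inbuf`. The function starts above the hunk, so where `req_size` comes from, and whether it always matches the bytes actually received, is not visible here and is worth confirming.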