-rw-r--r--source3/smbd/conn.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/source3/smbd/conn.c b/source3/smbd/conn.c
index 52182f3129..73d2ed7003 100644
--- a/source3/smbd/conn.c
+++ b/source3/smbd/conn.c
@@ -107,7 +107,7 @@ find_again:
int newsz = bmap->n + BITMAP_BLOCK_SZ;
struct bitmap * nbmap;
- if (newsz <= 0) {
+ if (newsz <= oldsz) {
/* Integer wrap. */
DEBUG(0,("ERROR! Out of connection structures\n"));
return NULL;
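Review bot: The wrap test `if (newsz <= oldsz)` runs only after `bmap->n + BITMAP_BLOCK_SZ` has been evaluated as an `int`. Signed overflow is undefined behaviour, so an optimising compiler may assume it never happens and drop the branch. Testing before the addition keeps the guard well-defined: `if (oldsz > INT_MAX - BITMAP_BLOCK_SZ) {`, with `newsz` computed afterwards. This assumes `oldsz` holds `bmap->n` and is declared above the hunk, where it is not visible. The enclosing block starts and ends outside the hunk.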
@@ -131,6 +131,16 @@ find_again:
goto find_again;
}
+ /* The bitmap position is used below as the connection number
+ * conn->cnum). This ends up as the TID field in the SMB header,
+ * which is limited to 16 bits (we skip 0xffff which is the
+ * NULL TID).
+ */
+ if (i > 65534) {
+ DEBUG(0, ("Maximum connection limit reached\n"));
+ return NULL;
+ }
+
if ((mem_ctx=talloc_init("connection_struct"))==NULL) {
DEBUG(0,("talloc_init(connection_struct) failed!\n"));
return NULL;
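Review bot: The new comment is missing its opening parenthesis before `conn->cnum)`, and the literal in `if (i > 65534)` hides its link to the 0xffff NULL TID that the comment names. I would write the comment line as `* (conn->cnum). This ends up as the TID field in the SMB header,` and the test as `if (i >= 0xffff) {`, or use a named constant for the reserved TID. The check also sits after the `find_again` growth path, so the bitmap appears to be enlarged for a slot that is then refused, though confirming that needs the code above the hunk. Because the refusal is logged at `DEBUG(0, ...)` on every attempt once the limit is reached, it is worth checking that repeated tree connects cannot flood the log. The function continues outside the hunk.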