summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/smbd/ipc.c20
-rw-r--r--source3/smbd/nttrans.c16
-rw-r--r--source3/smbd/trans2.c16
3 files changed, 38 insertions, 14 deletions
diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c
index 39072f9b91..9bdd02b059 100644
--- a/source3/smbd/ipc.c
+++ b/source3/smbd/ipc.c
@@ -388,7 +388,8 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
}
if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
goto bad_param;
- if (smb_base(inbuf)+dsoff+dscnt > inbuf + size)
+ if ((smb_base(inbuf)+dsoff+dscnt > inbuf + size) ||
+ (smb_base(inbuf)+dsoff+dscnt < smb_base(inbuf)))
goto bad_param;
memcpy(data,smb_base(inbuf)+dsoff,dscnt);
@@ -402,8 +403,9 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
return(ERROR_DOS(ERRDOS,ERRnomem));
}
if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
- goto bad_param;
- if (smb_base(inbuf)+psoff+pscnt > inbuf + size)
+ goto bad_param;
+ if ((smb_base(inbuf)+psoff+pscnt > inbuf + size) ||
+ (smb_base(inbuf)+psoff+pscnt < smb_base(inbuf)));
goto bad_param;
memcpy(params,smb_base(inbuf)+psoff,pscnt);
@@ -487,8 +489,11 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
if (pdisp+pcnt >= tpscnt)
goto bad_param;
if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
- goto bad_param;
- if (smb_base(inbuf) + poff + pcnt >= inbuf + bufsize)
+ goto bad_param;
+ if (pdisp > tpscnt)
+ goto bad_param;
+ if ((smb_base(inbuf) + poff + pcnt >= inbuf + bufsize) ||
+ (smb_base(inbuf) + poff + pcnt < smb_base(inbuf)))
goto bad_param;
if (params + pdisp < params)
goto bad_param;
@@ -501,7 +506,10 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
goto bad_param;
if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
goto bad_param;
- if (smb_base(inbuf) + doff + dcnt >= inbuf + bufsize)
+ if (ddisp > tdscnt)
+ goto bad_param;
+ if ((smb_base(inbuf) + doff + dcnt >= inbuf + bufsize) ||
+ (smb_base(inbuf) + doff + dcnt < smb_base(inbuf)))
goto bad_param;
if (data + ddisp < data)
goto bad_param;
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index b4e7a70088..19af61f190 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -2463,7 +2463,8 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
if ((parameter_offset + parameter_count < parameter_offset) ||
(parameter_offset + parameter_count < parameter_count))
goto bad_param;
- if (smb_base(inbuf) + parameter_offset + parameter_count > inbuf + length)
+ if ((smb_base(inbuf) + parameter_offset + parameter_count > inbuf + length)||
+ (smb_base(inbuf) + parameter_offset + parameter_count < smb_base(inbuf)))
goto bad_param;
memcpy( params, smb_base(inbuf) + parameter_offset, parameter_count);
@@ -2473,7 +2474,8 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
DEBUG(10,("reply_nttrans: data_count = %d\n",data_count));
if ((data_offset + data_count < data_offset) || (data_offset + data_count < data_count))
goto bad_param;
- if (smb_base(inbuf) + data_offset + data_count > inbuf + length)
+ if ((smb_base(inbuf) + data_offset + data_count > inbuf + length) ||
+ (smb_base(inbuf) + data_offset + data_count < smb_base(inbuf)))
goto bad_param;
memcpy( data, smb_base(inbuf) + data_offset, data_count);
@@ -2534,7 +2536,10 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
if ((parameter_displacement + parameter_count < parameter_displacement) ||
(parameter_displacement + parameter_count < parameter_count))
goto bad_param;
- if (smb_base(inbuf) + parameter_offset + parameter_count >= inbuf + bufsize)
+ if (parameter_displacement > total_parameter_count)
+ goto bad_param;
+ if ((smb_base(inbuf) + parameter_offset + parameter_count >= inbuf + bufsize) ||
+ (smb_base(inbuf) + parameter_offset + parameter_count < smb_base(inbuf)))
goto bad_param;
if (parameter_displacement + params < params)
goto bad_param;
@@ -2548,7 +2553,10 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
if ((data_displacement + data_count < data_displacement) ||
(data_displacement + data_count < data_count))
goto bad_param;
- if (smb_base(inbuf) + data_offset + data_count >= inbuf + bufsize)
+ if (data_displacement > total_data_count)
+ goto bad_param;
+ if ((smb_base(inbuf) + data_offset + data_count >= inbuf + bufsize) ||
+ (smb_base(inbuf) + data_offset + data_count < smb_base(inbuf)))
goto bad_param;
if (data_displacement + data < data)
goto bad_param;
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 3d53387c9f..0f02403184 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -3497,7 +3497,8 @@ int reply_trans2(connection_struct *conn,
unsigned int psoff = SVAL(inbuf, smb_psoff);
if ((psoff + num_params < psoff) || (psoff + num_params < num_params))
goto bad_param;
- if (smb_base(inbuf) + psoff + num_params > inbuf + length)
+ if ((smb_base(inbuf) + psoff + num_params > inbuf + length) ||
+ (smb_base(inbuf) + psoff + num_params < smb_base(inbuf)))
goto bad_param;
memcpy( params, smb_base(inbuf) + psoff, num_params);
}
@@ -3505,7 +3506,8 @@ int reply_trans2(connection_struct *conn,
unsigned int dsoff = SVAL(inbuf, smb_dsoff);
if ((dsoff + num_data < dsoff) || (dsoff + num_data < num_data))
goto bad_param;
- if (smb_base(inbuf) + dsoff + num_data > inbuf + length)
+ if ((smb_base(inbuf) + dsoff + num_data > inbuf + length) ||
+ (smb_base(inbuf) + dsoff + num_data < smb_base(inbuf)))
goto bad_param;
memcpy( data, smb_base(inbuf) + dsoff, num_data);
}
@@ -3566,7 +3568,10 @@ int reply_trans2(connection_struct *conn,
if ((param_disp + num_params < param_disp) ||
(param_disp + num_params < num_params))
goto bad_param;
- if (smb_base(inbuf) + param_off + num_params >= inbuf + bufsize)
+ if (param_disp > total_params)
+ goto bad_param;
+ if ((smb_base(inbuf) + param_off + num_params >= inbuf + bufsize) ||
+ (smb_base(inbuf) + param_off + num_params < smb_base(inbuf)))
goto bad_param;
if (params + param_disp < params)
goto bad_param;
@@ -3579,7 +3584,10 @@ int reply_trans2(connection_struct *conn,
if ((data_disp + num_data < data_disp) ||
(data_disp + num_data < num_data))
goto bad_param;
- if (smb_base(inbuf) + data_off + num_data >= inbuf + bufsize)
+ if (data_disp > total_data)
+ goto bad_param;
+ if ((smb_base(inbuf) + data_off + num_data >= inbuf + bufsize) ||
+ (smb_base(inbuf) + data_off + num_data < smb_base(inbuf)))
goto bad_param;
if (data + data_disp < data)
goto bad_param;