-rw-r--r--source3/smbd/process.c17
1 files changed, 11 insertions, 6 deletions
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index fcb970d77b..1ebda799c9 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1270,11 +1270,13 @@ static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
const char *inbuf, char **outbuf, uint8_t num_words,
uint32_t num_bytes)
{
+ size_t smb_len = MIN_SMB_SIZE + VWV(num_words) + num_bytes;
+
/*
- * Protect against integer wrap
- */
- if ((num_bytes > 0xffffff)
- || ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
+ * Protect against integer wrap.
+ * The SMB layer reply can be up to 0xFFFFFF bytes.
+ */
+ if ((num_bytes > 0xffffff) || (smb_len > 0xffffff)) {
char *msg;
if (asprintf(&msg, "num_bytes too large: %u",
(unsigned)num_bytes) == -1) {
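Review bot: The panic message built on the two lines above still names only num_bytes, but the rewritten condition now also fires when smb_len alone crosses 0xffffff (num_bytes in range plus a non-zero num_words), so the log would blame a value that was actually valid. Consider `if (asprintf(&msg, "num_bytes/num_words too large: %u/%u", (unsigned)num_bytes, (unsigned)num_words) == -1) {` so the trace shows both inputs. Computing smb_len before the range check looks safe: the leading `num_bytes > 0xffffff` test short-circuits, and any wrap of the size_t sum on a 32-bit build is well-defined unsigned arithmetic that is only reachable when num_bytes is already rejected. create_outbuf's body continues past the end of this hunk.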
@@ -1283,8 +1285,11 @@ static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
smb_panic(msg);
}
+ /*
+ * Here we include the NBT header for now.
+ */
*outbuf = talloc_array(mem_ctx, char,
- smb_size + num_words*2 + num_bytes);
+ NBT_HDR_SIZE + smb_len);
if (*outbuf == NULL) {
return false;
}
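Review bot: The comment `Here we include the NBT header for now.` leaves the new buffer layout implicit, yet every offset into *outbuf from here on must be NBT_HDR_SIZE-relative (the memset later in this function is adjusted for exactly that reason). Suggested wording: `/* *outbuf holds the NBT header followed by the SMB header, so every offset into it must add NBT_HDR_SIZE. */`. The 0xffffff bound in the previous hunk is applied to smb_len while the allocation adds NBT_HDR_SIZE on top; that is consistent if the limit is meant for the SMB-layer reply only, as the new comment there says. The page shows one old-side line fewer than the hunk header's count of 8, presumably a blank context line lost in extraction.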
@@ -1296,7 +1301,7 @@ static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
* himself
*/
if (num_words != 0) {
- memset(*outbuf + smb_vwv0, 0, num_words*2);
+ memset(*outbuf + (NBT_HDR_SIZE + HDR_VWV), 0, VWV(num_words));
}
return true;