diff options
| -rw-r--r-- | source3/smbd/conn.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/source3/smbd/conn.c b/source3/smbd/conn.c index 52182f3129..73d2ed7003 100644 --- a/source3/smbd/conn.c +++ b/source3/smbd/conn.c @@ -107,7 +107,7 @@ find_again: int newsz = bmap->n + BITMAP_BLOCK_SZ; struct bitmap * nbmap; - if (newsz <= 0) { + if (newsz <= oldsz) { /* Integer wrap. */ DEBUG(0,("ERROR! Out of connection structures\n")); return NULL; @@ -131,6 +131,16 @@ find_again: goto find_again; } + /* The bitmap position is used below as the connection number + * conn->cnum). This ends up as the TID field in the SMB header, + * which is limited to 16 bits (we skip 0xffff which is the + * NULL TID). + */ + if (i > 65534) { + DEBUG(0, ("Maximum connection limit reached\n")); + return NULL; + } + if ((mem_ctx=talloc_init("connection_struct"))==NULL) { DEBUG(0,("talloc_init(connection_struct) failed!\n")); return NULL; |