diff options
Diffstat (limited to 'source3/libsmb/clireadwrite.c')
-rw-r--r-- | source3/libsmb/clireadwrite.c | 30 |
1 files changed, 24 insertions, 6 deletions
diff --git a/source3/libsmb/clireadwrite.c b/source3/libsmb/clireadwrite.c index cc982683d0..1c2a0d56c4 100644 --- a/source3/libsmb/clireadwrite.c +++ b/source3/libsmb/clireadwrite.c @@ -109,12 +109,12 @@ NTSTATUS cli_read_andx_recv(struct async_req *req, ssize_t *received, uint16_t *vwv; uint16_t num_bytes; uint8_t *bytes; + uint8_t *buf; NTSTATUS status; size_t size; - SMB_ASSERT(req->state >= ASYNC_REQ_DONE); - if (req->state == ASYNC_REQ_ERROR) { - return req->status; + if (async_req_is_error(req, &status)) { + return status; } status = cli_pull_reply(req, &wct, &vwv, &num_bytes, &bytes); @@ -137,6 +137,24 @@ NTSTATUS cli_read_andx_recv(struct async_req *req, ssize_t *received, return NT_STATUS_UNEXPECTED_IO_ERROR; } + /* + * bcc field must be valid for small reads, for large reads the 16-bit + * bcc field can't be correct. + */ + + if ((size < 0xffff) && (size > num_bytes)) { + DEBUG(5, ("server announced more bytes than sent\n")); + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + + buf = (uint8_t *)smb_base(cli_req->inbuf) + SVAL(vwv+6, 0); + + if (trans_oob(smb_len(cli_req->inbuf), SVAL(vwv+6, 0), size) + || (buf < bytes)) { + DEBUG(5, ("server returned invalid read&x data offset\n")); + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + *rcvbuf = (uint8_t *)(smb_base(cli_req->inbuf) + SVAL(vwv + 6, 0)); *received = size; return NT_STATUS_OK; @@ -405,10 +423,10 @@ NTSTATUS cli_pull_recv(struct async_req *req, SMB_OFF_T *received) { struct cli_pull_state *state = talloc_get_type_abort( req->private_data, struct cli_pull_state); + NTSTATUS status; - SMB_ASSERT(req->state >= ASYNC_REQ_DONE); - if (req->state == ASYNC_REQ_ERROR) { - return req->status; + if (async_req_is_error(req, &status)) { + return status; } *received = state->pushed; return NT_STATUS_OK; |