diff options
Diffstat (limited to 'source3/libsmb/clitrans.c')
-rw-r--r-- | source3/libsmb/clitrans.c | 26 |
1 files changed, 18 insertions, 8 deletions
diff --git a/source3/libsmb/clitrans.c b/source3/libsmb/clitrans.c index 98c09ed6e7..ec63bc3b9d 100644 --- a/source3/libsmb/clitrans.c +++ b/source3/libsmb/clitrans.c @@ -1204,9 +1204,12 @@ static void cli_trans_done(struct tevent_req *subreq) } NTSTATUS cli_trans_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, - uint16_t **setup, uint8_t *num_setup, - uint8_t **param, uint32_t *num_param, - uint8_t **data, uint32_t *num_data) + uint16_t **setup, uint8_t min_setup, + uint8_t *num_setup, + uint8_t **param, uint32_t min_param, + uint32_t *num_param, + uint8_t **data, uint32_t min_data, + uint32_t *num_data) { struct cli_trans_state *state = tevent_req_data( req, struct cli_trans_state); @@ -1216,6 +1219,12 @@ NTSTATUS cli_trans_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, return status; } + if ((state->num_rsetup < min_setup) + || (state->rparam.total < min_param) + || (state->rdata.total < min_data)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + if (setup != NULL) { *setup = talloc_move(mem_ctx, &state->rsetup); *num_setup = state->num_rsetup; @@ -1247,9 +1256,9 @@ NTSTATUS cli_trans(TALLOC_CTX *mem_ctx, struct cli_state *cli, uint16_t *setup, uint8_t num_setup, uint8_t max_setup, uint8_t *param, uint32_t num_param, uint32_t max_param, uint8_t *data, uint32_t num_data, uint32_t max_data, - uint16_t **rsetup, uint8_t *num_rsetup, - uint8_t **rparam, uint32_t *num_rparam, - uint8_t **rdata, uint32_t *num_rdata) + uint16_t **rsetup, uint8_t min_rsetup, uint8_t *num_rsetup, + uint8_t **rparam, uint32_t min_rparam, uint32_t *num_rparam, + uint8_t **rdata, uint32_t min_rdata, uint32_t *num_rdata) { TALLOC_CTX *frame = talloc_stackframe(); struct event_context *ev; @@ -1285,8 +1294,9 @@ NTSTATUS cli_trans(TALLOC_CTX *mem_ctx, struct cli_state *cli, goto fail; } - status = cli_trans_recv(req, mem_ctx, rsetup, num_rsetup, - rparam, num_rparam, rdata, num_rdata); + status = cli_trans_recv(req, mem_ctx, rsetup, min_rsetup, num_rsetup, + rparam, min_rparam, num_rparam, + rdata, min_rdata, num_rdata); fail: TALLOC_FREE(frame); if (!NT_STATUS_IS_OK(status)) { |