summaryrefslogtreecommitdiff
path: root/source3/libsmb/clitrans.c
diff options
context:
space:
mode:
Diffstat (limited to 'source3/libsmb/clitrans.c')
-rw-r--r--source3/libsmb/clitrans.c26
1 files changed, 18 insertions, 8 deletions
diff --git a/source3/libsmb/clitrans.c b/source3/libsmb/clitrans.c
index 98c09ed6e7..ec63bc3b9d 100644
--- a/source3/libsmb/clitrans.c
+++ b/source3/libsmb/clitrans.c
@@ -1204,9 +1204,12 @@ static void cli_trans_done(struct tevent_req *subreq)
}
NTSTATUS cli_trans_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
- uint16_t **setup, uint8_t *num_setup,
- uint8_t **param, uint32_t *num_param,
- uint8_t **data, uint32_t *num_data)
+ uint16_t **setup, uint8_t min_setup,
+ uint8_t *num_setup,
+ uint8_t **param, uint32_t min_param,
+ uint32_t *num_param,
+ uint8_t **data, uint32_t min_data,
+ uint32_t *num_data)
{
struct cli_trans_state *state = tevent_req_data(
req, struct cli_trans_state);
@@ -1216,6 +1219,12 @@ NTSTATUS cli_trans_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
return status;
}
+ if ((state->num_rsetup < min_setup)
+ || (state->rparam.total < min_param)
+ || (state->rdata.total < min_data)) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+
if (setup != NULL) {
*setup = talloc_move(mem_ctx, &state->rsetup);
*num_setup = state->num_rsetup;
@@ -1247,9 +1256,9 @@ NTSTATUS cli_trans(TALLOC_CTX *mem_ctx, struct cli_state *cli,
uint16_t *setup, uint8_t num_setup, uint8_t max_setup,
uint8_t *param, uint32_t num_param, uint32_t max_param,
uint8_t *data, uint32_t num_data, uint32_t max_data,
- uint16_t **rsetup, uint8_t *num_rsetup,
- uint8_t **rparam, uint32_t *num_rparam,
- uint8_t **rdata, uint32_t *num_rdata)
+ uint16_t **rsetup, uint8_t min_rsetup, uint8_t *num_rsetup,
+ uint8_t **rparam, uint32_t min_rparam, uint32_t *num_rparam,
+ uint8_t **rdata, uint32_t min_rdata, uint32_t *num_rdata)
{
TALLOC_CTX *frame = talloc_stackframe();
struct event_context *ev;
@@ -1285,8 +1294,9 @@ NTSTATUS cli_trans(TALLOC_CTX *mem_ctx, struct cli_state *cli,
goto fail;
}
- status = cli_trans_recv(req, mem_ctx, rsetup, num_rsetup,
- rparam, num_rparam, rdata, num_rdata);
+ status = cli_trans_recv(req, mem_ctx, rsetup, min_rsetup, num_rsetup,
+ rparam, min_rparam, num_rparam,
+ rdata, min_rdata, num_rdata);
fail:
TALLOC_FREE(frame);
if (!NT_STATUS_IS_OK(status)) {
generated by cgit (git 2.34.1) at 2024-07-08 01:29:24 +0000