diff options
Diffstat (limited to 'source3')
-rw-r--r-- | source3/smbd/sesssetup.c | 29 |
1 files changed, 11 insertions, 18 deletions
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index 71ca7dda52..deab1015f5 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -630,14 +630,10 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, if (Protocol < PROTOCOL_NT1) { uint16 passlen1 = SVAL(inbuf,smb_vwv7); - if (passlen1 > MAX_PASS_LEN) { - return ERROR_DOS(ERRDOS,ERRbuftoosmall); - } - - if (passlen1 > smb_buflen(inbuf)) { + if ((passlen1 > MAX_PASS_LEN) || (passlen1 > smb_bufrem(inbuf, smb_buf(inbuf)))) { return ERROR_NT(NT_STATUS_INVALID_PARAMETER); } - + if (doencrypt) { lm_resp = data_blob(smb_buf(inbuf), passlen1); } else { @@ -669,13 +665,6 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, } } - if (passlen1 > MAX_PASS_LEN) { - return ERROR_DOS(ERRDOS,ERRbuftoosmall); - } - - passlen1 = MIN(passlen1, MAX_PASS_LEN); - passlen2 = MIN(passlen2, MAX_PASS_LEN); - if (!doencrypt) { /* both Win95 and WinNT stuff up the password lengths for non-encrypting systems. Uggh. @@ -693,17 +682,21 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, passlen2 = 0; } + /* check for nasty tricks */ + if (passlen1 > MAX_PASS_LEN || passlen1 > smb_bufrem(inbuf, p)) { + return ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } + + if (passlen2 > MAX_PASS_LEN || passlen2 > smb_bufrem(inbuf, p+passlen1)) { + return ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } + /* Save the lanman2 password and the NT md4 password. */ if ((doencrypt) && (passlen1 != 0) && (passlen1 != 24)) { doencrypt = False; } - /* check for nasty tricks */ - if (passlen1 > smb_buflen(inbuf) || passlen2 > smb_buflen(inbuf)) { - return ERROR_NT(NT_STATUS_INVALID_PARAMETER); - } - if (doencrypt) { lm_resp = data_blob(p, passlen1); nt_resp = data_blob(p+passlen1, passlen2); |