summaryrefslogtreecommitdiff
path: root/source4/libcli
diff options
context:
space:
mode:
Diffstat (limited to 'source4/libcli')
-rw-r--r--source4/libcli/smb2/smb2.h2
-rw-r--r--source4/libcli/smb2/transport.c14
2 files changed, 15 insertions, 1 deletions
diff --git a/source4/libcli/smb2/smb2.h b/source4/libcli/smb2/smb2.h
index 47dd6fd272..0ff8b87143 100644
--- a/source4/libcli/smb2/smb2.h
+++ b/source4/libcli/smb2/smb2.h
@@ -138,7 +138,7 @@ struct smb2_request {
};
-#define SMB2_MIN_SIZE 0x40
+#define SMB2_MIN_SIZE 0x42
/* offsets into header elements */
#define SMB2_HDR_LENGTH 0x04
diff --git a/source4/libcli/smb2/transport.c b/source4/libcli/smb2/transport.c
index 04ebb88d4e..04767fa634 100644
--- a/source4/libcli/smb2/transport.c
+++ b/source4/libcli/smb2/transport.c
@@ -148,6 +148,8 @@ static NTSTATUS smb2_transport_finish_recv(void *private, DATA_BLOB blob)
int len;
struct smb2_request *req = NULL;
uint64_t seqnum;
+ uint16_t buffer_code;
+ uint32_t dynamic_size;
buffer = blob.data;
len = blob.length;
@@ -183,6 +185,18 @@ static NTSTATUS smb2_transport_finish_recv(void *private, DATA_BLOB blob)
req->in.body_size = req->in.size - (SMB2_HDR_BODY+NBT_HDR_SIZE);
req->status = NT_STATUS(IVAL(hdr, SMB2_HDR_STATUS));
+ buffer_code = SVAL(req->in.body, 0);
+ req->in.dynamic = NULL;
+ dynamic_size = req->in.body_size - (buffer_code & ~1);
+ if (dynamic_size != 0 && (buffer_code & 1)) {
+ req->in.dynamic = req->in.body + (buffer_code & ~1);
+ if (smb2_oob(&req->in, req->in.dynamic, dynamic_size)) {
+ DEBUG(1,("SMB2 request invalid dynamic size 0x%x\n",
+ dynamic_size));
+ goto error;
+ }
+ }
+
DEBUG(2, ("SMB2 RECV seqnum=0x%llx\n", req->seqnum));
dump_data(5, req->in.body, req->in.body_size);