From 09ead9c8fac5e3058e9b6b422171db04dd8dd680 Mon Sep 17 00:00:00 2001
From: James Peach
Date: Wed, 18 Oct 2006 03:34:31 +0000
Subject: r19386: Limit the size of the connection bitmap to <64K entries. (This used to be commit 9f0518e0b0d4add7cceac6d4d797edddb0080aaa)
---
 source3/smbd/conn.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/source3/smbd/conn.c b/source3/smbd/conn.c
index 52182f3129..73d2ed7003 100644
--- a/source3/smbd/conn.c
+++ b/source3/smbd/conn.c
@@ -107,7 +107,7 @@ find_again:
 int newsz = bmap->n + BITMAP_BLOCK_SZ;
 struct bitmap * nbmap;
- if (newsz <= 0) {
+ if (newsz <= oldsz) {
 /* Integer wrap. */
 DEBUG(0,("ERROR! Out of connection structures\n"));
 return NULL;
@@ -131,6 +131,16 @@ find_again:
 goto find_again;
 }
+ /* The bitmap position is used below as the connection number
+ * conn->cnum). This ends up as the TID field in the SMB header,
+ * which is limited to 16 bits (we skip 0xffff which is the
+ * NULL TID).
+ */
+ if (i > 65534) {
+ DEBUG(0, ("Maximum connection limit reached\n"));
+ return NULL;
+ }
+
 if ((mem_ctx=talloc_init("connection_struct"))==NULL) {
 DEBUG(0,("talloc_init(connection_struct) failed!\n"));
 return NULL;
-- cgit
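Review bot: The wrap test `newsz <= oldsz` in the first hunk runs only after `bmap->n + BITMAP_BLOCK_SZ` has been evaluated in the declaration of `newsz`, and signed `int` overflow is undefined behaviour in C, so a compiler may assume the sum exceeds `oldsz` and drop the branch. Testing before the addition keeps the guard reliable: declare `int newsz;`, check `if (oldsz > INT_MAX - BITMAP_BLOCK_SZ) {`, then assign `newsz = oldsz + BITMAP_BLOCK_SZ;`. This assumes `BITMAP_BLOCK_SZ` is a positive constant and needs `<limits.h>` if conn.c does not already include it. `oldsz` is declared outside the hunk, and the enclosing function starts and ends outside it as well.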
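Review bot: The bound in `if (i > 65534) {` in the second hunk is a bare decimal literal whose link to the 16-bit TID and the reserved 0xffff value exists only in the comment above it; writing it as `if (i >= 0xffff) {`, or naming the constant, would make the intended off-by-one checkable at a glance. The comment has an unbalanced parenthesis: `* conn->cnum).` should read `* (conn->cnum).`. The limit is presumably reachable by a client that keeps opening tree connections, in which case `DEBUG(0, ...)` writes a top-level log line on every refused attempt, so a less severe debug level may be worth considering. The function body continues outside the hunk.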