From 077eb578be1bc9865fc5b32816f8230737e76100 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 20 Jul 2012 09:20:43 +0200 Subject: libcli/smb: check the buffer length in smbXcli_negprot_dispatch_incoming() metze --- libcli/smb/smbXcli_base.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'libcli') diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index dcec6ed79e..14737fb8b1 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -3952,16 +3952,23 @@ static NTSTATUS smbXcli_negprot_dispatch_incoming(struct smbXcli_conn *conn, struct tevent_req *subreq; struct smbXcli_req_state *substate; struct tevent_req *req; - uint32_t protocol_magic = IVAL(inbuf, 4); + uint32_t protocol_magic; + size_t inbuf_len = smb_len_nbt(inbuf); if (num_pending != 1) { return NT_STATUS_INTERNAL_ERROR; } + if (inbuf_len < 4) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + subreq = conn->pending[0]; substate = tevent_req_data(subreq, struct smbXcli_req_state); req = tevent_req_callback_data(subreq, struct tevent_req); + protocol_magic = IVAL(inbuf, 4); + switch (protocol_magic) { case SMB_MAGIC: tevent_req_set_callback(subreq, smbXcli_negprot_smb1_done, req); -- cgit