From b6a3fd6777b4029afca03a36dfdb9bb45c01fa9c Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Sat, 4 Oct 1997 05:21:47 +0000
Subject: a bit of bounds checking (This used to be commit
 d40199f4fe1344058267859820cb36b77a20442a)

---
 source3/client/clientutil.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'source3/client')

diff --git a/source3/client/clientutil.c b/source3/client/clientutil.c
index d16e5a471f..ed5497782b 100644
--- a/source3/client/clientutil.c
+++ b/source3/client/clientutil.c
@@ -126,6 +126,13 @@ BOOL cli_receive_trans_response(char *inbuf,int trans,int *data_len,
     {
       this_data = SVAL(inbuf,smb_drcnt);
       this_param = SVAL(inbuf,smb_prcnt);
+
+      if (this_data + *data_len > total_data ||
+	  this_param + *param_len > total_param) {
+	      DEBUG(1,("Data overflow in cli_receive_trans_response\n"));
+	      return False;
+      }
+
       if (this_data)
 	memcpy(*data + SVAL(inbuf,smb_drdisp),
 	       smb_base(inbuf) + SVAL(inbuf,smb_droff),
@@ -453,6 +460,11 @@ BOOL cli_send_login(char *inbuf, char *outbuf, BOOL start_session, BOOL use_setu
       /* send a session setup command */
       bzero(outbuf,smb_size);
 
+      if (passlen > MAX_PASSWORD_LENGTH) {
+	      DEBUG(1,("password too long %d\n", passlen));
+	      return False;
+      }
+
       if (Protocol < PROTOCOL_NT1) {
 	set_message(outbuf,10,1 + strlen(username) + passlen,True);
 	CVAL(outbuf,smb_com) = SMBsesssetupX;
-- 
cgit