From 20df0f34a8670f0dd5f3eaeb74af900f535bbe01 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 18 Nov 2011 13:20:43 +0100
Subject: s3:libsmb: verify num_setup for SMBnttrans in cli_pull_trans()
metze
Autobuild-User: Stefan Metzmacher
Autobuild-Date: Fri Nov 18 15:13:52 CET 2011 on sn-devel-104
---
 source3/libsmb/clitrans.c | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'source3/libsmb/clitrans.c')
diff --git a/source3/libsmb/clitrans.c b/source3/libsmb/clitrans.c
index 8ac31d89f1..5c73e2da74 100644
--- a/source3/libsmb/clitrans.c
+++ b/source3/libsmb/clitrans.c
@@ -120,6 +120,7 @@ static NTSTATUS cli_pull_trans(uint8_t *inbuf,
 if (wct < 18) {
 return NT_STATUS_INVALID_NETWORK_RESPONSE;
 }
+ expected_num_setup = wct - 18;
 *ptotal_param = IVAL(vwv, 3);
 *ptotal_data = IVAL(vwv, 7);
 *pnum_param = IVAL(vwv, 11);
@@ -129,6 +130,9 @@ static NTSTATUS cli_pull_trans(uint8_t *inbuf,
 data_ofs = IVAL(vwv, 27);
 *pdata_disp = IVAL(vwv, 31);
 *pnum_setup = CVAL(vwv, 35);
+ if (expected_num_setup < (*pnum_setup)) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
 *psetup = vwv + 18;
 break;
-- cgit
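Review bot: The added `expected_num_setup = wct - 18;` is only safe from wrap-around because of the `if (wct < 18)` guard directly above it, and nothing in the code says so. The literal 18 also appears three times across the two hunks (`wct < 18`, `wct - 18`, `vwv + 18`) without a name or explanation. A short comment would pin the invariant, e.g. `/* wct >= 18 was checked above; words beyond the 18 fixed ones are setup words */`. The declaration of `expected_num_setup` is outside the hunk, so its type should be confirmed to be at least as wide as `wct`. cli_pull_trans starts and ends outside the hunk.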
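Review bot: The new guard `if (expected_num_setup < (*pnum_setup))` rejects only a setup count larger than the words actually present. A response whose `wct` carries more words than the count read at byte 35 is still accepted, and the surplus words are silently ignored. If that leniency is intended, a comment such as `/* a smaller setup count than wct allows is tolerated; a larger one would run past the words block */` would record it; if not, the comparison should be `!=`. Separately, `*pnum_setup` is stored before the check, so on the error return the caller's variable already holds the unvalidated server value; reading `CVAL(vwv, 35)` into a local and assigning it after the check would avoid that. The function continues outside the hunk.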