From 2498a973acba0d7500a7cd6501928161bc0ed31b Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Tue, 3 Apr 2007 14:16:56 +0000
Subject: r22059: Over-allocate and NULL out 100 bytes for lanman.c.

Volker
(This used to be commit 0eea6b84cec7e2a3fc1f784d5a9b162f71cc8a02)
---
 source3/smbd/ipc.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
(limited to 'source3/smbd/ipc.c')

diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c
index ca128d29d9..6e5ff9f035 100644
--- a/source3/smbd/ipc.c
+++ b/source3/smbd/ipc.c
@@ -478,8 +478,8 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf,
 
 if (state->total_data) {
 /* Can't use talloc here, the core routines do realloc on the
- * params and data. */
- state->data = (char *)SMB_MALLOC(state->total_data);
+ * params and data. Out of paranoia, 100 bytes too many. */
+ state->data = (char *)SMB_MALLOC(state->total_data+100);
 if (state->data == NULL) {
 DEBUG(0,("reply_trans: data malloc fail for %u "
 "bytes !\n", (unsigned int)state->total_data));
@@ -487,6 +487,8 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf,
 END_PROFILE(SMBtrans);
 return(ERROR_DOS(ERRDOS,ERRnomem));
 }
+ /* null-terminate the slack space */
+ memset(&state->data[state->total_data], 0, 100);
 if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
 goto bad_param;
 if ((smb_base(inbuf)+dsoff+dscnt > inbuf + size) ||
@@ -498,8 +500,8 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf,
 
 if (state->total_param) {
 /* Can't use talloc here, the core routines do realloc on the
- * params and data. */
- state->param = (char *)SMB_MALLOC(state->total_param);
+ * params and data. Out of paranoia, 100 bytes too many */
+ state->param = (char *)SMB_MALLOC(state->total_param+100);
 if (state->param == NULL) {
 DEBUG(0,("reply_trans: param malloc fail for %u "
 "bytes !\n", (unsigned int)state->total_param));
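Review bot: The slack size 100 is a bare literal repeated in four places — both SMB_MALLOC calls and both memset calls — so the allocation and the zeroing can drift apart silently; define it once, e.g. `#define TRANS_SLACK 100` (name is a suggestion), and write `state->data = (char *)SMB_MALLOC(state->total_data + TRANS_SLACK);` and `memset(&state->data[state->total_data], 0, TRANS_SLACK);`, with the same change in the param hunks at -498 and -508. The padding only masks an over-read in the consumer named in the subject (lanman.c); the comment should say so, e.g. `/* Slack for unbounded reads in lanman.c; the reads there still need bounding. */`, so the padding is not later removed as dead space. If state->total_data is not already bounded by a narrow wire field before this point (not visible in the hunk; the DEBUG cast to unsigned int leaves its type unclear), `state->total_data+100` should be checked for wrap before the call, since a wrapped size would make the memset write past the allocation. reply_trans starts and ends outside these hunks.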
@@ -508,6 +510,8 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf,
 END_PROFILE(SMBtrans);
 return(ERROR_DOS(ERRDOS,ERRnomem));
 }
+ /* null-terminate the slack space */
+ memset(&state->param[state->total_param], 0, 100);
 if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
 goto bad_param;
 if ((smb_base(inbuf)+psoff+pscnt > inbuf + size) ||
-- 
cgit