From 12ed9ca36a4f8d2f3798f357a619389c26c9feea Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 8 Jul 2009 17:02:00 +0200 Subject: s3:smbd: fix parsing of invalid SMB2 requests. Because of 0 - 2 => 0xFFFFFFFE, we got EMSGSIZE from the tstream layer. And terminate the transport connection. Instead we should let the caller deal with the invalid parameter, when checking the body size. So the caller always gets at least a 2 byte body. metze --- source3/smbd/smb2_server.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/smbd') diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c index 43afb1b901..204e57d860 100644 --- a/source3/smbd/smb2_server.c +++ b/source3/smbd/smb2_server.c @@ -1339,7 +1339,7 @@ static int smbd_smb2_request_next_vector(struct tstream_context *stream, if (invalid) { /* the caller should check this */ - body_size = 0; + body_size = 2; } if ((body_size % 2) != 0) { @@ -1376,7 +1376,7 @@ static int smbd_smb2_request_next_vector(struct tstream_context *stream, */ memcpy(body, hdr + SMB2_HDR_BODY, 2); vector[0].iov_base = body + 2; - vector[0].iov_len = req->in.vector[idx].iov_len - 2; + vector[0].iov_len = body_size - 2; vector[1] = req->in.vector[idx+1]; -- cgit