From eafd0371402009db8051d04b1ae988e8f8817031 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 16 Oct 2003 18:17:41 +0000 Subject: Fix buggy data_len calculation in echo. Add paranoia debug message. Jeremy. (This used to be commit 8fb05cfa3afd9777c161271c4c3cec0d6d5150f2) --- source3/smbd/reply.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'source3/smbd') diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index ec63be32b4..011186ba89 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -2784,7 +2784,11 @@ int reply_echo(connection_struct *conn, int outsize = set_message(outbuf,1,data_len,True); START_PROFILE(SMBecho); - data_len = MIN(data_len, (sizeof(inbuf)-(smb_buf(inbuf)-inbuf))); + if (data_len > BUFFER_SIZE) { + DEBUG(0,("reply_echo: data_len too large.\n")); + END_PROFILE(SMBecho); + return -1; + } /* copy any incoming data back out */ if (data_len > 0) -- cgit