From 5e04231e961f10656384a6f16104d0d55b6f3e0e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 12 Oct 2011 17:46:50 +0200
Subject: s3:smb2_server: get/set info are limited by max_trans size (bug #8473)
metze
Autobuild-User: Stefan Metzmacher
Autobuild-Date: Thu Oct 13 03:32:02 CEST 2011 on sn-devel-104
---
 source3/smbd/smb2_getinfo.c | 7 +++++++
 source3/smbd/smb2_setinfo.c | 4 ++++
 2 files changed, 11 insertions(+)
(limited to 'source3')
diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c
index 61e0cfa06c..c5d2d62cd9 100644
--- a/source3/smbd/smb2_getinfo.c
+++ b/source3/smbd/smb2_getinfo.c
@@ -90,6 +90,13 @@ NTSTATUS smbd_smb2_request_process_getinfo(struct smbd_smb2_request *req)
 in_input_buffer.data = (uint8_t *)req->in.vector[i+2].iov_base;
 in_input_buffer.length = in_input_buffer_length;
+ if (in_input_buffer.length > req->sconn->smb2.max_trans) {
+ return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+ }
+ if (in_output_buffer_length > req->sconn->smb2.max_trans) {
+ return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+ }
+
 if (req->compat_chain_fsp) {
 /* skip check */
 } else if (in_file_id_persistent != in_file_id_volatile) {
diff --git a/source3/smbd/smb2_setinfo.c b/source3/smbd/smb2_setinfo.c
index 2d39f11bb5..751190ac62 100644
--- a/source3/smbd/smb2_setinfo.c
+++ b/source3/smbd/smb2_setinfo.c
@@ -81,6 +81,10 @@ NTSTATUS smbd_smb2_request_process_setinfo(struct smbd_smb2_request *req)
 in_input_buffer.data = (uint8_t *)req->in.vector[i+2].iov_base;
 in_input_buffer.length = in_input_buffer_length;
+ if (in_input_buffer.length > req->sconn->smb2.max_trans) {
+ return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+ }
+
 if (req->compat_chain_fsp) {
 /* skip check */
 } else if (in_file_id_persistent != in_file_id_volatile) {
-- cgit
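Review bot: The two guards added to smbd_smb2_request_process_getinfo have no comment saying why each length is bounded, and the reasons differ. in_input_buffer.length describes bytes the client has already sent, while in_output_buffer_length is a size the client chooses for the reply; later code presumably sizes the response from it, but that code is outside the hunk. A comment above the pair such as `/* client-supplied lengths: never honour more than our max_trans limit */` would stop a later cleanup from dropping the output-side check as a duplicate of the input one. The same comment fits the input-length guard added in smb2_setinfo.c. The function body starts and ends outside this hunk.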
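Review bot: The new rejection path in smbd_smb2_request_process_setinfo returns NT_STATUS_INVALID_PARAMETER without logging anything, as do both guards in smb2_getinfo.c. An operator therefore cannot tell a client that keeps sending oversized lengths from any other invalid-parameter failure. A low-level debug line before the return would make these visible, for example `DEBUG(2, ("smb2 setinfo: input buffer length exceeds max_trans\n"));`. This diff does not show whether other handlers that accept client-supplied buffer lengths have an equivalent limit, so a follow-up check of those handlers is worth doing.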