From 9d6f2767179fad2f9a067c67c09afddb6304e4eb Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 25 Jul 2006 00:57:27 +0000
Subject: r17222: Change the function prototypes for the GENSEc and TLS socket
 creation routines to return an NTSTATUS.  This should help track down errors.

Use a bit of talloc_steal and talloc_unlink to get the real socket to
be a child of the GENSEC or TLS socket.

Always return a new socket, even for the 'pass-though' case.

Andrew Bartlett
(This used to be commit 003e2ab93c87267ba28cd67bd85975bad62a8ea2)
---
 source4/lib/stream/packet.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

(limited to 'source4/lib/stream/packet.c')

diff --git a/source4/lib/stream/packet.c b/source4/lib/stream/packet.c
index 2759c75214..0d14435486 100644
--- a/source4/lib/stream/packet.c
+++ b/source4/lib/stream/packet.c
@@ -270,6 +270,16 @@ _PUBLIC_ void packet_recv(struct packet_context *pc)
 		return;
 	}
 
+	if (npending + pc->num_read < npending) {
+		packet_error(pc, NT_STATUS_INVALID_PARAMETER);
+		return;
+	}
+
+	if (npending + pc->num_read < pc->num_read) {
+		packet_error(pc, NT_STATUS_INVALID_PARAMETER);
+		return;
+	}
+
 	/* possibly expand the partial packet buffer */
 	if (npending + pc->num_read > pc->partial.length) {
 		status = data_blob_realloc(pc, &pc->partial, npending+pc->num_read);
@@ -279,6 +289,20 @@ _PUBLIC_ void packet_recv(struct packet_context *pc)
 		}
 	}
 
+	if (pc->partial.length < pc->num_read + npending) {
+		packet_error(pc, NT_STATUS_INVALID_PARAMETER);
+		return;
+	}
+
+	if ((uint8_t *)pc->partial.data + pc->num_read < (uint8_t *)pc->partial.data) {
+		packet_error(pc, NT_STATUS_INVALID_PARAMETER);
+		return;
+	}
+	if ((uint8_t *)pc->partial.data + pc->num_read + npending < (uint8_t *)pc->partial.data) {
+		packet_error(pc, NT_STATUS_INVALID_PARAMETER);
+		return;
+	}
+
 	status = socket_recv(pc->sock, pc->partial.data + pc->num_read, 
 			     npending, &nread);
 
@@ -337,6 +361,7 @@ next_partial:
 			packet_error(pc, NT_STATUS_NO_MEMORY);
 			return;
 		}
+		/* Trunate the blob sent to the caller to only the packet length */
 		status = data_blob_realloc(pc, &blob, pc->packet_size);
 		if (!NT_STATUS_IS_OK(status)) {
 			packet_error(pc, status);
-- 
cgit