>From 1f9f0ba214340bd54d53c1b61d236302cd7a0ce6 Mon Sep 17 00:00:00 2001
From: Noel Power
Date: Wed, 18 Nov 2015 10:09:58 +0000
Subject: [PATCH] fix valgrind error, don't read past available bytes

If for example the Ioctl response has an error like "STATUS_FILE_CLOSED" then the fixed len is quite short (e.g. 8 bytes) Double check here if we don't read past the amount of bytes available.

Signed-off-by: Noel Power
---
 libcli/smb/smb2cli_ioctl.c | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/libcli/smb/smb2cli_ioctl.c b/libcli/smb/smb2cli_ioctl.c
index 42a424e..9a78561 100644
--- a/libcli/smb/smb2cli_ioctl.c
+++ b/libcli/smb/smb2cli_ioctl.c
@@ -201,10 +201,10 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq)
 	uint8_t *dyn;
 	size_t dyn_len;
 	uint32_t dyn_ofs = SMB2_HDR_BODY + 0x30;
-	uint32_t input_buffer_offset;
-	uint32_t input_buffer_length;
-	uint32_t output_buffer_offset;
-	uint32_t output_buffer_length;
+	uint32_t input_buffer_offset = 0;
+	uint32_t input_buffer_length = 0;
+	uint32_t output_buffer_offset = 0;
+	uint32_t output_buffer_length = 0;
 	static const struct smb2cli_req_expected_response expected[] = {
 	{
 		.status = NT_STATUS_OK,
@@ -242,10 +242,20 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq)
 	dyn = (uint8_t *)iov[2].iov_base;
 	dyn_len = iov[2].iov_len;
 
-	input_buffer_offset = IVAL(fixed, 0x18);
-	input_buffer_length = IVAL(fixed, 0x1C);
-	output_buffer_offset = IVAL(fixed, 0x20);
-	output_buffer_length = IVAL(fixed, 0x24);
+	if (iov[1].iov_len >= (0x24 + sizeof(output_buffer_length))) {
+		input_buffer_offset = IVAL(fixed, 0x18);
+		input_buffer_length = IVAL(fixed, 0x1C);
+		output_buffer_offset = IVAL(fixed, 0x20);
+		output_buffer_length = IVAL(fixed, 0x24);
+	} else if (NT_STATUS_IS_OK(status)) {
+		/*
+		 * This should never happen, to have a short len
+		 * we would expect some error status like NT_STATUS_FILE_CLOSED
+		 */
+		tevent_req_nterror(
+			req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+		return;
+	}
 
 	if (smb2cli_ioctl_is_failure(state->ctl_code, status,
 				     output_buffer_length) &&
 	    tevent_req_nterror(req, status)) {
-- 
1.8.5.6
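Review bot: The new short-body guard only rejects the response when status is OK, so a short fixed body paired with a non-OK status falls through to smb2cli_ioctl_is_failure() with all four offsets and lengths still zero; if that helper treats some non-OK statuses as non-failures for this ctl_code (the fact that it takes ctl_code and a length rather than a plain NT_STATUS_IS_OK() suggests it does), execution continues into the buffer handling below the hunk with zeroed offsets. Because the body length is chosen by the peer, it would be safer to reject every short body that is not a clear failure, e.g. `} else if (!smb2cli_ioctl_is_failure(state->ctl_code, status, 0)) {` (assuming the helper returns false for NT_STATUS_OK), and to say so in the comment instead of "This should never happen". The bound `0x24 + sizeof(output_buffer_length)` is correct but repeats the field offset used on the IVAL line that follows; a comment such as `/* need the four buffer offset/length fields at 0x18..0x27 */` keeps the two in step. The guard also relies on fixed pointing at iov[1].iov_base, which is assigned outside the hunk, and smb2cli_ioctl_done continues beyond this hunk.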