svn commit: samba r3935 - in trunk/source/smbd: .

Wed Nov 24 05:24:32 GMT 2004

Author: jra
Date: 2004-11-24 05:24:32 +0000 (Wed, 24 Nov 2004)
New Revision: 3935

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=3935

Log:
Ensure LARGE_READX response must fit within reply buffer.
Jeremy.

Modified:
   trunk/source/smbd/reply.c


Changeset:
Modified: trunk/source/smbd/reply.c
===================================================================

--- trunk/source/smbd/reply.c	2004-11-24 03:42:01 UTC (rev 3934)
+++ trunk/source/smbd/reply.c	2004-11-24 05:24:32 UTC (rev 3935)
@@ -2236,6 +2236,12 @@
 
 	if (global_client_caps & CAP_LARGE_READX) {
 		smb_maxcnt |= ((((size_t)SVAL(inbuf,smb_vwv7)) & 1 )<<16);
+		if (smb_maxcnt > BUFFER_SIZE) {
+			DEBUG(0,("reply_read_and_X - read too large (%u) for reply buffer %u\n",
+				(unsigned int)smb_maxcnt, (unsigned int)BUFFER_SIZE));
+			END_PROFILE(SMBreadX);
+			return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+		}
 	}
 
 	if(CVAL(inbuf,smb_wct) == 12) {

