svn commit: samba r24155 - in branches/SAMBA_3_2/source/smbd: .

vlendec at samba.org vlendec at samba.org
Fri Aug 3 13:13:57 GMT 2007


Author: vlendec
Date: 2007-08-03 13:13:57 +0000 (Fri, 03 Aug 2007)
New Revision: 24155

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24155

Log:
Check wct in reply_trans2
Modified:
   branches/SAMBA_3_2/source/smbd/trans2.c


Changeset:
Modified: branches/SAMBA_3_2/source/smbd/trans2.c
===================================================================
--- branches/SAMBA_3_2/source/smbd/trans2.c	2007-08-03 12:44:06 UTC (rev 24154)
+++ branches/SAMBA_3_2/source/smbd/trans2.c	2007-08-03 13:13:57 UTC (rev 24155)
@@ -7018,16 +7018,27 @@
 		 int size, int bufsize)
 {
 	int outsize = 0;
-	unsigned int dsoff = SVAL(inbuf, smb_dsoff);
-	unsigned int dscnt = SVAL(inbuf, smb_dscnt);
-	unsigned int psoff = SVAL(inbuf, smb_psoff);
-	unsigned int pscnt = SVAL(inbuf, smb_pscnt);
-	unsigned int tran_call = SVAL(inbuf, smb_setup0);
+	unsigned int dsoff;
+	unsigned int dscnt;
+	unsigned int psoff;
+	unsigned int pscnt;
+	unsigned int tran_call;
 	struct trans_state *state;
 	NTSTATUS result;
 
 	START_PROFILE(SMBtrans2);
 
+	if (SVAL(inbuf, smb_wct) < 8) {
+		END_PROFILE(SMBtrans2);
+		return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+	}
+
+	dsoff = SVAL(inbuf, smb_dsoff);
+	dscnt = SVAL(inbuf, smb_dscnt);
+	psoff = SVAL(inbuf, smb_psoff);
+	pscnt = SVAL(inbuf, smb_pscnt);
+	tran_call = SVAL(inbuf, smb_setup0);
+
 	result = allow_new_trans(conn->pending_trans, SVAL(inbuf, smb_mid));
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(2, ("Got invalid trans2 request: %s\n",
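Review bot: The new guard in reply_trans2 reads the word count with `SVAL(inbuf, smb_wct)`, but wct is a one-byte field in the SMB header, so the 16-bit read also takes in the first byte of the parameter words, and any non-zero byte there makes the comparison pass regardless of wct. Reading it as `if (CVAL(inbuf, smb_wct) < 8) {` would test only the count, and the same applies to the identical check added in the SMBtranss2 hunk. Separately, the bound of 8 should be confirmed against the highest word read right after it (`smb_dsoff`, `smb_setup0`): in the primary trans2 layout these appear to sit above word 8 (setup0 presumably at word 14), so a request declaring between 8 and 14 words would still have fields read beyond what it declared. The function body starts before and continues after this hunk, so any later length checks are not visible here.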
@@ -7198,6 +7209,11 @@
 
 	START_PROFILE(SMBtranss2);
 
+	if (SVAL(inbuf, smb_wct) < 8) {
+		END_PROFILE(SMBtranss2);
+		return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+	}
+
 	show_msg(inbuf);
 
 	for (state = conn->pending_trans; state != NULL;


