svn commit: samba r24224 - in branches/SAMBA_3_2/source/smbd: .

[vlendec at samba.org]

Author: vlendec
Date: 2007-08-04 20:28:46 +0000 (Sat, 04 Aug 2007)
New Revision: 24224

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24224

Log:
Check wct in reply_trans
Modified:
   branches/SAMBA_3_2/source/smbd/ipc.c


Changeset:
Modified: branches/SAMBA_3_2/source/smbd/ipc.c
===================================================================
--- branches/SAMBA_3_2/source/smbd/ipc.c	2007-08-04 20:08:35 UTC (rev 24223)
+++ branches/SAMBA_3_2/source/smbd/ipc.c	2007-08-04 20:28:46 UTC (rev 24224)
@@ -502,15 +502,25 @@
 		int bufsize)
 {
 	int outsize = 0;
-	unsigned int dsoff = SVAL(inbuf, smb_dsoff);
-	unsigned int dscnt = SVAL(inbuf, smb_dscnt);
-	unsigned int psoff = SVAL(inbuf, smb_psoff);
-	unsigned int pscnt = SVAL(inbuf, smb_pscnt);
+	unsigned int dsoff;
+	unsigned int dscnt;
+	unsigned int psoff;
+	unsigned int pscnt;
 	struct trans_state *state;
 	NTSTATUS result;
 
 	START_PROFILE(SMBtrans);
 
+	if (SVAL(inbuf, smb_wct) < 10) {
+		END_PROFILE(SMBtrans);
+		return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+	}
+
+	dsoff = SVAL(inbuf, smb_dsoff);
+	dscnt = SVAL(inbuf, smb_dscnt);
+	psoff = SVAL(inbuf, smb_psoff);
+	pscnt = SVAL(inbuf, smb_pscnt);
+
 	result = allow_new_trans(conn->pending_trans, SVAL(inbuf, smb_mid));
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(2, ("Got invalid trans request: %s\n",
@@ -681,6 +691,11 @@
 
 	show_msg(inbuf);
 
+	if (SVAL(inbuf, smb_wct) < 10) {
+		END_PROFILE(SMBtranss);
+		return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+	}
+
 	for (state = conn->pending_trans; state != NULL;
 	     state = state->next) {
 		if (state->mid == SVAL(inbuf,smb_mid)) {