svn commit: samba r24467 - in branches/SAMBA_3_2/source/smbd: .
jra at samba.org
jra at samba.org
Wed Aug 15 19:25:40 GMT 2007
Author: jra
Date: 2007-08-15 19:25:38 +0000 (Wed, 15 Aug 2007)
New Revision: 24467
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24467
Log:
Do range checking on incoming smb request.
Jeremy.
Modified:
branches/SAMBA_3_2/source/smbd/process.c
Changeset:
Modified: branches/SAMBA_3_2/source/smbd/process.c
===================================================================
--- branches/SAMBA_3_2/source/smbd/process.c 2007-08-15 17:40:26 UTC (rev 24466)
+++ branches/SAMBA_3_2/source/smbd/process.c 2007-08-15 19:25:38 UTC (rev 24467)
@@ -57,12 +57,26 @@
void init_smb_request(struct smb_request *req, const uint8 *inbuf)
{
+ size_t req_size = smb_len(inbuf);
+ /* Ensure we have at smb_size request. */
+ if (req_size < smb_size) {
+ DEBUG(0,("init_smb_request: invalid request size %u\n",
+ (unsigned int)req_size ));
+ exit_server_cleanly("Invalid SMB request");
+ }
req->flags2 = SVAL(inbuf, smb_flg2);
req->smbpid = SVAL(inbuf, smb_pid);
req->mid = SVAL(inbuf, smb_mid);
req->vuid = SVAL(inbuf, smb_uid);
req->tid = SVAL(inbuf, smb_tid);
req->wct = CVAL(inbuf, smb_wct);
+ /* Ensure we have at least wct words. */
+ if (smb_size + req->wct*2 > req_size) {
+ DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
+ (unsigned int)req->wct,
+ (unsigned int)req_size));
+ exit_server_cleanly("Invalid SMB request");
+ }
req->inbuf = inbuf;
req->outbuf = NULL;
}
More information about the samba-cvs
mailing list