[SCM] Samba Shared Repository - branch master updated - fd2bac966783a9aa3f278cc67219920384bc0981

[Volker Lendecke]

The branch, master has been updated
       via  fd2bac966783a9aa3f278cc67219920384bc0981 (commit)
      from  3c66ba0b3cfe9114f28368c30305103ffec68f57 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit fd2bac966783a9aa3f278cc67219920384bc0981
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Nov 19 22:55:06 2008 +0100

    For read&x replies, check the offset

-----------------------------------------------------------------------

Summary of changes:
 source3/libsmb/clireadwrite.c |   19 +++++++++++++++++++
 1 files changed, 19 insertions(+), 0 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/clireadwrite.c b/source3/libsmb/clireadwrite.c
index ecf4939..1c2a0d5 100644
--- a/source3/libsmb/clireadwrite.c
+++ b/source3/libsmb/clireadwrite.c
@@ -109,6 +109,7 @@ NTSTATUS cli_read_andx_recv(struct async_req *req, ssize_t *received,
 	uint16_t *vwv;
 	uint16_t num_bytes;
 	uint8_t *bytes;
+	uint8_t *buf;
 	NTSTATUS status;
 	size_t size;
 
@@ -136,6 +137,24 @@ NTSTATUS cli_read_andx_recv(struct async_req *req, ssize_t *received,
 		return NT_STATUS_UNEXPECTED_IO_ERROR;
 	}
 
+	/*
+	 * bcc field must be valid for small reads, for large reads the 16-bit
+	 * bcc field can't be correct.
+	 */
+
+	if ((size < 0xffff) && (size > num_bytes)) {
+		DEBUG(5, ("server announced more bytes than sent\n"));
+		return NT_STATUS_INVALID_NETWORK_RESPONSE;
+	}
+
+	buf = (uint8_t *)smb_base(cli_req->inbuf) + SVAL(vwv+6, 0);
+
+	if (trans_oob(smb_len(cli_req->inbuf), SVAL(vwv+6, 0), size)
+	    || (buf < bytes)) {
+		DEBUG(5, ("server returned invalid read&x data offset\n"));
+		return NT_STATUS_INVALID_NETWORK_RESPONSE;
+	}
+
 	*rcvbuf = (uint8_t *)(smb_base(cli_req->inbuf) + SVAL(vwv + 6, 0));
 	*received = size;
 	return NT_STATUS_OK;


-- 
Samba Shared Repository