Author: vlendec Date: 2007-08-03 13:13:57 +0000 (Fri, 03 Aug 2007) New Revision: 24155
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24155 Log: Check wct in reply_trans2 Modified: branches/SAMBA_3_2/source/smbd/trans2.c Changeset: Modified: branches/SAMBA_3_2/source/smbd/trans2.c
===================================================================
--- branches/SAMBA_3_2/source/smbd/trans2.c 2007-08-03 12:44:06 UTC (rev 24154)
+++ branches/SAMBA_3_2/source/smbd/trans2.c 2007-08-03 13:13:57 UTC (rev 24155)
@@ -7018,16 +7018,27 @@
 int size, int bufsize)
 {
 int outsize = 0;
- unsigned int dsoff = SVAL(inbuf, smb_dsoff);
- unsigned int dscnt = SVAL(inbuf, smb_dscnt);
- unsigned int psoff = SVAL(inbuf, smb_psoff);
- unsigned int pscnt = SVAL(inbuf, smb_pscnt);
- unsigned int tran_call = SVAL(inbuf, smb_setup0);
+ unsigned int dsoff;
+ unsigned int dscnt;
+ unsigned int psoff;
+ unsigned int pscnt;
+ unsigned int tran_call;
 struct trans_state *state;
 NTSTATUS result;
 START_PROFILE(SMBtrans2);
+ if (SVAL(inbuf, smb_wct) < 8) {
+ END_PROFILE(SMBtrans2);
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ dsoff = SVAL(inbuf, smb_dsoff);
+ dscnt = SVAL(inbuf, smb_dscnt);
+ psoff = SVAL(inbuf, smb_psoff);
+ pscnt = SVAL(inbuf, smb_pscnt);
+ tran_call = SVAL(inbuf, smb_setup0);
+
 result = allow_new_trans(conn->pending_trans, SVAL(inbuf, smb_mid));
 if (!NT_STATUS_IS_OK(result)) {
 DEBUG(2, ("Got invalid trans2 request: %s\n",
@@ -7198,6 +7209,11 @@
 START_PROFILE(SMBtranss2);
+ if (SVAL(inbuf, smb_wct) < 8) {
+ END_PROFILE(SMBtranss2);
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
 show_msg(inbuf);
 for (state = conn->pending_trans; state != NULL;
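Review bot: The new guard in reply_trans2 reads the word count with `SVAL(inbuf, smb_wct)`, a 16-bit read, while WordCount is a single byte in the SMB header, so the byte that follows it is folded into the value and the comparison does not actually bound wct; the identical line is added in the SMBtranss2 hunk. I would change both to `if (CVAL(inbuf, smb_wct) < 8) {`. Separately, 8 words looks too low for the primary request: the reads that follow go up to smb_setup0, which I believe sits past the eighth parameter word in smb.h, so the threshold should cover the highest word actually read (confirm against the smb_vwv offsets). A `DEBUG(2, ...)` line on the reject path, like the one on the allow_new_trans failure just below, would make malformed requests visible in the log. Both function bodies start and end outside the hunks.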
