s3:smbd: do not access data behind req->buf+req->buflen in srvstr_pull_req_talloc()

author Ralph Wuerthner <ralph.wuerthner@de.ibm.com>

Thu, 4 Apr 2013 11:29:01 +0000 (13:29 +0200)

committer Karolin Seeger <kseeger@samba.org>

Wed, 17 Apr 2013 06:56:03 +0000 (08:56 +0200)
author Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Thu, 4 Apr 2013 11:29:01 +0000 (13:29 +0200)
committer Karolin Seeger <kseeger@samba.org>
Wed, 17 Apr 2013 06:56:03 +0000 (08:56 +0200)
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c

index 3717f366ee8d89d84b53daa7711868a69df5c967..c815a5a9dd49fe0296a32e83b0480a54401fc025 100644 (file)
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -346,8 +346,14 @@ size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req,
  size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req,
                               char **dest, const char *src, int flags)
  {
+       ssize_t bufrem = smbreq_bufrem(req, src);
+
+       if (bufrem < 0) {
+               return 0;
+       }
+
         return pull_string_talloc(ctx, req->inbuf, req->flags2, dest, src,
-                                 smbreq_bufrem(req, src), flags);
+                                 bufrem, flags);
  }
  
  /****************************************************************************
author	Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
	Thu, 4 Apr 2013 11:29:01 +0000 (13:29 +0200)
committer	Karolin Seeger <kseeger@samba.org>
	Wed, 17 Apr 2013 06:56:03 +0000 (08:56 +0200)