smbd: Correctly return INFO_LENGTH_MISMATCH in smb2_getinfo
authorVolker Lendecke <vl@samba.org>
Tue, 27 Aug 2013 09:36:03 +0000 (09:36 +0000)
committerJeremy Allison <jra@samba.org>
Wed, 28 Aug 2013 21:37:08 +0000 (23:37 +0200)
We have to return this error if the client offered less buffer space than
the fixed portion of the infolevel data requires.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
source3/smbd/smb2_getinfo.c

index 698e7752ddfa7aa62db83e4fadf70d8a363b8bae..c6a143331b12b0022eb0f66ab92d976d4fa14c2e 100644 (file)
@@ -392,6 +392,12 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx,
                        tevent_req_nterror(req, status);
                        return tevent_req_post(req, ev);
                }
+               if (in_output_buffer_length < fixed_portion) {
+                       SAFE_FREE(data);
+                       tevent_req_nterror(
+                               req, NT_STATUS_INFO_LENGTH_MISMATCH);
+                       return tevent_req_post(req, ev);
+               }
                if (data_size > 0) {
                        state->out_output_buffer = data_blob_talloc(state,
                                                                    data,
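Review bot: The guard `if (in_output_buffer_length < fixed_portion)` has no comment explaining why a too-small client buffer is rejected at this point, before the reply blob is built, and the same six lines are repeated verbatim in the second hunk (@@ -434). I would put `/* Client's output buffer cannot hold the fixed part of this info level; fail before copying anything. */` above both checks, or move the check into one small static helper so the two branches cannot drift apart. Where `fixed_portion` gets its value is not visible in either hunk, so it is worth confirming it is initialised (presumably to 0) on every path that reaches the comparison; otherwise a client-controlled length would be compared against a stale value. The body of smbd_smb2_getinfo_send starts and ends outside both hunks.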
@@ -434,6 +440,12 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx,
                        tevent_req_nterror(req, status);
                        return tevent_req_post(req, ev);
                }
+               if (in_output_buffer_length < fixed_portion) {
+                       SAFE_FREE(data);
+                       tevent_req_nterror(
+                               req, NT_STATUS_INFO_LENGTH_MISMATCH);
+                       return tevent_req_post(req, ev);
+               }
                if (data_size > 0) {
                        state->out_output_buffer = data_blob_talloc(state,
                                                                    data,