s3:smb2_server: get/set info are limited by max_trans size (bug #8473)

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Oct 13 03:32:02 CEST 2011 on sn-devel-104

diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c
index 61e0cfa06c387bb45aca9acb681b3fe38b605355..c5d2d62cd9b8d27f0b0f620d3ec4947214183950 100644 (file)
--- a/source3/smbd/smb2_getinfo.c
+++ b/source3/smbd/smb2_getinfo.c
@@ -90,6 +90,13 @@ NTSTATUS smbd_smb2_request_process_getinfo(struct smbd_smb2_request *req)
        in_input_buffer.data = (uint8_t *)req->in.vector[i+2].iov_base;
        in_input_buffer.length = in_input_buffer_length;
 
+       if (in_input_buffer.length > req->sconn->smb2.max_trans) {
+               return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+       }
+       if (in_output_buffer_length > req->sconn->smb2.max_trans) {
+               return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+       }
+
        if (req->compat_chain_fsp) {
                /* skip check */
        } else if (in_file_id_persistent != in_file_id_volatile) {

diff --git a/source3/smbd/smb2_setinfo.c b/source3/smbd/smb2_setinfo.c
index 2d39f11bb555b6075b76439f377e9010104bd9f2..751190ac626e4c2b1263084e7a0b6465bc73d1f7 100644 (file)
--- a/source3/smbd/smb2_setinfo.c
+++ b/source3/smbd/smb2_setinfo.c
@@ -81,6 +81,10 @@ NTSTATUS smbd_smb2_request_process_setinfo(struct smbd_smb2_request *req)
        in_input_buffer.data = (uint8_t *)req->in.vector[i+2].iov_base;
        in_input_buffer.length = in_input_buffer_length;
 
+       if (in_input_buffer.length > req->sconn->smb2.max_trans) {
+               return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+       }
+
        if (req->compat_chain_fsp) {
                /* skip check */
        } else if (in_file_id_persistent != in_file_id_volatile) {