Jeremy.
unsigned int dscnt = SVAL(inbuf, smb_dscnt);
unsigned int psoff = SVAL(inbuf, smb_psoff);
unsigned int pscnt = SVAL(inbuf, smb_pscnt);
+ unsigned int av_size = size-4;
struct trans_state *state;
NTSTATUS result;
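Review bot: `unsigned int av_size = size-4;` is introduced with no guard that `size` is at least 4; the later signature hunk (`int size,int bufsize)`) shows `size` is a signed int, so for a packet shorter than 4 bytes the subtraction goes negative and `av_size` wraps to a huge value, after which every `> av_size` test added in the following hunks passes. If the request dispatcher already rejects packets shorter than the SMB header this cannot trigger, but that assumption is invisible here and deserves either a local `if (size < 4) goto bad_param;` or at least a comment such as `/* av_size: bytes available after the 4-byte length prefix; relies on caller ensuring size >= 4 */` (the 4 is presumably the NetBIOS length prefix). The same expression is added, unguarded, in the other five declaration hunks. The enclosing function continues outside the hunk.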
}
/* null-terminate the slack space */
memset(&state->data[state->total_data], 0, 100);
- if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
+
+ if (dscnt > state->total_data ||
+ dsoff+dscnt < dsoff) {
goto bad_param;
- if ((smb_base(inbuf)+dsoff+dscnt > inbuf + size) ||
- (smb_base(inbuf)+dsoff+dscnt < smb_base(inbuf)))
+ }
+
+ if (dsoff > av_size ||
+ dscnt > av_size ||
+ dsoff+dscnt > av_size) {
goto bad_param;
+ }
memcpy(state->data,smb_base(inbuf)+dsoff,dscnt);
}
}
/* null-terminate the slack space */
memset(&state->param[state->total_param], 0, 100);
- if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
+
+ if (pscnt > state->total_param ||
+ psoff+pscnt < psoff) {
goto bad_param;
- if ((smb_base(inbuf)+psoff+pscnt > inbuf + size) ||
- (smb_base(inbuf)+psoff+pscnt < smb_base(inbuf)))
+ }
+
+ if (psoff > av_size ||
+ pscnt > av_size ||
+ psoff+pscnt > av_size) {
goto bad_param;
+ }
memcpy(state->param,smb_base(inbuf)+psoff,pscnt);
}
{
int outsize = 0;
unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp;
+ unsigned int av_size = size-4;
struct trans_state *state;
NTSTATUS result;
goto bad_param;
if (pcnt) {
- if (pdisp+pcnt > state->total_param)
- goto bad_param;
- if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
- goto bad_param;
- if (pdisp > state->total_param)
- goto bad_param;
- if ((smb_base(inbuf) + poff + pcnt > inbuf + size) ||
- (smb_base(inbuf) + poff + pcnt < smb_base(inbuf)))
+ if (pdisp > state->total_param ||
+ pcnt > state->total_param ||
+ pdisp+pcnt > state->total_param ||
+ pdisp+pcnt < pdisp) {
goto bad_param;
- if (state->param + pdisp < state->param)
+ }
+
+ if (poff > av_size ||
+ pcnt > av_size ||
+ poff+pcnt > av_size ||
+ poff+pcnt < poff) {
goto bad_param;
+ }
memcpy(state->param+pdisp,smb_base(inbuf)+poff,
pcnt);
}
if (dcnt) {
- if (ddisp+dcnt > state->total_data)
- goto bad_param;
- if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
- goto bad_param;
- if (ddisp > state->total_data)
- goto bad_param;
- if ((smb_base(inbuf) + doff + dcnt > inbuf + size) ||
- (smb_base(inbuf) + doff + dcnt < smb_base(inbuf)))
- goto bad_param;
- if (state->data + ddisp < state->data)
+ if (ddisp > state->total_data ||
+ dcnt > state->total_data ||
+ ddisp+dcnt > state->total_data ||
+ ddisp+dcnt < ddisp) {
+ goto bad_param;
+ }
+
+ if (ddisp > av_size ||
+ dcnt > av_size ||
+ ddisp+dcnt > av_size ||
+ ddisp+dcnt < ddisp) {
goto bad_param;
+ }
memcpy(state->data+ddisp, smb_base(inbuf)+doff,
dcnt);
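Review bot: The second range check in the `if (dcnt)` branch compares `ddisp` against `av_size`, but the source of the memcpy two lines below is `smb_base(inbuf)+doff`; since the removed `smb_base(inbuf) + doff + dcnt > inbuf + size` test was the only bound on `doff`, the offset read from the request is now never checked against the received packet and the copy can read past the input buffer. The parameter branch above does this correctly with `poff`, so the data branch should mirror it: `if (doff > av_size || dcnt > av_size || doff+dcnt > av_size || doff+dcnt < doff)`. The same `ddisp`/`doff` mix-up appears in the two later secondary-request hunks that end at `dcnt);` (the ones following `START_PROFILE(SMBnttranss)` and `START_PROFILE(SMBtranss2)`). The enclosing function starts and ends outside the hunk.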
uint32 psoff = IVAL(inbuf,smb_nt_ParameterOffset);
uint32 dscnt = IVAL(inbuf,smb_nt_DataCount);
uint32 dsoff = IVAL(inbuf,smb_nt_DataOffset);
-
+ uint32 av_size = size-4;
+
uint16 function_code = SVAL( inbuf, smb_nt_Function);
NTSTATUS result;
struct trans_state *state;
END_PROFILE(SMBnttrans);
return(ERROR_DOS(ERRDOS,ERRnomem));
}
- if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
+
+ if (dscnt > state->total_data ||
+ dsoff+dscnt < dsoff) {
goto bad_param;
- if ((smb_base(inbuf)+dsoff+dscnt > inbuf + size) ||
- (smb_base(inbuf)+dsoff+dscnt < smb_base(inbuf)))
+ }
+
+ if (dsoff > av_size ||
+ dscnt > av_size ||
+ dsoff+dscnt > av_size) {
goto bad_param;
+ }
memcpy(state->data,smb_base(inbuf)+dsoff,dscnt);
}
END_PROFILE(SMBnttrans);
return(ERROR_DOS(ERRDOS,ERRnomem));
}
- if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
+
+ if (pscnt > state->total_param ||
+ psoff+pscnt < psoff) {
goto bad_param;
- if ((smb_base(inbuf)+psoff+pscnt > inbuf + size) ||
- (smb_base(inbuf)+psoff+pscnt < smb_base(inbuf)))
+ }
+
+ if (psoff > av_size ||
+ pscnt > av_size ||
+ psoff+pscnt > av_size) {
goto bad_param;
+ }
memcpy(state->param,smb_base(inbuf)+psoff,pscnt);
}
int size,int bufsize)
{
int outsize = 0;
- unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp;
+ uint32_t pcnt,poff,dcnt,doff,pdisp,ddisp;
+ uint32_t av_size = size-4;
struct trans_state *state;
START_PROFILE(SMBnttranss);
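Review bot: This hunk switches the offset/count locals and `av_size` to `uint32_t`, while the two sibling secondary-request hunks (`unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp;` followed by `unsigned int av_size = size-4;`) keep `unsigned int` for the identical set of variables; the checks that follow are otherwise the same, so one type should be used across the three functions for readability and to keep the comparisons against `state->total_param`/`state->total_data` uniform. Whichever is chosen, `uint32_t av_size = size-4;` still converts the signed `size` declared in this hunk's signature without a lower-bound check, so a short comment on that line stating what the caller guarantees about `size` would help the next reader. The enclosing function continues outside the hunk.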
goto bad_param;
if (pcnt) {
- if (pdisp+pcnt > state->total_param)
- goto bad_param;
- if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
+ if (pdisp > state->total_param ||
+ pcnt > state->total_param ||
+ pdisp+pcnt > state->total_param ||
+ pdisp+pcnt < pdisp) {
goto bad_param;
- if (pdisp > state->total_param)
- goto bad_param;
- if ((smb_base(inbuf) + poff + pcnt > inbuf + size) ||
- (smb_base(inbuf) + poff + pcnt < smb_base(inbuf)))
- goto bad_param;
- if (state->param + pdisp < state->param)
+ }
+
+ if (poff > av_size ||
+ pcnt > av_size ||
+ poff+pcnt > av_size ||
+ poff+pcnt < poff) {
goto bad_param;
+ }
memcpy(state->param+pdisp,smb_base(inbuf)+poff,
pcnt);
}
if (dcnt) {
- if (ddisp+dcnt > state->total_data)
- goto bad_param;
- if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
+ if (ddisp > state->total_data ||
+ dcnt > state->total_data ||
+ ddisp+dcnt > state->total_data ||
+ ddisp+dcnt < ddisp) {
goto bad_param;
- if (ddisp > state->total_data)
- goto bad_param;
- if ((smb_base(inbuf) + doff + dcnt > inbuf + size) ||
- (smb_base(inbuf) + doff + dcnt < smb_base(inbuf)))
- goto bad_param;
- if (state->data + ddisp < state->data)
+ }
+
+ if (ddisp > av_size ||
+ dcnt > av_size ||
+ ddisp+dcnt > av_size ||
+ ddisp+dcnt < ddisp) {
goto bad_param;
+ }
memcpy(state->data+ddisp, smb_base(inbuf)+doff,
dcnt);
unsigned int psoff = SVAL(inbuf, smb_psoff);
unsigned int pscnt = SVAL(inbuf, smb_pscnt);
unsigned int tran_call = SVAL(inbuf, smb_setup0);
+ unsigned int av_size = size-4;
struct trans_state *state;
NTSTATUS result;
END_PROFILE(SMBtrans2);
return(ERROR_DOS(ERRDOS,ERRnomem));
}
- if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
- goto bad_param;
- if ((smb_base(inbuf)+dsoff+dscnt > inbuf + size) ||
- (smb_base(inbuf)+dsoff+dscnt < smb_base(inbuf)))
+
+ if (dscnt > state->total_data ||
+ dsoff+dscnt < dsoff) {
goto bad_param;
+ }
+
+ if (dsoff > av_size ||
+ dscnt > av_size ||
+ dsoff+dscnt > av_size) {
+ goto bad_param;
+ }
memcpy(state->data,smb_base(inbuf)+dsoff,dscnt);
}
END_PROFILE(SMBtrans2);
return(ERROR_DOS(ERRDOS,ERRnomem));
}
- if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
+
+ if (pscnt > state->total_param ||
+ psoff+pscnt < psoff) {
goto bad_param;
- if ((smb_base(inbuf)+psoff+pscnt > inbuf + size) ||
- (smb_base(inbuf)+psoff+pscnt < smb_base(inbuf)))
+ }
+
+ if (psoff > av_size ||
+ pscnt > av_size ||
+ psoff+pscnt > av_size) {
goto bad_param;
+ }
memcpy(state->param,smb_base(inbuf)+psoff,pscnt);
}
{
int outsize = 0;
unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp;
+ unsigned int av_size = size-4;
struct trans_state *state;
START_PROFILE(SMBtranss2);
goto bad_param;
if (pcnt) {
- if (pdisp+pcnt > state->total_param)
- goto bad_param;
- if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
- goto bad_param;
- if (pdisp > state->total_param)
+ if (pdisp > state->total_param ||
+ pcnt > state->total_param ||
+ pdisp+pcnt > state->total_param ||
+ pdisp+pcnt < pdisp) {
goto bad_param;
- if ((smb_base(inbuf) + poff + pcnt > inbuf + size) ||
- (smb_base(inbuf) + poff + pcnt < smb_base(inbuf)))
- goto bad_param;
- if (state->param + pdisp < state->param)
+ }
+
+ if (poff > av_size ||
+ pcnt > av_size ||
+ poff+pcnt > av_size ||
+ poff+pcnt < poff) {
goto bad_param;
+ }
memcpy(state->param+pdisp,smb_base(inbuf)+poff,
pcnt);
}
if (dcnt) {
- if (ddisp+dcnt > state->total_data)
- goto bad_param;
- if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
+ if (ddisp > state->total_data ||
+ dcnt > state->total_data ||
+ ddisp+dcnt > state->total_data ||
+ ddisp+dcnt < ddisp) {
goto bad_param;
- if (ddisp > state->total_data)
- goto bad_param;
- if ((smb_base(inbuf) + doff + dcnt > inbuf + size) ||
- (smb_base(inbuf) + doff + dcnt < smb_base(inbuf)))
- goto bad_param;
- if (state->data + ddisp < state->data)
+ }
+
+ if (ddisp > av_size ||
+ dcnt > av_size ||
+ ddisp+dcnt > av_size ||
+ ddisp+dcnt < ddisp) {
goto bad_param;
+ }
memcpy(state->data+ddisp, smb_base(inbuf)+doff,
dcnt);