s3: smbd: SMB1 add range checks to reply_fclose().
authorJeremy Allison <jra@samba.org>
Wed, 3 Jul 2019 19:15:56 +0000 (12:15 -0700)
committerRalph Boehme <slow@samba.org>
Thu, 4 Jul 2019 15:40:31 +0000 (15:40 +0000)
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Jul  4 15:40:31 UTC 2019 on sn-devel-184

source3/smbd/reply.c

index d04ff8ec8b7c791e7765900574ba8fabc736d23b..87729b23a83e5a6ebe378b72760afd5b025b0110 100644 (file)
@@ -2083,6 +2083,13 @@ void reply_fclose(struct smb_request *req)
                END_PROFILE(SMBfclose);
                return;
        }
+
+       if (smbreq_bufrem(req, p) < 3) {
+               reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+               END_PROFILE(SMBfclose);
+               return;
+       }
+
        p++;
        status_len = SVAL(p,0);
        p += 2;
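Review bot: The literals 3 in this guard and 21 in the second hunk's guard are unexplained, so a reader has to derive them from the lines that follow. Going by the visible code, 3 is the one byte skipped by `p++` plus the two bytes read by `SVAL(p,0)`; a comment above the check such as `/* 1 byte skipped by p++ plus the 2-byte status_len */` would make that explicit. In the second hunk the same number appears in both the guard and `memcpy(status,p,21)`; if `status` is a 21-byte array (its declaration is outside the hunk), using `sizeof(status)` in both places would keep the bound and the copy from drifting apart. reply_fclose starts and ends outside both hunks.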
@@ -2093,6 +2100,12 @@ void reply_fclose(struct smb_request *req)
                return;
        }
 
+       if (smbreq_bufrem(req, p) < 21) {
+               reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+               END_PROFILE(SMBfclose);
+               return;
+       }
+
        memcpy(status,p,21);
 
        if(dptr_fetch(sconn, status+12,&dptr_num)) {
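Review bot: The client-supplied `status_len` is not compared with the 21 bytes that `memcpy(status,p,21)` consumes on any line visible here; the added guard only proves that the request buffer holds 21 more bytes. A request that declares a shorter length would therefore still have the bytes after its declared end copied into `status` and passed to `dptr_fetch`. The check that ends at the top of this hunk has its condition outside the hunk, so this may already be covered; if it is not, consider tightening the new guard to `if (status_len < 21 || smbreq_bufrem(req, p) < 21) {`.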