s3: smbd: SMB1 add range checks to reply_search().
authorJeremy Allison <jra@samba.org>
Wed, 3 Jul 2019 19:13:59 +0000 (12:13 -0700)
committerRalph Boehme <slow@samba.org>
Thu, 4 Jul 2019 14:03:29 +0000 (14:03 +0000)
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
source3/smbd/reply.c

index 20e1468f748786d9a87c6e94732773acf290914a..d04ff8ec8b7c791e7765900574ba8fabc736d23b 100644 (file)
@@ -1801,6 +1801,11 @@ void reply_search(struct smb_request *req)
                goto out;
        }
 
+       if (smbreq_bufrem(req, p) < 3) {
+               reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+               goto out;
+       }
+
        p++;
        status_len = SVAL(p, 0);
        p += 2;
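Review bot: The literal `3` in the new `smbreq_bufrem(req, p) < 3` guard is explained only by the lines after it: one byte stepped over by `p++` plus the two bytes read by `SVAL(p, 0)`. The second hunk has the same pattern, with a bare `21` that must stay in step with `memcpy(status,p,21)`. A comment such as `/* 1 skipped byte + 2-byte status_len */` above the first check, and a named constant shared by the second check and the memcpy, would stop the bound and the read drifting apart in a later edit. The byte stepped over by `p++` is not inspected in the visible lines; whether it needs validating depends on code outside the hunk. The body of reply_search() starts and ends outside both hunks.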
@@ -1880,6 +1885,11 @@ void reply_search(struct smb_request *req)
                int status_dirtype;
                const char *dirpath;
 
+               if (smbreq_bufrem(req, p) < 21) {
+                       reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+                       goto out;
+               }
+
                memcpy(status,p,21);
                status_dirtype = CVAL(status,0) & 0x1F;
                if (status_dirtype != (dirtype & 0x1F)) {
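Review bot: Nothing visible ties the client-supplied `status_len` parsed in the previous hunk to the fixed 21 bytes checked and copied here. Using a fixed bound in `smbreq_bufrem(req, p) < 21` is the safe choice for the `memcpy`. But if this branch is taken for any non-zero `status_len` (the branch condition is outside the hunk, so this is inferred), a request declaring a different length is still processed as a 21-byte block. Consider rejecting the mismatch in the same test, `if (status_len != 21 || smbreq_bufrem(req, p) < 21) {`, after confirming that no supported client sends another length.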