r24319: Check wct in reply_read_and_X

author Volker Lendecke <vlendec@samba.org>

Fri, 10 Aug 2007 21:33:58 +0000 (21:33 +0000)

committer Gerald (Jerry) Carter <jerry@samba.org>

Wed, 10 Oct 2007 17:29:28 +0000 (12:29 -0500)
author Volker Lendecke <vlendec@samba.org>
Fri, 10 Aug 2007 21:33:58 +0000 (21:33 +0000)
committer Gerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:29:28 +0000 (12:29 -0500)
diff --git a/source/smbd/reply.c b/source/smbd/reply.c

index c02bbc87197a8958240bebb68d0fd1aa580df3d1..3e35c0064bbab8537d3ab8057f697036f79b1ce2 100644 (file)
--- a/source/smbd/reply.c
+++ b/source/smbd/reply.c
@@ -2860,10 +2860,10 @@ normal_read:
  
  int reply_read_and_X(connection_struct *conn, char *inbuf,char *outbuf,int length,int bufsize)
  {
-       files_struct *fsp = file_fsp(SVAL(inbuf,smb_vwv2));
-       SMB_OFF_T startpos = IVAL_TO_SMB_OFF_T(inbuf,smb_vwv3);
+       files_struct *fsp;
+       SMB_OFF_T startpos;
         ssize_t nread = -1;
-       size_t smb_maxcnt = SVAL(inbuf,smb_vwv5);
+       size_t smb_maxcnt;
         BOOL big_readX = False;
  #if 0
         size_t smb_mincnt = SVAL(inbuf,smb_vwv6);
@@ -2871,6 +2871,14 @@ int reply_read_and_X(connection_struct *conn, char *inbuf,char *outbuf,int lengt
  
         START_PROFILE(SMBreadX);
  
+       if ((CVAL(inbuf, smb_wct) != 10) && (CVAL(inbuf, smb_wct) != 12)) {
+               return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+       }
+
+       fsp = file_fsp(SVAL(inbuf,smb_vwv2));
+       startpos = IVAL_TO_SMB_OFF_T(inbuf,smb_vwv3);
+       smb_maxcnt = SVAL(inbuf,smb_vwv5);
+
         /* If it's an IPC, pass off the pipe handler. */
         if (IS_IPC(conn)) {
                 END_PROFILE(SMBreadX);
author	Volker Lendecke <vlendec@samba.org>
	Fri, 10 Aug 2007 21:33:58 +0000 (21:33 +0000)
committer	Gerald (Jerry) Carter <jerry@samba.org>
	Wed, 10 Oct 2007 17:29:28 +0000 (12:29 -0500)