git.samba.org / samba.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ca17288)
Fix the offset checks in the trans routines
authorVolker Lendecke <vl@samba.org>
Sat, 8 Nov 2008 16:14:06 +0000 (17:14 +0100)
committerKarolin Seeger <kseeger@samba.org>
Thu, 27 Nov 2008 14:19:48 +0000 (15:19 +0100)
This fixes a potential crash bug, a client can make us read memory we
should not read. Luckily I got the disp checks right...

Volker
(cherry picked from commit 64a1d80851da5b05e70ec6c96f6e9bd473748369)

source/smbd/ipc.c patch | blob | history
source/smbd/nttrans.c patch | blob | history
source/smbd/trans2.c patch | blob | history

diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c
index 6961a5caf15ac17fddf0600124325f9ed6f0e486..a53bc5bea2aea6ae9c0101063704476044f93eeb 100644 (file)
--- a/source/smbd/ipc.c
+++ b/source/smbd/ipc.c
@@ -764,10 +764,10 @@ void reply_transs(struct smb_request *req)
                        goto bad_param;
                }
 
-               if (ddisp > av_size ||
+               if (doff > av_size ||
                                dcnt > av_size ||
-                               ddisp+dcnt > av_size ||
-                               ddisp+dcnt < ddisp) {
+                               doff+dcnt > av_size ||
+                               doff+dcnt < doff) {
                        goto bad_param;
                }
 
diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c
index 4457883063877259c8102dd3ceb9740a3887572f..da7b2bf56a65e7172d4bdcc711235d67358e4013 100644 (file)
--- a/source/smbd/nttrans.c
+++ b/source/smbd/nttrans.c
@@ -2863,10 +2863,10 @@ void reply_nttranss(struct smb_request *req)
                        goto bad_param;
                }
 
-               if (ddisp > av_size ||
+               if (doff > av_size ||
                                dcnt > av_size ||
-                               ddisp+dcnt > av_size ||
-                               ddisp+dcnt < ddisp) {
+                               doff+dcnt > av_size ||
+                               doff+dcnt < doff) {
                        goto bad_param;
                }
 
diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c
index acc424f812405743061186378814662f9b75410e..c7edec1d15490385b6ed22deaf75647dcda2ae44 100644 (file)
--- a/source/smbd/trans2.c
+++ b/source/smbd/trans2.c
@@ -7785,10 +7785,10 @@ void reply_transs2(struct smb_request *req)
                        goto bad_param;
                }
 
-               if (ddisp > av_size ||
+               if (doff > av_size ||
                                dcnt > av_size ||
-                               ddisp+dcnt > av_size ||
-                               ddisp+dcnt < ddisp) {
+                               doff+dcnt > av_size ||
+                               doff+dcnt < doff) {
                        goto bad_param;
                }
 
Samba Shared Repository