smbd: Correctly return BUFFER_OVERFLOW in smb2_getinfo
authorVolker Lendecke <vl@samba.org>
Tue, 27 Aug 2013 09:37:34 +0000 (09:37 +0000)
committerKarolin Seeger <kseeger@samba.org>
Fri, 6 Sep 2013 08:49:50 +0000 (10:49 +0200)
Also, don't overflow the client buffer

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 40f60024ca19e33cbbe9825b42692f386a8f1dd9)

source3/smbd/smb2_getinfo.c

index 714a6bdf08bde282572668e2f992d5ffa0a26e64..6f901e3a36e35a24ada78b469c463fbf365f6e3c 100644 (file)
@@ -397,6 +397,11 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx,
                        if (tevent_req_nomem(state->out_output_buffer.data, req)) {
                                return tevent_req_post(req, ev);
                        }
+                       if (data_size > in_output_buffer_length) {
+                               state->out_output_buffer.length =
+                                       in_output_buffer_length;
+                               status = STATUS_BUFFER_OVERFLOW;
+                       }
                }
                SAFE_FREE(data);
                break;
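Review bot: The clamp in this arm shortens `state->out_output_buffer.length` and sets `status = STATUS_BUFFER_OVERFLOW`, but the visible lines do not show whether the completion path after the `switch` still sends the buffer when `status` is non-OK. If that path treats every non-OK status as a failure, the truncated data would be dropped instead of being returned with the warning; that code is outside the hunk, so confirm it against the rest of smbd_smb2_getinfo_send. The identical five-line block is repeated in the hunk at -445/+450, and a comment above the assignment in both places would record the intent, e.g. `/* warning status: reply carries only the first in_output_buffer_length bytes */`. Since `in_output_buffer_length` appears to be the limit the client supplied, a small static helper shared by both arms would keep the bound from diverging if another info class later builds its reply the same way.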
@@ -445,6 +450,11 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx,
                        if (tevent_req_nomem(state->out_output_buffer.data, req)) {
                                return tevent_req_post(req, ev);
                        }
+                       if (data_size > in_output_buffer_length) {
+                               state->out_output_buffer.length =
+                                       in_output_buffer_length;
+                               status = STATUS_BUFFER_OVERFLOW;
+                       }
                }
                SAFE_FREE(data);
                break;