Fix the offset checks in the trans routines
authorVolker Lendecke <vl@samba.org>
Sat, 8 Nov 2008 16:14:06 +0000 (17:14 +0100)
committerVolker Lendecke <vl@samba.org>
Thu, 27 Nov 2008 16:19:01 +0000 (17:19 +0100)
This fixes a potential crash bug: a client can make us read memory we
should not read. Luckily I got the disp checks right...

Volker
(cherry picked from commit 64a1d80851da5b05e70ec6c96f6e9bd473748369)
(cherry picked from commit f04c5650a3aeca23591ddc781c4b297caaf9bb3f)

source3/smbd/ipc.c
source3/smbd/nttrans.c
source3/smbd/trans2.c

index 26a4212ec91f9fda3402be6c4626e67e18198000..a617756a5386051d6c78111d557072eb6471bdd2 100644 (file)
@@ -769,10 +769,10 @@ void reply_transs(struct smb_request *req)
                        goto bad_param;
                }
 
-               if (ddisp > av_size ||
+               if (doff > av_size ||
                                dcnt > av_size ||
-                               ddisp+dcnt > av_size ||
-                               ddisp+dcnt < ddisp) {
+                               doff+dcnt > av_size ||
+                               doff+dcnt < doff) {
                        goto bad_param;
                }
 
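Review bot: The new condition bounds the slice read from the incoming request (`doff`/`dcnt` against `av_size`), but nothing at the `if` says which buffer `av_size` measures or why this is a separate test from the `ddisp` check whose `goto bad_param;` closes just above it — with two near-identical four-line conditions back to back, the offset/displacement mix-up this commit repairs is easy to reintroduce. I would put a one-line comment ahead of the rewritten `if`, along the lines of `/* doff/dcnt locate the data inside the received request (bounded by av_size); ddisp/dcnt locate it in the accumulated buffer (bounded above) */`, adjusting the second clause to whatever the earlier check actually compares against, since its condition is outside the hunk. Separately, `doff > av_size` and `dcnt > av_size` are implied by `doff+dcnt > av_size` once `doff+dcnt < doff` has ruled out wraparound (assuming unsigned operands, as the wraparound test suggests), so the condition could be trimmed to the last two terms without changing what it rejects. reply_transs begins and ends outside the hunk.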
index 8a18c87903728961ff3c5bd0119e3979ef9d4e5c..329ba23ddd0b5619b4fb9f104bac24ef90a36da4 100644 (file)
@@ -2818,10 +2818,10 @@ void reply_nttranss(struct smb_request *req)
                        goto bad_param;
                }
 
-               if (ddisp > av_size ||
+               if (doff > av_size ||
                                dcnt > av_size ||
-                               ddisp+dcnt > av_size ||
-                               ddisp+dcnt < ddisp) {
+                               doff+dcnt > av_size ||
+                               doff+dcnt < doff) {
                        goto bad_param;
                }
 
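Review bot: This is the second of three identical copies of the same four-line bounds test (ipc.c and trans2.c carry the other two in this commit), and the bug being fixed here — the wrong variable substituted in each copy — is exactly what hand-duplicated range checks invite. I would factor the test into one `static` helper shared by the three trans routines so the wraparound and range logic lives in a single place, and reduce each call site to one line. The helper below assumes `doff`, `dcnt` and `av_size` are unsigned ints, which the `doff+dcnt < doff` wraparound test implies but the hunk does not show — confirm the types before adopting the signature; its two terms are equivalent to the four in the hunk once wraparound is excluded. reply_nttranss begins and ends outside the hunk.
```c
/* True if [offset, offset+length) does not fit inside a buffer of bufsize
 * bytes. The first term catches unsigned wraparound of offset+length. */
static bool trans_oob(unsigned int bufsize, unsigned int offset,
		      unsigned int length)
{
	return (offset + length < offset) || (offset + length > bufsize);
}

/* … unchanged: ddisp check and goto bad_param above … */

		if (trans_oob(av_size, doff, dcnt)) {
			goto bad_param;
		}
```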
index c385c6ccb1705469daef9d5a2aada9440f4ecd68..0c63588ccc2c90f38db423343402cd6848d53a83 100644 (file)
@@ -7811,10 +7811,10 @@ void reply_transs2(struct smb_request *req)
                        goto bad_param;
                }
 
-               if (ddisp > av_size ||
+               if (doff > av_size ||
                                dcnt > av_size ||
-                               ddisp+dcnt > av_size ||
-                               ddisp+dcnt < ddisp) {
+                               doff+dcnt > av_size ||
+                               doff+dcnt < doff) {
                        goto bad_param;
                }