s3:smbd: reject a MaxBufferSize < SMB_BUFFER_SIZE_MIN (500) in a session setup request
authorStefan Metzmacher <metze@samba.org>
Fri, 6 Dec 2013 12:52:09 +0000 (13:52 +0100)
committerKarolin Seeger <kseeger@samba.org>
Tue, 1 Apr 2014 07:08:05 +0000 (09:08 +0200)
This makes sure sconn->smb1.sessions.max_send is always >= SMB_BUFFER_SIZE_MIN.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10422
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit cce1eaea91088efd742891befdaafade0c1fdce6)

source3/smbd/sesssetup.c

index 4728759c6ccf61c213663198d2ac4c62e4b7aabc..512832847cc3863717ae3c40ab41f72a2a4a3f7f 100644 (file)
@@ -379,10 +379,13 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
                }
 
                if (!sconn->smb1.sessions.done_sesssetup) {
-                       sconn->smb1.sessions.max_send =
-                               MIN(sconn->smb1.sessions.max_send,smb_bufsize);
+                       if (smb_bufsize < SMB_BUFFER_SIZE_MIN) {
+                               reply_force_doserror(req, ERRSRV, ERRerror);
+                               return;
+                       }
+                       sconn->smb1.sessions.max_send = smb_bufsize;
+                       sconn->smb1.sessions.done_sesssetup = true;
                }
-               sconn->smb1.sessions.done_sesssetup = true;
 
                /* current_user_info is changed on new vuid */
                reload_services(sconn, conn_snum_used, true);
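Review bot: The new assignment `sconn->smb1.sessions.max_send = smb_bufsize;` enforces the SMB_BUFFER_SIZE_MIN floor but drops the ceiling that the removed `MIN(sconn->smb1.sessions.max_send,smb_bufsize)` provided, so the client-supplied value is now stored unchanged. Neither the type of smb_bufsize nor the initial value of max_send is visible here, so this may be deliberate; if it is, a short comment above the assignment naming where the upper bound is guaranteed would stop a later reader from assuming it is unchecked. If it is not, keep both bounds by retaining the `MIN()` after the minimum check. The same assignment appears in the reply_sesssetup_and_X hunk, and the enclosing function starts and ends outside this hunk.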
@@ -1084,10 +1087,14 @@ void reply_sesssetup_and_X(struct smb_request *req)
        req->vuid = sess_vuid;
 
        if (!sconn->smb1.sessions.done_sesssetup) {
-               sconn->smb1.sessions.max_send =
-                       MIN(sconn->smb1.sessions.max_send,smb_bufsize);
+               if (smb_bufsize < SMB_BUFFER_SIZE_MIN) {
+                       reply_force_doserror(req, ERRSRV, ERRerror);
+                       END_PROFILE(SMBsesssetupX);
+                       return;
+               }
+               sconn->smb1.sessions.max_send = smb_bufsize;
+               sconn->smb1.sessions.done_sesssetup = true;
        }
-       sconn->smb1.sessions.done_sesssetup = true;
 
        END_PROFILE(SMBsesssetupX);
 }
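Review bot: The size check runs only after `req->vuid = sess_vuid;`, so an undersized MaxBufferSize is rejected once a vuid has apparently already been established, and nothing on the early-return path shows that session being invalidated. Since the value comes from the request itself, it could be validated before any authentication work, for example `if (!sconn->smb1.sessions.done_sesssetup && smb_bufsize < SMB_BUFFER_SIZE_MIN)` directly after smb_bufsize is read. Otherwise the reject path should tear down the new session before returning. A debug log line on that path recording the offered size would also help when triaging misbehaving clients. The start of reply_sesssetup_and_X is outside the hunk, so where smb_bufsize is parsed is inferred.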