Fix bug #9209 - Parse of invalid SMB2 create blob can cause smbd crash.
author: Jeremy Allison <jra@samba.org>
Wed, 26 Sep 2012 23:58:58 +0000 (16:58 -0700)
committer: Jeremy Allison <jra@samba.org>
Thu, 27 Sep 2012 20:07:02 +0000 (22:07 +0200)
Ensure we correctly protect against blobs with data_offset==0
and data_length != 0.

Jeremy.

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Sep 27 22:07:02 CEST 2012 on sn-devel-104

libcli/smb/smb2_create_blob.c

index 189bcd18ae0d4d6c882f751f8bae7d282739b37b..92387db953f74df610459ee45822b2c6fdfa81c4 100644
@@ -66,9 +66,8 @@ NTSTATUS smb2_create_blob_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB buffer,
                    name_offset + name_length > remaining ||
                    (data_offset & 0x7) != 0 ||
                    (data_offset && (data_offset < name_offset + name_length)) ||
-                   (data_offset && (data_offset > remaining)) ||
-                   (data_offset && data_length &&
-                               (data_offset + (uint64_t)data_length > remaining))) {
+                   (data_offset > remaining) ||
+                   (data_offset + (uint64_t)data_length > remaining)) {
                        return NT_STATUS_INVALID_PARAMETER;
                }
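Review bot: the rewritten condition closes the gap the title describes, but only as a bounds check, not as a rejection of the data_offset == 0 / data_length != 0 combination itself. Before the change, `(data_offset && data_length && ...)` meant a blob with data_offset == 0 and a non-zero data_length was never compared against `remaining`, so an oversized data_length slipped through and the later read of the data region could run past the buffer; the new `(data_offset + (uint64_t)data_length > remaining)` is evaluated unconditionally, so that case is now rejected whenever the length exceeds the buffer. A blob with data_offset == 0 and 0 < data_length <= remaining still passes, which is within bounds but semantically odd (the data would overlap the blob header at offset 0); if the intent is to reject that shape outright, an explicit `(data_offset == 0 && data_length != 0) ||` term is needed, otherwise the commit message should say the fix is the unconditional length check. Minor: `(data_offset > remaining)` is now implied by the following term (with the uint64_t promotion the sum cannot wrap, so data_offset + data_length >= data_offset), so it could be dropped or kept purely for readability. The earlier `(data_offset && (data_offset < name_offset + name_length))` guard is unchanged and still correctly skips the offset-ordering check for the no-data case.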