s3:smbd: do not access data behind req->buf+req->buflen in srvstr_pull_req_talloc()

Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Wed Apr 10 02:03:13 CEST 2013 on sn-devel-104

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 274807beb96841700108727650382402f36aa1ea..79aaf76043e330024b9a8c9e9627f6e1efdd202e 100644 (file)
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -347,8 +347,14 @@ size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req,
 size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req,
                              char **dest, const char *src, int flags)
 {
+       ssize_t bufrem = smbreq_bufrem(req, src);
+
+       if (bufrem < 0) {
+               return 0;
+       }
+
        return pull_string_talloc(ctx, req->inbuf, req->flags2, dest, src,
-                                 smbreq_bufrem(req, src), flags);
+                                 bufrem, flags);
 }
 
 /****************************************************************************