s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9702

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jan 29 14:58:40 CET 2015 on sn-devel-104

(similar to commit 8aed0fc38ae28cce7fd1a443844a865265fc719c)

Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Thu Feb  5 23:44:30 CET 2015 on sn-devel-104

diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 5d2aeb1a206d996d6237d7cfe69c49c4cedd392c..98c6e58d2325b7f1d3a6615b07628e36a33e556e 100644 (file)
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -797,6 +797,8 @@ static void smb2_set_operation_credit(struct smbd_server_connection *sconn,
                 */
                credits_granted = 0;
        } else {
+               uint16_t additional_possible =
+                       sconn->smb2.max_credits - credit_charge;
                uint16_t additional_max = 0;
                uint16_t additional_credits = credits_requested - 1;
 
@@ -822,6 +824,7 @@ static void smb2_set_operation_credit(struct smbd_server_connection *sconn,
                        break;
                }
 
+               additional_max = MIN(additional_max, additional_possible);
                additional_credits = MIN(additional_credits, additional_max);
 
                credits_granted = credit_charge + additional_credits;