s3:smbd: Fix off-by 4 error in wrap protection code in create_outbuf()
authorJeremy Allison <jra@samba.org>
Mon, 18 Mar 2013 22:05:24 +0000 (15:05 -0700)
committerJeremy Allison <jra@samba.org>
Wed, 20 Mar 2013 16:32:26 +0000 (09:32 -0700)
Subtract 4 from smb_size (39) here as the length
of the SMB reply following the 4 byte type+length
field can be up to 0xFFFFFF bytes.

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source3/smbd/process.c

index fcb970d77bce3a7f73453c77f00cde1e5dccd7e0..1ebda799c96937eba911502b2f0fa614f725ed96 100644 (file)
@@ -1270,11 +1270,13 @@ static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
                          const char *inbuf, char **outbuf, uint8_t num_words,
                          uint32_t num_bytes)
 {
+       size_t smb_len = MIN_SMB_SIZE + VWV(num_words) + num_bytes;
+
        /*
-         * Protect against integer wrap
-         */
-       if ((num_bytes > 0xffffff)
-           || ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
+        * Protect against integer wrap.
+        * The SMB layer reply can be up to 0xFFFFFF bytes.
+        */
+       if ((num_bytes > 0xffffff) || (smb_len > 0xffffff)) {
                char *msg;
                if (asprintf(&msg, "num_bytes too large: %u",
                             (unsigned)num_bytes) == -1) {
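Review bot: The panic message built on L32-L33 still names only num_bytes, but the condition on L30 now also fires when the computed smb_len (which folds in VWV(num_words)) crosses 0xffffff, so a reply that fails on the second clause is reported as if num_bytes alone were the problem. Report the total too: `if (asprintf(&msg, "num_bytes too large: %u (smb_len %zu)", (unsigned)num_bytes, smb_len) == -1) {`. The first clause looks redundant on LP64 targets, where smb_len can never be below num_bytes, but where size_t is 32 bits the sum on L20 can wrap and the num_bytes check is what keeps the test sound, which is worth a one-line comment such as `/* num_bytes is checked on its own so the size_t sum above is trustworthy even with a 32-bit size_t. */`. create_outbuf's body continues past this hunk.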
@@ -1283,8 +1285,11 @@ static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
                smb_panic(msg);
        }
 
+       /*
+        * Here we include the NBT header for now.
+        */
        *outbuf = talloc_array(mem_ctx, char,
-                              smb_size + num_words*2 + num_bytes);
+                              NBT_HDR_SIZE + smb_len);
        if (*outbuf == NULL) {
                return false;
        }
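Review bot: The comment on L38-L40 says the NBT header is included "for now" without saying why, so it reads as an unfinished TODO rather than a statement of the buffer layout the allocation on L41-L43 commits to. Describe the layout instead, e.g. `/* The reply buffer carries the 4-byte NBT type+length prefix in front of the SMB payload, so allocate NBT_HDR_SIZE + smb_len. */`, which also ties the NBT_HDR_SIZE + HDR_VWV offset used later in the function back to this allocation. create_outbuf begins and ends outside this hunk.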
@@ -1296,7 +1301,7 @@ static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
         * himself
         */
        if (num_words != 0) {
-               memset(*outbuf + smb_vwv0, 0, num_words*2);
+               memset(*outbuf + (NBT_HDR_SIZE + HDR_VWV), 0, VWV(num_words));
        }
 
        return true;
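Review bot: Only the word vector is cleared by the memset on L52; the bytes between the NBT prefix and HDR_VWV and the num_bytes data area come back from the talloc_array() in the previous hunk uninitialized, and the comment ending on L48-L49 appears to leave filling them to the caller. Since any byte the caller forgets is sent in the reply, spell that contract out above the memset, e.g. `/* Only the VWV area is zeroed here; the header and the data bytes are the caller's to fill in completely, talloc_array() does not clear them. */`. The comment this hunk starts inside and the beginning of create_outbuf lie outside the hunk.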