smbd: Correctly return BUFFER_OVERFLOW in smb2_getinfo

Also, don't overflow the client buffer

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c
index c6a143331b12b0022eb0f66ab92d976d4fa14c2e..4111aa1dc06006a2e1471f2366cb15a60cb4c31d 100644 (file)
--- a/source3/smbd/smb2_getinfo.c
+++ b/source3/smbd/smb2_getinfo.c
@@ -406,6 +406,11 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx,
                        if (tevent_req_nomem(state->out_output_buffer.data, req)) {
                                return tevent_req_post(req, ev);
                        }
+                       if (data_size > in_output_buffer_length) {
+                               state->out_output_buffer.length =
+                                       in_output_buffer_length;
+                               status = STATUS_BUFFER_OVERFLOW;
+                       }
                }
                SAFE_FREE(data);
                break;
@@ -454,6 +459,11 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx,
                        if (tevent_req_nomem(state->out_output_buffer.data, req)) {
                                return tevent_req_post(req, ev);
                        }
+                       if (data_size > in_output_buffer_length) {
+                               state->out_output_buffer.length =
+                                       in_output_buffer_length;
+                               status = STATUS_BUFFER_OVERFLOW;
+                       }
                }
                SAFE_FREE(data);
                break;