mirror of https://github.com/samba-team/samba.git synced 2025-01-13 13:18:06 +03:00

Fix the offset checks in the trans routines

This fixes a potential crash bug: a client can make us read memory we
should not read. Luckily I got the disp checks right...

Volker
Volker Lendecke 2008-11-08 17:14:06 +01:00 committed by Karolin Seeger
parent 60a639b1ac
commit 64a1d80851
3 changed files with 9 additions and 9 deletions


@ -764,10 +764,10 @@ void reply_transs(struct smb_request *req)
goto bad_param;
}
if (ddisp > av_size ||
if (doff > av_size ||
dcnt > av_size ||
ddisp+dcnt > av_size ||
ddisp+dcnt < ddisp) {
doff+dcnt > av_size ||
doff+dcnt < doff) {
goto bad_param;
}
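Review bot: The four-clause bounds test on the client-supplied data offset and count is open-coded here in reply_transs and again, identically, in reply_nttranss and reply_transs2, which is how one wrong variable (`ddisp` where `doff` belongs) could sit in three places at once. The `+`/`-` markers are lost in this rendering, so I am reading the `doff` lines as the new side on the strength of the commit title. A single helper taking the buffer size, offset and length would keep the three call sites in step, and written in subtraction form it needs no separate wrap clause. The existing `doff+dcnt < doff` clause is only meaningful if `doff` and `dcnt` are unsigned; their declarations are outside the hunk, as are the start and end of each function.

```c
/* Helper name is a suggestion; parameter types assume the callers' variables are unsigned. */
static bool trans_range_invalid(size_t bufsize, size_t offset, size_t length)
{
	/* bufsize - offset cannot wrap once offset <= bufsize is established */
	return offset > bufsize || length > bufsize - offset;
}

	/* ... unchanged: the check that precedes this one ... */
	if (trans_range_invalid(av_size, doff, dcnt)) {
		goto bad_param;
	}
```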


@ -2853,10 +2853,10 @@ void reply_nttranss(struct smb_request *req)
goto bad_param;
}
if (ddisp > av_size ||
if (doff > av_size ||
dcnt > av_size ||
ddisp+dcnt > av_size ||
ddisp+dcnt < ddisp) {
doff+dcnt > av_size ||
doff+dcnt < doff) {
goto bad_param;
}


@ -7783,10 +7783,10 @@ void reply_transs2(struct smb_request *req)
goto bad_param;
}
if (ddisp > av_size ||
if (doff > av_size ||
dcnt > av_size ||
ddisp+dcnt > av_size ||
ddisp+dcnt < ddisp) {
doff+dcnt > av_size ||
doff+dcnt < doff) {
goto bad_param;
}