s3:smb2_ioctl: verify credit charge
Based on a patch from Christian Ambach <ambi@samba.org>. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Tue May 29 18:55:29 CEST 2012 on sn-devel-104
parent
8b4e677720
commit
cee146ff7c
@ -63,6 +63,10 @@ NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req)
|
||||
DATA_BLOB in_output_buffer = data_blob_null;
|
||||
uint32_t in_max_output_length;
|
||||
uint32_t in_flags;
|
||||
uint32_t data_length_in;
|
||||
uint32_t data_length_out;
|
||||
uint32_t data_length_tmp;
|
||||
uint32_t data_length_max;
|
||||
struct tevent_req *subreq;
|
||||
|
||||
status = smbd_smb2_request_verify_sizes(req, 0x39);
|
||||
@ -151,6 +155,27 @@ NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req)
|
||||
in_output_buffer.length = in_output_length;
|
||||
}
|
||||
|
||||
/*
|
||||
* verify the credits and avoid overflows
|
||||
* in_input_buffer.length and in_output_buffer.length
|
||||
* are already verified.
|
||||
*/
|
||||
data_length_in = in_input_buffer.length + in_output_buffer.length;
|
||||
|
||||
data_length_out = in_max_input_length;
|
||||
data_length_tmp = UINT32_MAX - data_length_out;
|
||||
if (data_length_tmp < in_max_output_length) {
|
||||
return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
|
||||
}
|
||||
data_length_out += in_max_output_length;
|
||||
|
||||
data_length_max = MAX(data_length_in, data_length_out);
|
||||
|
||||
status = smbd_smb2_request_verify_creditcharge(req, data_length_max);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
return smbd_smb2_request_error(req, status);
|
||||
}
|
||||
|
||||
/*
|
||||
* If the Flags field of the request is not SMB2_0_IOCTL_IS_FSCTL the
|
||||
* server MUST fail the request with STATUS_NOT_SUPPORTED.
|
||||
|
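Review bot: In the second hunk, `data_length_in = in_input_buffer.length + in_output_buffer.length;` is stored into a `uint32_t` with no overflow guard, while the output side gets an explicit `UINT32_MAX - data_length_out` check. The comment says both lengths "are already verified", but that verification is outside this hunk, so it is not visible here whether it bounds the sum or only each length on its own. If the sum could wrap, `data_length_max` would be too small and `smbd_smb2_request_verify_creditcharge()` would accept an undersized credit charge. Either mirror the guard, `if (in_input_buffer.length > UINT32_MAX - in_output_buffer.length) { return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); }`, or extend the comment to name the earlier check that bounds the sum. The body of `smbd_smb2_request_process_ioctl` starts and ends outside the hunk.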