From cee146ff7c2250d3c723f19357fd1c8541191d08 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 29 May 2012 14:08:43 +0200 Subject: [PATCH] s3:smb2_ioctl: verify credit charge Based on a patch from Christian Ambach . metze Autobuild-User: Stefan Metzmacher Autobuild-Date: Tue May 29 18:55:29 CEST 2012 on sn-devel-104 --- source3/smbd/smb2_ioctl.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/source3/smbd/smb2_ioctl.c b/source3/smbd/smb2_ioctl.c index c83162e3680..0d17407cf38 100644 --- a/source3/smbd/smb2_ioctl.c +++ b/source3/smbd/smb2_ioctl.c @@ -63,6 +63,10 @@ NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req) DATA_BLOB in_output_buffer = data_blob_null; uint32_t in_max_output_length; uint32_t in_flags; + uint32_t data_length_in; + uint32_t data_length_out; + uint32_t data_length_tmp; + uint32_t data_length_max; struct tevent_req *subreq; status = smbd_smb2_request_verify_sizes(req, 0x39); @@ -151,6 +155,27 @@ NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req) in_output_buffer.length = in_output_length; } + /* + * verify the credits and avoid overflows + * in_input_buffer.length and in_output_buffer.length + * are already verified. + */ + data_length_in = in_input_buffer.length + in_output_buffer.length; + + data_length_out = in_max_input_length; + data_length_tmp = UINT32_MAX - data_length_out; + if (data_length_tmp < in_max_output_length) { + return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); + } + data_length_out += in_max_output_length; + + data_length_max = MAX(data_length_in, data_length_out); + + status = smbd_smb2_request_verify_creditcharge(req, data_length_max); + if (!NT_STATUS_IS_OK(status)) { + return smbd_smb2_request_error(req, status); + } + /* * If the Flags field of the request is not SMB2_0_IOCTL_IS_FSCTL the * server MUST fail the request with STATUS_NOT_SUPPORTED.