r22059: Over-allocate and NULL out 100 bytes for lanman.c.
authorVolker Lendecke <vlendec@samba.org>
Tue, 3 Apr 2007 14:16:56 +0000 (14:16 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:19:06 +0000 (12:19 -0500)
Volker
(This used to be commit 0eea6b84cec7e2a3fc1f784d5a9b162f71cc8a02)

source3/smbd/ipc.c

index ca128d29d9cce3bb8101f5ec02ef52d1e58ec42f..6e5ff9f0359a165a8444b20cb9e31d404cc4e215 100644 (file)
@@ -478,8 +478,8 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf,
 
        if (state->total_data)  {
                /* Can't use talloc here, the core routines do realloc on the
-                * params and data. */
-               state->data = (char *)SMB_MALLOC(state->total_data);
+                * params and data. Out of paranoia, 100 bytes too many. */
+               state->data = (char *)SMB_MALLOC(state->total_data+100);
                if (state->data == NULL) {
                        DEBUG(0,("reply_trans: data malloc fail for %u "
                                 "bytes !\n", (unsigned int)state->total_data));
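Review bot: `state->total_data+100` is unchecked arithmetic on a length that arrives in the request, and the literal 100 has to match the memset further down, so I'd hoist it into one named constant and use it in both places: `#define TRANS_SLACK 100` and `state->data = (char *)SMB_MALLOC(state->total_data + TRANS_SLACK);`. If total_data is a 16-bit wire value the addition cannot wrap, but its type is not visible here; if it is ever a full unsigned int or size_t, a value near the maximum wraps to a tiny allocation and the later memset writes far past it, so either a guard `if (state->total_data > SIZE_MAX - TRANS_SLACK) goto bad_param;` or a comment stating the 16-bit bound belongs next to this line. The failure DEBUG still reports total_data rather than the size actually requested, which will mislead when reading logs. The comment "Out of paranoia" should say what the paranoia is about — presumably the lanman.c readers named in the commit title — so the next maintainer does not remove the slack as dead weight. reply_trans begins and ends outside this hunk.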
@@ -487,6 +487,8 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf,
                        END_PROFILE(SMBtrans);
                        return(ERROR_DOS(ERRDOS,ERRnomem));
                } 
+               /* null-terminate the slack space */
+               memset(&state->data[state->total_data], 0, 100);
                if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
                        goto bad_param;
                if ((smb_base(inbuf)+dsoff+dscnt > inbuf + size) ||
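Review bot: The zero-filled slack added by the memset is an invariant that the comment a few lines above already says the core routines break: they realloc these buffers, and realloc does not zero the bytes it adds, so after the first realloc the tail is no longer guaranteed NUL and any reader that relied on it is back to an uninitialised over-read. Either re-apply the fill wherever the buffer is grown, or state the limitation in the comment, e.g. `/* NUL-fill the slack so a string that runs to total_data is terminated; only valid until the core routines realloc the buffer. */`. I am inferring the purpose from the commit title, so adjust the wording if the slack is meant for something else. reply_trans continues outside this hunk.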
@@ -498,8 +500,8 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf,
 
        if (state->total_param) {
                /* Can't use talloc here, the core routines do realloc on the
-                * params and data. */
-               state->param = (char *)SMB_MALLOC(state->total_param);
+                * params and data. Out of paranoia, 100 bytes too many */
+               state->param = (char *)SMB_MALLOC(state->total_param+100);
                if (state->param == NULL) {
                        DEBUG(0,("reply_trans: param malloc fail for %u "
                                 "bytes !\n", (unsigned int)state->total_param));
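Review bot: This allocation is now the same five lines as the data allocation earlier in the function, differing only in the field, and the two copies of the literal 100 (malloc here, memset below) can silently drift apart; I would factor the allocate-plus-fill into one static helper that also rejects a length that would wrap when the slack is added, and call it as `state->param = trans_malloc_slack(state->total_param);` (and likewise for data). With the helper returning NULL on wrap the caller reports ERRnomem rather than bad_param, which is a slightly less precise error but keeps the call site a one-liner; split the check out if the distinction matters. The DEBUG message on failure still prints total_param, not the size requested. reply_trans starts and ends outside this hunk.
```c
/* Extra bytes appended to trans param/data buffers; kept NUL-filled
 * so the consumers (per the commit, lanman.c) cannot run off the end. */
#define TRANS_SLACK 100

/* malloc size+TRANS_SLACK bytes and NUL-fill the slack.
 * Returns NULL on allocation failure or if size+TRANS_SLACK would wrap. */
static char *trans_malloc_slack(size_t size)
{
	char *p;

	if (size > SIZE_MAX - TRANS_SLACK) {
		return NULL;
	}
	p = (char *)SMB_MALLOC(size + TRANS_SLACK);
	if (p == NULL) {
		return NULL;
	}
	memset(p + size, 0, TRANS_SLACK);
	return p;
}

/* … unchanged: reply_trans up to the param allocation … */
		state->param = trans_malloc_slack(state->total_param);
		if (state->param == NULL) {
/* … unchanged: ERRnomem error path and bounds checks … */
```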
@@ -508,6 +510,8 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf,
                        END_PROFILE(SMBtrans);
                        return(ERROR_DOS(ERRDOS,ERRnomem));
                } 
+               /* null-terminate the slack space */
+               memset(&state->param[state->total_param], 0, 100);
                if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
                        goto bad_param;
                if ((smb_base(inbuf)+psoff+pscnt > inbuf + size) ||
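Review bot: The memset only masks an over-read of at most 100 bytes past total_param; a consumer that reads further is still a heap over-read, so the slack is a mitigation and not a fix, and the comment should say so rather than read as if the buffer is now safe, e.g. `/* NUL-fill the slack: bounds a reader that runs past total_param by up to TRANS_SLACK bytes, it does not make such a read correct. */`. The wording "null-terminate" is also imprecise — this zero-fills 100 bytes, it does not terminate a particular string — and "NUL" is the conventional spelling for the byte. The real fix remains a length check in whichever lanman.c routine reads past the end, which this commit does not touch. reply_trans continues past the end of this hunk.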