Tidyup wrap checking.
authorJeremy Allison <jra@samba.org>
Thu, 16 Oct 2003 20:44:43 +0000 (20:44 +0000)
committerJeremy Allison <jra@samba.org>
Thu, 16 Oct 2003 20:44:43 +0000 (20:44 +0000)
Jeremy.
(This used to be commit 41d1870a51c259f0cf17caf59928a3b38b21ea11)

source3/smbd/ipc.c
source3/smbd/nttrans.c
source3/smbd/trans2.c

index 39072f9b91285fd30a8c88cc942940351d5da694..9bdd02b0593b24debbdba1e97a7261c9b3276ba2 100644 (file)
@@ -388,7 +388,8 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
                } 
                if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
                        goto bad_param;
-               if (smb_base(inbuf)+dsoff+dscnt > inbuf + size)
+               if ((smb_base(inbuf)+dsoff+dscnt > inbuf + size) ||
+                               (smb_base(inbuf)+dsoff+dscnt < smb_base(inbuf)))
                        goto bad_param;
 
                memcpy(data,smb_base(inbuf)+dsoff,dscnt);
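Review bot: The added operand `smb_base(inbuf)+dsoff+dscnt < smb_base(inbuf)` can only be true after pointer arithmetic has wrapped, and forming a pointer past the end of the buffer is undefined behaviour in C, so an optimizing compiler may treat the comparison as always false and drop it, leaving only the original upper-bound test. The same pattern is introduced in the other three ipc.c hunks, in all four nttrans.c hunks and in all four trans2.c hunks. Because the preceding `(dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt)` test already rejects unsigned overflow of the sum, the bound can be enforced in integer space without ever forming the out-of-range pointer, e.g. `if (dsoff + dscnt > (size_t)((inbuf + size) - smb_base(inbuf))) goto bad_param;`, assuming `dsoff`/`dscnt` are unsigned and `size` always covers the fixed header — confirm against the declarations above the hunk. reply_trans starts and ends outside this hunk.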
@@ -402,8 +403,9 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
                        return(ERROR_DOS(ERRDOS,ERRnomem));
                } 
                if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
-                        goto bad_param;
-               if (smb_base(inbuf)+psoff+pscnt > inbuf + size)
+                       goto bad_param;
+               if ((smb_base(inbuf)+psoff+pscnt > inbuf + size) ||
+                               (smb_base(inbuf)+psoff+pscnt < smb_base(inbuf)));
                        goto bad_param;
 
                memcpy(params,smb_base(inbuf)+psoff,pscnt);
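Review bot: The rewritten parameter bound check ends in a stray semicolon, `(smb_base(inbuf)+psoff+pscnt < smb_base(inbuf)));`, which makes the `if` an empty statement, so the `goto bad_param;` on the next line executes unconditionally and every request that reaches this block is rejected as a bad parameter. Drop the semicolon so the line reads `(smb_base(inbuf)+psoff+pscnt < smb_base(inbuf)))`. The data-section check in the previous hunk is written correctly, so this looks like a copy-paste slip; building with `-Wempty-body` would have caught it. reply_trans continues outside this hunk.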
@@ -487,8 +489,11 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
                        if (pdisp+pcnt >= tpscnt)
                                goto bad_param;
                        if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
-                                goto bad_param;
-                       if (smb_base(inbuf) + poff + pcnt >= inbuf + bufsize)
+                               goto bad_param;
+                       if (pdisp > tpscnt)
+                               goto bad_param;
+                       if ((smb_base(inbuf) + poff + pcnt >= inbuf + bufsize) ||
+                                       (smb_base(inbuf) + poff + pcnt < smb_base(inbuf)))
                                goto bad_param;
                        if (params + pdisp < params)
                                goto bad_param;
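Review bot: The added `if (pdisp > tpscnt)` check cannot fail where it is placed: with unsigned operands, the preceding `pdisp+pcnt >= tpscnt` rejection together with the `(pdisp+pcnt < pdisp)` overflow test already guarantee `pdisp <= pdisp+pcnt < tpscnt`, so the new test is dead code. Keeping it is harmless, but if it is intended as defence in depth a short comment such as `/* implied by the two checks above; kept as a belt-and-braces guard */` would spare the next reader from hunting for the case it covers. The `ddisp > tdscnt` check in the following hunk may be in the same position, but the condition preceding it lies outside that hunk. reply_trans continues outside this hunk.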
@@ -501,7 +506,10 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
                                goto bad_param;
                        if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
                                goto bad_param;
-                       if (smb_base(inbuf) + doff + dcnt >= inbuf + bufsize)
+                       if (ddisp > tdscnt)
+                               goto bad_param;
+                       if ((smb_base(inbuf) + doff + dcnt >= inbuf + bufsize) ||
+                                       (smb_base(inbuf) + doff + dcnt < smb_base(inbuf)))
                                goto bad_param;
                        if (data + ddisp < data)
                                goto bad_param;
index b4e7a70088d9646dfc7d251dc5684f9d5ea721c2..19af61f1901ecc237e8e9d2455fc51abb63b14ab 100644 (file)
@@ -2463,7 +2463,8 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
                if ((parameter_offset + parameter_count < parameter_offset) ||
                                (parameter_offset + parameter_count < parameter_count))
                        goto bad_param;
-               if (smb_base(inbuf) + parameter_offset + parameter_count > inbuf + length)
+               if ((smb_base(inbuf) + parameter_offset + parameter_count > inbuf + length)||
+                               (smb_base(inbuf) + parameter_offset + parameter_count < smb_base(inbuf)))
                        goto bad_param;
 
                memcpy( params, smb_base(inbuf) + parameter_offset, parameter_count);
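Review bot: The rewritten condition reads `inbuf + length)||` with no space before `||`, whereas every other rewritten check in this commit writes `) ||`; changing the line to `if ((smb_base(inbuf) + parameter_offset + parameter_count > inbuf + length) ||` keeps the three files consistent. reply_nttrans starts and ends outside this hunk.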
@@ -2473,7 +2474,8 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
                DEBUG(10,("reply_nttrans: data_count = %d\n",data_count));
                if ((data_offset + data_count < data_offset) || (data_offset + data_count < data_count))
                        goto bad_param;
-               if (smb_base(inbuf) + data_offset + data_count > inbuf + length)
+               if ((smb_base(inbuf) + data_offset + data_count > inbuf + length) ||
+                               (smb_base(inbuf) + data_offset + data_count < smb_base(inbuf)))
                        goto bad_param;
 
                memcpy( data, smb_base(inbuf) + data_offset, data_count);
@@ -2534,7 +2536,10 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
                                if ((parameter_displacement + parameter_count < parameter_displacement) ||
                                                (parameter_displacement + parameter_count < parameter_count))
                                        goto bad_param;
-                               if (smb_base(inbuf) + parameter_offset + parameter_count >= inbuf + bufsize)
+                               if (parameter_displacement > total_parameter_count)
+                                       goto bad_param;
+                               if ((smb_base(inbuf) + parameter_offset + parameter_count >= inbuf + bufsize) ||
+                                               (smb_base(inbuf) + parameter_offset + parameter_count < smb_base(inbuf)))
                                        goto bad_param;
                                if (parameter_displacement + params < params)
                                        goto bad_param;
@@ -2548,7 +2553,10 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
                                if ((data_displacement + data_count < data_displacement) ||
                                                (data_displacement + data_count < data_count))
                                        goto bad_param;
-                               if (smb_base(inbuf) + data_offset + data_count >= inbuf + bufsize)
+                               if (data_displacement > total_data_count)
+                                       goto bad_param;
+                               if ((smb_base(inbuf) + data_offset + data_count >= inbuf + bufsize) ||
+                                               (smb_base(inbuf) + data_offset + data_count < smb_base(inbuf)))
                                        goto bad_param;
                                if (data_displacement + data < data)
                                        goto bad_param;
index 3d53387c9f1ef15c77be36d95f6427fa4be30090..0f02403184612e53545b2f80863643ea89ba5bb4 100644 (file)
@@ -3497,7 +3497,8 @@ int reply_trans2(connection_struct *conn,
                unsigned int psoff = SVAL(inbuf, smb_psoff);
                if ((psoff + num_params < psoff) || (psoff + num_params < num_params))
                        goto bad_param;
-               if (smb_base(inbuf) + psoff + num_params > inbuf + length)
+               if ((smb_base(inbuf) + psoff + num_params > inbuf + length) ||
+                               (smb_base(inbuf) + psoff + num_params < smb_base(inbuf)))
                        goto bad_param;
                memcpy( params, smb_base(inbuf) + psoff, num_params);
        }
@@ -3505,7 +3506,8 @@ int reply_trans2(connection_struct *conn,
                unsigned int dsoff = SVAL(inbuf, smb_dsoff);
                if ((dsoff + num_data < dsoff) || (dsoff + num_data < num_data))
                        goto bad_param;
-               if (smb_base(inbuf) + dsoff + num_data > inbuf + length)
+               if ((smb_base(inbuf) + dsoff + num_data > inbuf + length) ||
+                               (smb_base(inbuf) + dsoff + num_data < smb_base(inbuf)))
                        goto bad_param;
                memcpy( data, smb_base(inbuf) + dsoff, num_data);
        }
@@ -3566,7 +3568,10 @@ int reply_trans2(connection_struct *conn,
                                if ((param_disp + num_params < param_disp) ||
                                                (param_disp + num_params < num_params))
                                        goto bad_param;
-                               if (smb_base(inbuf) + param_off + num_params >= inbuf + bufsize)
+                               if (param_disp > total_params)
+                                       goto bad_param;
+                               if ((smb_base(inbuf) + param_off + num_params >= inbuf + bufsize) ||
+                                               (smb_base(inbuf) + param_off + num_params < smb_base(inbuf)))
                                        goto bad_param;
                                if (params + param_disp < params)
                                        goto bad_param;
@@ -3579,7 +3584,10 @@ int reply_trans2(connection_struct *conn,
                                if ((data_disp + num_data < data_disp) ||
                                                (data_disp + num_data < num_data))
                                        goto bad_param;
-                               if (smb_base(inbuf) + data_off + num_data >= inbuf + bufsize)
+                               if (data_disp > total_data)
+                                       goto bad_param;
+                               if ((smb_base(inbuf) + data_off + num_data >= inbuf + bufsize) ||
+                                               (smb_base(inbuf) + data_off + num_data < smb_base(inbuf)))
                                        goto bad_param;
                                if (data + data_disp < data)
                                        goto bad_param;