For read&x replies, check the offset
authorVolker Lendecke <vl@samba.org>
Wed, 19 Nov 2008 21:55:06 +0000 (22:55 +0100)
committerVolker Lendecke <vl@samba.org>
Sat, 13 Dec 2008 09:30:02 +0000 (10:30 +0100)
source3/libsmb/clireadwrite.c

index ecf49396d119a0e23122bfb3da2c5fc6cf4a0192..1c2a0d56c4cda7919a51d6b066374f54f8b935e7 100644 (file)
@@ -109,6 +109,7 @@ NTSTATUS cli_read_andx_recv(struct async_req *req, ssize_t *received,
        uint16_t *vwv;
        uint16_t num_bytes;
        uint8_t *bytes;
+       uint8_t *buf;
        NTSTATUS status;
        size_t size;
 
@@ -136,6 +137,24 @@ NTSTATUS cli_read_andx_recv(struct async_req *req, ssize_t *received,
                return NT_STATUS_UNEXPECTED_IO_ERROR;
        }
 
+       /*
+        * bcc field must be valid for small reads, for large reads the 16-bit
+        * bcc field can't be correct.
+        */
+
+       if ((size < 0xffff) && (size > num_bytes)) {
+               DEBUG(5, ("server announced more bytes than sent\n"));
+               return NT_STATUS_INVALID_NETWORK_RESPONSE;
+       }
+
+       buf = (uint8_t *)smb_base(cli_req->inbuf) + SVAL(vwv+6, 0);
+
+       if (trans_oob(smb_len(cli_req->inbuf), SVAL(vwv+6, 0), size)
+           || (buf < bytes)) {
+               DEBUG(5, ("server returned invalid read&x data offset\n"));
+               return NT_STATUS_INVALID_NETWORK_RESPONSE;
+       }
+
        *rcvbuf = (uint8_t *)(smb_base(cli_req->inbuf) + SVAL(vwv + 6, 0));
        *received = size;
        return NT_STATUS_OK;
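Review bot: `SVAL(vwv+6, 0)` is decoded three times in this hunk (when `buf` is computed, inside the `trans_oob()` call, and again when `*rcvbuf` is assigned), and `buf` already holds exactly the pointer that `*rcvbuf` is recomputed to; read the offset once and reuse it, `uint16_t data_offset = SVAL(vwv + 6, 0);`, `buf = (uint8_t *)smb_base(cli_req->inbuf) + data_offset;`, `*rcvbuf = buf;`, with the `data_offset` declaration placed next to the `uint8_t *buf;` added in the first hunk. The `trans_oob()` call together with the `buf < bytes` comparison is what keeps a server-chosen offset inside the received packet and out of the header/vwv area, so a short comment above that `if` naming the intent, `/* offset is server-supplied: keep it inside the packet and past the wire header */`, would tell the next reader why both halves are needed. The bcc check is presumably skipped above 0xffff because the 16-bit field wraps there; the existing comment says so, but a maintainer may wonder why `size` itself is not bounded in that branch, so stating that `trans_oob()` is the bound for large reads would close that gap. The enclosing function cli_read_andx_recv starts and ends outside this hunk.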