s3:libsmb: verify num_setup for SMBnttrans in cli_pull_trans()

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Nov 18 15:13:52 CET 2011 on sn-devel-104

diff --git a/source3/libsmb/clitrans.c b/source3/libsmb/clitrans.c
index 8ac31d89f1a3099e83574150463bf2cf8b3e492a..5c73e2da74542616e43eb47766800a01416cd8db 100644 (file)
--- a/source3/libsmb/clitrans.c
+++ b/source3/libsmb/clitrans.c
@@ -120,6 +120,7 @@ static NTSTATUS cli_pull_trans(uint8_t *inbuf,
                if (wct < 18) {
                        return NT_STATUS_INVALID_NETWORK_RESPONSE;
                }
+               expected_num_setup = wct - 18;
                *ptotal_param   = IVAL(vwv, 3);
                *ptotal_data    = IVAL(vwv, 7);
                *pnum_param     = IVAL(vwv, 11);
@@ -129,6 +130,9 @@ static NTSTATUS cli_pull_trans(uint8_t *inbuf,
                data_ofs        = IVAL(vwv, 27);
                *pdata_disp     = IVAL(vwv, 31);
                *pnum_setup     = CVAL(vwv, 35);
+               if (expected_num_setup < (*pnum_setup)) {
+                       return NT_STATUS_INVALID_NETWORK_RESPONSE;
+               }
                *psetup         = vwv + 18;
                break;