s3:smbd: reject a MaxBufferSize < SMB_BUFFER_SIZE_MIN (500) in a session setup request
authorStefan Metzmacher <metze@samba.org>
Fri, 6 Dec 2013 12:52:09 +0000 (13:52 +0100)
committerJeremy Allison <jra@samba.org>
Wed, 5 Mar 2014 18:06:24 +0000 (10:06 -0800)
This makes sure sconn->smb1.sessions.max_send is always >= SMB_BUFFER_SIZE_MIN.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10422
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
source3/smbd/sesssetup.c

index 02cb4458f617ec43fc5d479de07c9f6133c66ee0..4b86a99522fc152843186d66fd1ae0dbfdc15f09 100644 (file)
@@ -383,10 +383,13 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
                }
 
                if (!sconn->smb1.sessions.done_sesssetup) {
-                       sconn->smb1.sessions.max_send =
-                               MIN(sconn->smb1.sessions.max_send,smb_bufsize);
+                       if (smb_bufsize < SMB_BUFFER_SIZE_MIN) {
+                               reply_force_doserror(req, ERRSRV, ERRerror);
+                               return;
+                       }
+                       sconn->smb1.sessions.max_send = smb_bufsize;
+                       sconn->smb1.sessions.done_sesssetup = true;
                }
-               sconn->smb1.sessions.done_sesssetup = true;
 
                /* current_user_info is changed on new vuid */
                reload_services(sconn, conn_snum_used, true);
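Review bot: The new assignment `sconn->smb1.sessions.max_send = smb_bufsize;` drops the upper clamp that the removed `MIN(sconn->smb1.sessions.max_send,smb_bufsize)` provided, so the client-supplied value is now bounded only from below. The commit message covers only the lower bound, and nothing in this hunk shows whether code that sizes replies from max_send relies on it never exceeding the server's initial value. Either document the intent next to the assignment, for example `/* max_send is the client's receive limit; no upper clamp needed because ... */`, or keep an explicit upper bound after the minimum check. The same applies to the second hunk, in reply_sesssetup_and_X. The body of reply_sesssetup_and_X_spnego starts and ends outside this hunk.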
@@ -1088,10 +1091,14 @@ void reply_sesssetup_and_X(struct smb_request *req)
        req->vuid = sess_vuid;
 
        if (!sconn->smb1.sessions.done_sesssetup) {
-               sconn->smb1.sessions.max_send =
-                       MIN(sconn->smb1.sessions.max_send,smb_bufsize);
+               if (smb_bufsize < SMB_BUFFER_SIZE_MIN) {
+                       reply_force_doserror(req, ERRSRV, ERRerror);
+                       END_PROFILE(SMBsesssetupX);
+                       return;
+               }
+               sconn->smb1.sessions.max_send = smb_bufsize;
+               sconn->smb1.sessions.done_sesssetup = true;
        }
-       sconn->smb1.sessions.done_sesssetup = true;
 
        END_PROFILE(SMBsesssetupX);
 }
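Review bot: The size check runs after `req->vuid = sess_vuid;`, so by the time an undersized MaxBufferSize is rejected the session appears to have a vuid already; the client gets ERRSRV/ERRerror while the server may keep that session state. Since smb_bufsize comes from the request, it would be cleaner to validate it where it is parsed, before any authentication work, or to tear down the new session on this path. The first hunk seems to have the same ordering. The rejection is also silent; a log line such as `DEBUG(1, ("sesssetup: MaxBufferSize below SMB_BUFFER_SIZE_MIN\n"));` would help operators spot misbehaving clients. The start of reply_sesssetup_and_X is outside the hunk, so where smb_bufsize is read cannot be confirmed here.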