Fix bug #8474 - SMB2 create doesn't cope with an Apple client using NULL blob in...
authorJeremy Allison <jra@samba.org>
Wed, 21 Sep 2011 18:40:01 +0000 (11:40 -0700)
committerJeremy Allison <jra@samba.org>
Wed, 21 Sep 2011 20:12:40 +0000 (22:12 +0200)
Cope with zero-valued data_offset and data_length fields.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Sep 21 22:12:40 CEST 2011 on sn-devel-104

libcli/smb/smb2_create_blob.c

index 444dc840afee8f7d0327056fe4e2485746c2dfc7..b44f28a01ffb33fcad07a4d5714474171a2d11cd 100644 (file)
@@ -63,9 +63,10 @@ NTSTATUS smb2_create_blob_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB buffer,
                    name_offset > remaining ||
                    name_length != 4 || /* windows enforces this */
                    name_offset + name_length > remaining ||
-                   data_offset < name_offset + name_length ||
-                   data_offset > remaining ||
-                   data_offset + (uint64_t)data_length > remaining) {
+                   (data_offset && (data_offset < name_offset + name_length)) ||
+                   (data_offset && (data_offset > remaining)) ||
+                   (data_offset && data_length &&
+                               (data_offset + (uint64_t)data_length > remaining))) {
                        return NT_STATUS_INVALID_PARAMETER;
                }
 
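Review bot: The new condition no longer bounds-checks data_length when data_offset is zero: every clause at lines 21–24 is guarded by `data_offset`, so a blob with data_offset == 0 and a non-zero data_length passes validation with data_length never compared against remaining. If the code after this check (outside the hunk) uses data_length to size a copy from the buffer, that combination would reach it unchecked; the Apple case the commit targets has both fields zero, so rejecting the mismatched pair costs nothing. I would add one clause before the existing ones, `(data_offset == 0 && data_length != 0) ||`, or equivalently treat data_length as zero whenever data_offset is zero before the check. The enclosing function smb2_create_blob_parse starts and ends outside this hunk.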
@@ -88,6 +89,9 @@ NTSTATUS smb2_create_blob_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB buffer,
                data += next;
 
                if (remaining < 16) {
+                       DEBUG(0,("smb2_create_blob_parse: remaining1 = %d, next = %d\n",
+                               (int)remaining,
+                               (int)next));
                        return NT_STATUS_INVALID_PARAMETER;
                }
        }
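Review bot: The DEBUG at lines 32–34 logs at level 0 on a validation failure that any unauthenticated client can trigger with a malformed create request, so a remote peer can fill the log at will; level 0 is normally reserved for server-side errors rather than rejected client input. The label `remaining1` also reads like a leftover from interactive debugging. I would lower the level and tidy the text: `DEBUG(10,("smb2_create_blob_parse: remaining = %d, next = %d\n",`. The loop and the enclosing function continue outside this hunk.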