s3:smbd: do not access data behind req->buf+req->buflen in srvstr_get_path_req_wcard()

Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 0d9f415a434101017115d5fd5164c71bacdb81d3..5fb10d5c54dcee16245abbb329d2403d0cc84aba 100644 (file)
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -318,9 +318,16 @@ size_t srvstr_get_path_req_wcard(TALLOC_CTX *mem_ctx, struct smb_request *req,
                                 char **pp_dest, const char *src, int flags,
                                 NTSTATUS *err, bool *contains_wcard)
 {
-       return srvstr_get_path_wcard(mem_ctx, (const char *)req->inbuf, req->flags2,
-                                    pp_dest, src, smbreq_bufrem(req, src),
-                                    flags, err, contains_wcard);
+       ssize_t bufrem = smbreq_bufrem(req, src);
+
+       if (bufrem < 0) {
+               *err = NT_STATUS_INVALID_PARAMETER;
+               return 0;
+       }
+
+       return srvstr_get_path_wcard(mem_ctx, (const char *)req->inbuf,
+                                    req->flags2, pp_dest, src, bufrem, flags,
+                                    err, contains_wcard);
 }
 
 size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req,