r24357: Check wct in reply_nttrans[s]

(This used to be commit 9ab87e644e4dc54ebbcb8ad300fe338f4a809ba9)

diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 1500c355d198cdd54fdbb9b1375d869f0aee4e12..566e03008fb32d390bc39e61ccef0e6b9607af11 100644 (file)
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -3176,17 +3176,27 @@ int reply_nttrans(connection_struct *conn,
                        char *inbuf,char *outbuf,int size,int bufsize)
 {
        int  outsize = 0;
-       uint32 pscnt = IVAL(inbuf,smb_nt_ParameterCount);
-       uint32 psoff = IVAL(inbuf,smb_nt_ParameterOffset);
-       uint32 dscnt = IVAL(inbuf,smb_nt_DataCount);
-       uint32 dsoff = IVAL(inbuf,smb_nt_DataOffset);
-       
-       uint16 function_code = SVAL( inbuf, smb_nt_Function);
+       uint32 pscnt;
+       uint32 psoff;
+       uint32 dscnt;
+       uint32 dsoff;
+       uint16 function_code;
        NTSTATUS result;
        struct trans_state *state;
 
        START_PROFILE(SMBnttrans);
 
+       if (CVAL(inbuf, smb_wct) < 19) {
+               END_PROFILE(SMBnttrans);
+               return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+       }
+
+       pscnt = IVAL(inbuf,smb_nt_ParameterCount);
+       psoff = IVAL(inbuf,smb_nt_ParameterOffset);
+       dscnt = IVAL(inbuf,smb_nt_DataCount);
+       dsoff = IVAL(inbuf,smb_nt_DataOffset);
+       function_code = SVAL( inbuf, smb_nt_Function);
+
        if (IS_IPC(conn) && (function_code != NT_TRANSACT_CREATE)) {
                END_PROFILE(SMBnttrans);
                return ERROR_DOS(ERRSRV,ERRaccess);
@@ -3353,6 +3363,11 @@ int reply_nttranss(connection_struct *conn,  char *inbuf,char *outbuf,
 
        show_msg(inbuf);
 
+       if (CVAL(inbuf, smb_wct) < 18) {
+               END_PROFILE(SMBnttranss);
+               return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+       }
+
        for (state = conn->pending_trans; state != NULL;
             state = state->next) {
                if (state->mid == SVAL(inbuf,smb_mid)) {