smbd: Fix CID 1351215 Improper use of negative value
authorVolker Lendecke <vl@samba.org>
Wed, 3 Feb 2016 08:18:14 +0000 (09:18 +0100)
committerMichael Adam <obnox@samba.org>
Wed, 3 Feb 2016 14:03:08 +0000 (15:03 +0100)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Wed Feb  3 15:03:09 CET 2016 on sn-devel-144

source3/smbd/smbXsrv_client.c

index fa352aa333a2cfde93e52b840ac2bcf34b52a64b..0e21fc6def6db31548f28e6a5159693d3d56553b 100644 (file)
@@ -290,14 +290,20 @@ NTSTATUS smb2srv_client_connection_pass(struct smbd_smb2_request *smb2req,
        NTSTATUS status;
        struct smbXsrv_connection_pass0 pass_info0;
        struct smbXsrv_connection_passB pass_blob;
+       ssize_t reqlen;
        struct iovec iov;
 
        pass_info0.initial_connect_time = global->initial_connect_time;
        pass_info0.client_guid = global->client_guid;
-       pass_info0.negotiate_request.length = iov_buflen(smb2req->in.vector,
-                                                        smb2req->in.vector_count);
+
+       reqlen = iov_buflen(smb2req->in.vector, smb2req->in.vector_count);
+       if (reqlen == -1) {
+               return NT_STATUS_INVALID_BUFFER_SIZE;
+       }
+
+       pass_info0.negotiate_request.length = reqlen;
        pass_info0.negotiate_request.data = talloc_array(talloc_tos(), uint8_t,
-                                       pass_info0.negotiate_request.length);
+                                                        reqlen);
        if (pass_info0.negotiate_request.data == NULL) {
                return NT_STATUS_NO_MEMORY;
        }
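Review bot: The new guard tests `reqlen == -1` exactly, so any other negative return from `iov_buflen()` would still be assigned to `negotiate_request.length` and passed to `talloc_array()` as a very large unsigned count. The helper's contract is not visible in this hunk, so `-1` may well be its only error value. Writing the check as `if (reqlen < 0) {` would keep it correct without depending on that sentinel. A short comment such as `/* iov_buflen() returns -1 if the summed iovec lengths overflow */` would also record why the check exists. The body of `smb2srv_client_connection_pass` continues outside the hunk, so how the allocated buffer is then filled cannot be checked from here.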