a bit of bounds checking
authorAndrew Tridgell <tridge@samba.org>
Sat, 4 Oct 1997 05:21:47 +0000 (05:21 +0000)
committerAndrew Tridgell <tridge@samba.org>
Sat, 4 Oct 1997 05:21:47 +0000 (05:21 +0000)
(This used to be commit d40199f4fe1344058267859820cb36b77a20442a)

source3/client/clientutil.c

index d16e5a471fcf95f90eb70f9c8a334450b4863d75..ed5497782b337d75818697d3f16c543adc6f1f61 100644 (file)
@@ -126,6 +126,13 @@ BOOL cli_receive_trans_response(char *inbuf,int trans,int *data_len,
     {
       this_data = SVAL(inbuf,smb_drcnt);
       this_param = SVAL(inbuf,smb_prcnt);
+
+      if (this_data + *data_len > total_data ||
+         this_param + *param_len > total_param) {
+             DEBUG(1,("Data overflow in cli_receive_trans_response\n"));
+             return False;
+      }
+
       if (this_data)
        memcpy(*data + SVAL(inbuf,smb_drdisp),
               smb_base(inbuf) + SVAL(inbuf,smb_droff),
@@ -453,6 +460,11 @@ BOOL cli_send_login(char *inbuf, char *outbuf, BOOL start_session, BOOL use_setu
       /* send a session setup command */
       bzero(outbuf,smb_size);
 
+      if (passlen > MAX_PASSWORD_LENGTH) {
+             DEBUG(1,("password too long %d\n", passlen));
+             return False;
+      }
+
       if (Protocol < PROTOCOL_NT1) {
        set_message(outbuf,10,1 + strlen(username) + passlen,True);
        CVAL(outbuf,smb_com) = SMBsesssetupX;